arXiv: The AI Resilience Gap: Bringing Artificial Intelligence Inside the Operational Resilience Perimeter
AI Analysis
This paper, published on arXiv in July 2026, argues that current regulatory frameworks, including the EU’s Digital Operational Resilience Act (DORA), do not adequately address the unique risks posed by artificial intelligence systems. The authors identify an “AI resilience gap,” where AI models—particularly those used for critical decision-making or automated operations—fall outside the traditional operational resilience perimeter. They propose that AI systems should be explicitly brought inside that perimeter, subject to the same rigorous testing, incident reporting, and third-party risk management requirements as other critical ICT systems.
The analysis affects all financial entities already in scope of DORA, including banks, investment firms, payment processors, and ICT third-party service providers. However, it has particular relevance for any organization deploying AI for core business functions, such as credit scoring, fraud detection, trading algorithms, or customer service automation. The paper suggests that regulators may soon expect these firms to treat AI models as critical functions requiring continuous stress testing and scenario analysis.
Compliance teams should immediately review their current AI governance frameworks against DORA’s requirements. Specifically, they should map all AI systems used in critical or important functions, assess whether these systems are covered by existing resilience testing and incident response plans, and begin documenting how AI-specific failures (e.g., model drift, adversarial attacks, or bias cascades) would be managed. Proactive engagement with national competent authorities on this emerging interpretation is also advisable.
Get notified about DORA changes
Subscribe to our free weekly digest covering 24 compliance frameworks.