Modernising the risk stack in the age of agentic AI: reflections after Risk Live Europe
We had 25 minutes at Risk Live to talk about modernising the risk stack. Here is the version I didn’t have time to give on stage.

I recently joined the panel Modernising the Risk Stack at Risk Live Europe, alongside Nitesh Kumar from BNP Paribas, Tin Lau from Mirae Asset Securities UK, and Philip Harding from Risk.net. We had 25 minutes. It was useful, but honestly, not enough. The topic is too big, and I left the panel with the feeling that the most important part of the discussion was only just starting. So here is the version I didn’t have time to give on stage.
A few years ago, this panel would have been about cloud migration, decommissioning legacy monoliths, and consolidating vendor sprawl. These are all legitimate topics, just not very new. What is different in 2026 is that AI has entered every conversation, not as a side topic. It’s the reason why the old architecture suddenly looks impossible to defend.
What a modern risk architecture should look like today
The way I see it is that the risk stack split into two worlds when storage became cheap enough. Before that, we tried to do too much in one single batch. After that, the industry started separating the compute from the analytics, at least in theory.
Layer 1 - Financial libraries and valuations: this is where you compute prices, sensitivities, and risk measures at the instrument level. It’s heavy, parallel, and ideally lives on distributed cloud or grid compute where you can scale elastically. I think this layer is usually well understood.
Layer 2 - Real-time aggregation and risk analytics: this is where most of my discussions focus. It's the layer that takes the granular outputs of layer 1 (millions of positions, sensitivities, exposures, cash flows) and turns them into something a risk manager (or an agent) can query in real time. This separation preserves full history, supports auditability, and sets the stage for what comes next with AI.
When people started to adopt these two steps, they threw the results of layer 1 into a data lake (typically Hadoop). But they quickly realised that an efficient storage wasn’t automatically designed to solve the second layer and a number of trade-offs started to mushroom: pre-aggregation, in-memory, splitting the data (typically by asset class, risk metrics, and history)...
Layer 2 is where users become autonomous. They shouldn’t have to wait for IT, pre-aggregations, extracts, or overnight batches. They should be able to ask questions directly on all the data, at full granularity, across history, and get an answer in human time.
The piece everyone underestimates is the financial semantic layer. Raw tables are unusable by humans and by agents. A semantic layer turns fragmented data into a consistent financial language: instruments, books, counterparties, hierarchies, metrics. It allows your analysts to move faster and ensures your agents will actually work.
Then the architecture itself needs to be open and the deployment should be flexible. Think open APIs, native Python, the ability to plug in your own analytics, and for agents to navigate the data autonomously. Cloud is a strong option but not the only option. The right architecture lets you put each workload where the economics and the regulation make sense.
Where the market is moving
I still keep seeing in-memory stacks, which were fine when they ran on a server in a basement. When you bring them to the cloud, the bill becomes indefensible, with millions in infrastructure costs for architectures that were never designed to scale horizontally on commodity hardware.
Then there are the likes of Databricks, Snowflake, and their peers that are great tools but not intended to run a high volume of interactive analytical queries. You will quickly run into concurrency and performance issues at scale. You will either see costs explode or strong limitations for users to explore data. An extreme example I heard recently: an analyst ran a single unoptimised query scanning a huge database on a Sunday night to meet a regulatory deadline, and the firm woke up on Monday to a six-figure bill. Now imagine that same behaviour, but with autonomous agents that don't get tired or bored, and will happily fire hundreds or thousands of queries to answer one question. Your costs will explode if you implement pay-per-use plus agentic AI without the right data layer underneath.
The boring answer is the right one: fixed-cost compute, high concurrency, performance at scale, and foundations that were already built for autonomous analysts before we wanted to operate agents.
How AI actually changes the game
Risk modernisation has historically been defensive. I recently heard this quote from a CRO, “The horse bolts, and then we're asked to install the lock.”
Agentic AI is the only thing I’ve seen in fifteen years that is driving the change from reactive to proactive. Firms are not re-platforming because a regulator has forced them to. They are doing it earlier, because the first serious agentic AI experiments make one thing obvious very quickly: the existing data stack will not survive contact with agents.
I liked an analogy I read recently from Anthropic: ”Why has AI advanced faster in coding than in biology? To agents, bio databases are like cities built before cars - maddening to drive in because they’re designed for different traffic.”
I think the same is true in capital markets. Our risk warehouses, regulatory data marts, and P&L stores were all built for overnight batches, static dashboards, Excel extracts, and static regulatory submissions. They weren’t designed for agents asking ad-hoc questions in real time. What makes the city drivable for agents is the semantic layer: a governed, queryable view that agents can actually navigate without getting lost.
But we need to be careful to separate two distinct worlds cleanly. Agents are great at replicating consistent, repetitive human thinking and executing workflows to orchestrate data cleansing, certification, explanation, exploration, and reporting. They’re not good at math or handling structured/tabular data. So you need to keep the deterministic numerical engine deterministic, and put the agentic layer on top, orchestrating rather than computing.
Today, most risk teams spend easily 90% of their day on data quality in the wide sense, with the actual risk management happening in the last hour, if at all. In an ideal world, agents do that preparation work overnight or in the background. The risk manager arrives at 9am and starts with validating the data cleaning that was prepared and moves to decisions instead of ending the day checking and cleaning data. Today’s reality is in between: accelerating and optimising a full day of work into a few hours, and getting support on risk analysis, contextual understanding, and action planning.
It also changes the staffing model. Today, too many smart people spend too much of their time preparing or waiting for data instead of interpreting risk. Firms typically have many junior employees (or employees outsourced to low-cost countries) doing data prep with a few senior people in London or NY doing analysis. This should be completely revamped, with AI handling the mundane and humans moving to the top to focus on judgement, creativity, validation, and explainability to the regulator. When mistakes happen, regulators won’t accept "the agent said so.”
Final thoughts
I truly believe that a modern agent-ready risk architecture in 2026 is a granular, fixed-cost, interactive data platform, with a financial semantic layer and an open architecture. With this, you are armed to deploy your agents. Agents sitting on top, not instead of the stack.
If you've spent years fighting for budget to fix your risk data foundations, AI has finally given your CFO a reason to say yes. The numbers are no longer theoretical: fewer manual reconciliations, fewer wasted cloud cycles, fewer people spending their day preparing data instead of analysing risk, and a real chance of deploying agents safely.
I think the gap will show faster than people expect. Not in ten years. Maybe not even in three. By the time we are back at Risk Live next year, some firms will already be using agents on trusted, explainable risk data. Others will still be trying to understand why their first PoC looked impressive in a demo and never made it to production.
Other articles


.jpg)
