Operational Resilience & AI Governance

Operational Resilience, AI Governance & Regulatory Readiness for Asset Managers

  • Evidence DORA operational maturity across AIFMs, UCITS ManCos and delegates — with audit-ready frameworks that withstand EU supervisory scrutiny
  • Meet SEC FY2026 examination priorities on cybersecurity, operational resiliency, AI governance and Reg S-P for US-registered investment advisers and funds
  • Embed AI governance into trading algorithms, alternative data analytics and ML-driven compliance systems — aligned to EU AI Act, NIST AI RMF and SEC expectations
  • Pass institutional ODD scrutiny with structured evidence of resilience controls, incident management and board oversight
Book a Free Advisory Call

Why Leading Asset Managers Trust T3

Deep AIM Expertise

Hedge funds, PE, alternatives, UCITS and traditional managers — from front-office to operations to compliance

2/3 Big Tech

Delivered AI risk management for two of the three largest technology companies in the world

NIST · OECD · EU

Contributed to NIST AI RMF, OECD AI Principles, ISO 42001, EU AI Act & UK Safety Principles

The Challenge

2026: Regulators in the EU, UK and US Are All Raising the Bar — Can You Evidence Operational Maturity?

DORA's compliance deadline passed on 17 January 2025. For EU AIFMs, UCITS management companies and their critical ICT providers, 2026 is the first full year of active supervisory enforcement. Regulators are no longer asking whether frameworks exist — they are testing whether frameworks are genuinely embedded and functioning. The first annual Register of Information (ROI) submissions are due in Q1 2026, requiring detailed data on every ICT third-party arrangement. Firms that cannot produce audit-ready evidence of resilience testing, incident management and vendor oversight face real enforcement consequences.

In the United States, the SEC's FY2026 Examination Priorities place operational resiliency, cybersecurity, AI governance and Reg S-P compliance among the top cross-cutting themes for registered investment advisers and funds. The SEC will examine whether firms have robust incident response programmes, adequate third-party vendor oversight and genuine AI policies — including whether AI representations to clients match actual usage, whether human oversight is maintained over AI-driven decisions, and whether cybersecurity controls address AI-enabled threats. Smaller RIAs face a June 2026 deadline for compliance with the amended Reg S-P, requiring written incident-response programmes, 30-day breach notification and enhanced vendor security obligations.

In parallel, the UK FCA continues to deepen its engagement on operational resilience. Asset managers classified as enhanced-scope SMCR firms or dual-regulated by the PRA must evidence annual self-assessments and demonstrate that important business services remain within impact tolerances. Final UK rules on incident reporting and critical third-party provider oversight are anticipated in 2026, introducing more granular requirements to monitor cloud, fund admin and prime brokerage dependencies.

At the same time, AI is reshaping investment management. ML-driven trading strategies, alternative data analytics, GenAI research tools and AI-powered compliance systems are becoming operational dependencies. BaFin has already published specific guidance on ICT risks from AI usage in financial companies, recognising that DORA and the EU AI Act are two frameworks that financial entities must navigate simultaneously.

Institutional allocators now conduct deep operational due diligence covering technology infrastructure, compliance controls and cyber preparedness. Managers who cannot demonstrate structured, evidence-based resilience risk losing mandates — regardless of alpha generation.


Our Approach

Integrated DORA, OpRes & AI Governance — Purpose-Built for Asset Managers

T3 delivers a proportionate, unified programme that moves your firm from documented frameworks to evidenced operational maturity across the EU, UK and US regulatory landscape. We connect DORA's six pillars, SEC examination expectations and UK operational resilience requirements with AI risk governance into a single, attested capability — adapted to the size, complexity and risk profile of your firm, whether you are a multi-billion hedge fund, a cross-border UCITS platform or a boutique PE manager.

01. Regulatory Maturity Assessment & Gap Analysis

Stress-test your existing frameworks against supervisory expectations in every jurisdiction where you operate. We assess DORA enforcement readiness and ROI preparation for EU entities, SEC exam-readiness for US RIAs and funds, and UK FCA OpRes obligations — delivering a unified maturity heatmap and prioritised uplift roadmap.

02. ICT Risk Management Framework

Design or enhance your ICT risk management framework covering identification, protection, detection, response and recovery — with dedicated governance structures, risk appetite thresholds and board reporting lines.

03. Third-Party & ICT Vendor Governance

Criticality mapping across cloud providers, fund admins, prime brokers, data vendors and OMS/EMS platforms. We benchmark contracts against DORA Art 28–30, SEC third-party vendor oversight expectations and Reg S-P vendor security requirements, design exit strategies and build a complete Register of Information.

04. Resilience Testing & Scenario Design

Custom severe-but-plausible scenarios covering cyber disruption, cloud outages, prime broker failures, data corruption and AI model drift. Includes TLPT scoping for firms meeting the calibrated threshold and tabletop exercises for all others.

05. AI Governance for Investment Management

Model risk registers, bias audits, explainability standards and red teaming for ML-driven trading, alternative data, GenAI research and AI-powered compliance. Aligned to EU AI Act, NIST AI RMF, BaFin AI guidance and SEC expectations on AI policies, human oversight and accuracy of AI representations to clients.

06. ODD Readiness & AI Literacy Training

Prepare your firm for institutional operational due diligence with structured evidence packs. Role-specific AI literacy and responsible AI training for portfolio managers, risk teams, compliance officers and boards.

Engagement Process

From Gap Analysis to Regulator-Ready Evidence

1. Scope & Perimeter Definition (Weeks 1–2)

Identify in-scope entities across jurisdictions — EU AIFMs, UCITS ManCos and delegates under DORA; US-registered RIAs and funds subject to SEC examination; UK firms under FCA OpRes. Map applicable requirements per entity and define what "critical or important function" means for your operating model.

2. Maturity Assessment & ROI Preparation (Weeks 2–5)

Stress-test current governance, risk management, policies and contracts against supervisory expectations — not just DORA text. Prepare or validate your Register of Information for Q1 2026 submission. Deliverable: maturity heatmap, ROI readiness report and prioritised uplift roadmap.

3. Framework Design & Vendor Governance (Weeks 4–9)

Design or adapt your ICT risk management framework, incident reporting procedures, business continuity plans and third-party governance structures. Benchmark and remediate vendor contracts against DORA's contractual requirements.

4. Resilience Testing & AI Red Teaming (Weeks 8–13)

Execute scenario tests covering cyber, third-party disruption, AI model failure and combined stress events. For firms meeting TLPT thresholds, we scope and facilitate threat-led penetration testing. For all others, structured tabletop exercises and AI red teaming.

5. Evidence Packs, Reporting & Ongoing Assurance (Weeks 12–16+)

Compile regulator-ready evidence packs for DORA supervisory review, SEC examination and UK FCA self-assessment. Deliver board reporting templates, ODD documentation and SEC compliance programme artefacts. Establish repeatable annual review cycles and optional independent assurance for fund boards and institutional allocators.

DORA Framework

DORA's Six Pillars — How We Address Each for Asset Managers

DORA is structured around six interconnected pillars. With enforcement now live and the first ROI submission due in Q1 2026, T3 helps you move from documented frameworks to evidenced, supervisor-ready operational maturity — proportionate to your firm's operating model, delegation structures and risk profile.

DORA Pillar                      | What T3 Delivers
1. ICT Risk Management           | Comprehensive framework with governance structures, risk appetite definition, board reporting lines and annual review methodology
2. ICT Incident Reporting        | Incident classification, escalation procedures, regulatory reporting templates and timelines aligned to ESA technical standards
3. Digital Resilience Testing    | Scenario design, tabletop exercises, TLPT scoping and execution support — including AI-specific failure modes
4. Third-Party Risk Management   | Register of Information, contractual gap analysis against Art 28–30, exit strategies, substitutability assessments and vendor audit support
5. Information Sharing           | Threat intelligence sharing arrangements and protocols compliant with DORA's information-sharing provisions
6. Governance & Oversight        | Board accountability structures, designated ICT risk ownership, management body training and evidence of active oversight

Regulatory Landscape

Key Regulations Affecting Asset Managers in 2026

Regulation                 | Status                                           | Impact on Asset Managers
EU DORA                    | In force — first full supervisory year           | AIFMs, UCITS ManCos and critical ICT providers must evidence embedded frameworks, testing and vendor oversight
EU AI Act                  | Phased from Aug 2025                             | High-risk obligations for AI in credit scoring and risk assessment; AI literacy requirements for all deployers
UK FCA OpRes               | Full regime — final rules on CTPs expected 2026  | Enhanced-scope SMCR firms and dual-regulated managers face annual impact-tolerance self-assessments
BaFin AI Guidance          | Published Dec 2025                               | Non-binding guidance on ICT risks from AI — requires DORA and EU AI Act to be addressed jointly
ESMA LMT Guidelines        | Revised — RTS effective Apr 2026                 | Updated liquidity management tool requirements for open-ended AIFs with operational resilience implications
ESA–UK MoU                 | Signed Jan 2026                                  | Deepened EU–UK supervisory cooperation on critical ICT third-party oversight
SEC FY2026 Exam Priorities | Published Nov 2025 — active                      | Operational resiliency, cybersecurity, AI governance and third-party vendor oversight are cross-cutting exam themes for RIAs and funds
SEC Reg S-P (Amended)      | Smaller RIAs — Jun 2026 deadline                 | Written incident-response programme, 30-day breach notification, enhanced vendor security obligations for customer data protection
NIST AI RMF 1.0            | Voluntary — US benchmark                         | Voluntary US framework for AI risk management — increasingly referenced in SEC exam reviews and institutional ODD questionnaires

Proof of Impact

How We Have Helped Regulated Firms

Use Case

Responsible AI Framework for a Global Tech Firm

T3 augmented and operationalised a Responsible AI framework meeting regulatory requirements across the EU, UK and US. We enhanced RAI principles, formed a dedicated AI Ethics Board, developed fairness and impact testing methodologies, established a tiered transparency reporting process and conducted regular audits to monitor bias, performance and compliance.

Result: Streamlined compliance processes with measurable ROI improvements and market-leading AI initiative credibility.

Use Case

AI Literacy Programme for a Regulated Bank

We assessed current literacy levels, defined tailored learning objectives aligned with EU AI Act requirements, developed e-learning modules and interactive workshops, and established continuous feedback loops. The programme addressed foundational AI gaps, regulatory confusion, cultural inertia and the heightened risk of biased AI outcomes.

Result: Increased staff confidence and AI proficiency, reduced AI-related risks and stronger competitive advantage through responsible AI adoption.

Awards & Recognition

Winner — 2025 AI Leader of the Year, Women in Governance Risk & Compliance

Winner — 2025 North America AI Leader of the Year, Women in AI

Top 33 — 2025 Women Shaping the Future of Responsible AI, She Shapes AI

Who This Is For

Asset Management Leaders Navigating Global Resilience & AI Risk

COOs & Heads of Operations

Embedding DORA into day-to-day operating models and vendor management

CROs & Risk Teams

Integrating ICT and AI model risk into enterprise risk taxonomy

CCOs & Compliance

Meeting DORA reporting obligations, SEC exam priorities, EU AI Act requirements and FCA expectations

CTOs & IT Directors

Governing ICT assets, cloud vendors and AI infrastructure

Fund Boards & ManCo Directors

Exercising oversight and requesting DORA assurance from delegates

Investor Relations & ODD Teams

Providing institutional allocators with structured resilience evidence

Frequently Asked Questions

Global Operational Resilience & AI Governance

Does DORA apply to my hedge fund or PE firm?

DORA applies to EU-authorised AIFMs (excluding sub-threshold AIFMs) and UCITS management companies. Non-EU AIFMs that manage or market AIFs in the EU may also be in scope. DORA does not apply directly to externally-managed funds, but fund boards should request DORA compliance confirmation from their ManCos. The proportionality principle allows firms to calibrate their compliance effort to their size and complexity.

What about UK-only asset managers?

The UK operational resilience regime has a narrower scope than DORA and focuses on firms regulated by both the FCA and PRA, or classified as enhanced-scope SMCR firms. However, the FCA is expected to finalise new rules on incident reporting and critical third-party providers in 2026. Additionally, the ESA–UK MoU signed in January 2026 deepens cooperation on cross-border ICT oversight, meaning UK firms with EU-regulated delegates may face indirect DORA obligations.

What are the key US requirements for asset managers in 2026?

The SEC's FY2026 Examination Priorities make operational resiliency, cybersecurity and AI governance cross-cutting examination themes for registered investment advisers and funds. Examiners will review whether firms have robust incident response programmes, adequate third-party vendor oversight, and genuine AI governance policies — including whether AI tool representations to clients match actual usage and whether human oversight is maintained. The amended Regulation S-P requires written incident-response programmes and 30-day breach notification, with a June 2026 deadline for smaller firms. US managers with EU-authorised delegates must also consider DORA obligations flowing through their delegation arrangements.

Why do asset managers need AI governance specifically?

ML-driven trading algorithms, alternative data analytics, GenAI research tools and AI-powered compliance systems are becoming core operational dependencies. BaFin has published specific guidance recognising that DORA and the EU AI Act must be addressed jointly. Institutional allocators increasingly include AI governance in their ODD questionnaires. Firms without structured AI risk management face both regulatory and commercial risk.

How long does a DORA enforcement-readiness engagement take?

A comprehensive programme runs 12–16 weeks. Modular engagements are available: DORA maturity assessment and ROI preparation (3–5 weeks), third-party governance review (4–6 weeks), resilience testing and scenario design (4–6 weeks) or AI governance framework build (6–10 weeks). For firms that achieved initial compliance in 2025, we focus on closing the gap between documented frameworks and evidenced operational maturity.

What is T3's specific credibility in this area?

T3's Head of Responsible AI, Jen Gennai, founded Google's Responsible Innovation team and contributed directly to the NIST AI RMF, OECD AI Principles, ISO 42001, the EU AI Act and UK Safety Principles. T3 team members have delivered AI risk management for two of the three largest technology companies globally. Our risk and regulation specialists bring deep financial services experience from BNP Paribas, Credit Suisse, the FCA, the ECB and other leading institutions.

Ready to Evidence Operational Maturity & AI Governance Across the EU, UK and US?

Book a free advisory call with our asset management resilience and AI risk specialists. We will assess your enforcement readiness across every jurisdiction where you operate and outline a proportionate path from documented frameworks to evidenced operational maturity.


Or contact us directly   |   UK: +44 20 8087 0917   |   US: +1 213 659 0224