ING: Governing AI Before It Governs You

In this conversation, Marco Li Mandri of ING lays out a clear, structured view of what responsible AI deployment actually requires inside a global bank. While much of the industry conversation focuses on what AI can do, Li Mandri is firmly focused on what must be in place before it is allowed to do it.

He describes ING’s approach as resting on three non-negotiable pillars. The first is purpose and permission. AI must be used only where there is a clear justification — either because it is mandated by regulation or because the customer has explicitly given consent. Without this foundation, no technical sophistication can make an AI use case acceptable. Purpose defines legitimacy.

The second pillar is process. Li Mandri explains that generative AI introduces an entirely new category of risk — far beyond what traditional models or rules-based systems created. In response, ING has implemented a dedicated GenAI risk assessment framework, designed specifically to evaluate the unique risks this technology brings. This framework considers more than one hundred distinct risk factors, allowing ING to examine issues individually rather than treating AI risk as a single abstract concern. From bias and hallucination to explainability and misuse, each risk is assessed deliberately and transparently.

But purpose and process alone are not enough. The third pillar is productisation. AI governance cannot live in policy documents or slide decks — it must be embedded directly into the product itself. Li Mandri explains that ING’s AI and GenAI platforms are built as robust systems with humans firmly in the loop, real-time monitoring, and automated detection of anomalies or errors. AI systems actively flag when something is going wrong, allowing teams to intervene quickly and remain in control.

This embedded governance model is critical. Rather than relying on periodic reviews or retrospective audits, ING monitors accuracy, behaviour, and hallucination risk continuously. Control is not an afterthought — it is designed into how the product operates every day.

What emerges is a picture of AI not as an experiment, but as a managed capability. ING is not trying to eliminate risk — an impossible task — but to understand it deeply, isolate it clearly, and control it consistently. This approach allows the bank to innovate while remaining compliant, resilient, and trustworthy.

Li Mandri’s message is pragmatic and cautionary in equal measure. AI’s power demands discipline. Institutions that rush to deploy without purpose, process, and embedded control risk losing trust long before they gain value. ING’s approach shows that moving fast and staying in control are not opposites — but only if governance comes first.