The Governance Moat: What Founders and Firms Get Wrong About Competitive Advantage

A tale of two banks.

I know — you're here for AI, not banking. But stay with me, because this isn't really a banking story. It's a governance story. And what happened between these two institutions is the clearest example I've found of what it actually costs when governance is an afterthought — and what it's worth when it isn't.

In 2015, Wells Fargo was the most valuable bank in the world by market capitalization — worth $301 billion, a full $40 billion more than JPMorgan Chase. It was growing fast. Its cross-selling model — getting customers to open multiple accounts — was celebrated on Wall Street as a masterclass in relationship banking.

Then it unraveled.

Employees had been opening millions of fake accounts in customers' names to hit aggressive sales targets. Nobody at the board level was watching.

When it surfaced — through a city attorney's investigation, a CFPB enforcement action, and a Senate Banking Committee hearing that became a national spectacle — the question wasn't just what the employees had done. It was what the board knew, what oversight existed, and who was accountable.

The answer, it turned out, was: not much.

The fines totaled over $3 billion. The CEO resigned, forfeited $41 million in stock, and was later barred from the industry. The Federal Reserve imposed an asset cap in 2018, restricting Wells Fargo from growing beyond $1.95 trillion until it fixed its governance. That cap wasn't lifted until June 2025.

On the same day the initial CFPB fine was announced in September 2016, Wells Fargo's market cap fell below JPMorgan's for the first time since 2013. It never went back.

Today, Wells Fargo is worth approximately $250 billion — less, in nominal terms, than it was in 2015. During one of the longest bull markets in history, Wells Fargo went backward. JPMorgan, meanwhile, grew to nearly $700 billion.

While Wells Fargo spent seven years frozen — paying fines, replacing leadership, and rebuilding oversight structures it should have had all along — JPMorgan was growing. Under Jamie Dimon, JPMorgan had long championed what he called the "fortress balance sheet": a deliberate philosophy of treating risk management, governance, and controls not as a cost center, but as a core strategic investment.

That posture meant that when Wells Fargo stumbled, JPMorgan was the credible alternative — for enterprise clients, for institutional relationships, for the regulated industries that needed a counterparty they could trust. It captured what Wells Fargo couldn't pursue. It compounded. The asset cap didn't just slow Wells Fargo down. It handed JPMorgan a head start it has never needed to give back.

That's the story most financial services firms deploying AI aren't thinking about. Not because they're doing anything wrong. But because when governance is an afterthought, you don't find out the cost until it's already compounded — in lost revenue, amplified regulatory risk, and a market position that quietly shifted to a competitor who made different choices earlier.

Financial services firms deploying AI are earlier in that curve. The governance failures haven't fully surfaced yet. But the infrastructure decisions being made right now — what to validate, what to document, who owns accountability — will determine who the Wells Fargos and who the JPMorgans are in five years.

That's what this piece is about.

The Category Error Most Leaders Are Making

Here's what I see happening.

A company builds genuinely differentiated AI technology. Revenue is growing. Investors are excited. And when someone brings up governance — model validation, AI risk frameworks, disclosure accuracy, board oversight — the response is some version of:

"We'll get to that. Right now we need to sell."

That instinct is understandable. It's also a category error.

The same pattern plays out inside financial services firms deploying AI. Leadership sets firm-wide adoption targets. AI gets embedded into goals and performance metrics across the organization — often faster than the infrastructure to govern it. Misaligned incentives creep in. And without a deliberate approach to which tools belong where and how they should integrate or be walled off from each other, what starts as an AI strategy becomes a patchwork.

Without a comprehensive and focused business strategy, the revenue projections and cost savings written into the business case are often misguided and won't materialize. And when someone brings up governance — the response is the same:

"We'll get to that. Right now we need to deploy."

Another category error.

Governance isn't the cost you pay to stay in the game. It's the moat you build to stay ahead. And right now, in financial services, AI governance is one of the highest-variance competitive attributes in the market — which means it's one of the few places where firms can still create real separation from the pack.

The thing that makes a strategic position durable, though, isn't just that it's valuable. It's that building it requires real trade-offs — and those trade-offs make it genuinely hard to copy. That's the part most financial services leaders aren't focused on yet.

Operational Effectiveness Is Not Strategy

There's a distinction that most companies never fully internalize, and it costs them:

• Operational effectiveness means doing what everyone else does, but doing it better — faster, cheaper, with fewer defects.
• Strategic positioning means doing something fundamentally different.

The problem with operational effectiveness alone is that best practices spread. When every company benchmarks against the same leaders, adopts the same tools, and hires from the same talent pool, they converge. They get better together. But relative to each other, nobody pulls ahead.

You end up with a market full of companies that look increasingly identical, competing harder and harder for the same customers on the same dimensions — what Michael Porter famously called "competitive convergence." Companies run faster just to stay in place.

In AI, this is already happening. Access to powerful models is becoming increasingly democratized — what cost millions to build two years ago is available to any firm via an API today.

But for financial services firms, democratized access isn't the differentiator. The AI companies that will win in this market are those that have built enterprise-grade governance, data controls, and security into their products from the ground up — not bolted them on after the fact. That's where the real exposure lies for financial services firms evaluating third parties: not whether the model is powerful enough, but whether the company behind it has built something you can actually deploy, defend, and stand behind in a regulated environment.

Here's what it looks like when that doesn't happen:

Weight vs. Variance: The Most Underused Concept in Strategy

There's a framework I find myself coming back to constantly in this work: the distinction between weight and variance.

The strategic mistake most companies make is over-investing in things that are high weight but low variance. You have to do them. But they won't help you pull ahead.

Think about product security in enterprise SaaS circa 2015. Every buyer cared about it. Every vendor claimed to have it. SOC 2 reports were table stakes — you couldn't get in the door without one. But having a SOC 2 didn't close deals, because everyone had one. High weight, low variance.

AI governance is at a similar inflection point today — except the gap between leaders and laggards is still wide enough that early movers can build something real. Everybody says they take AI risk seriously. Very few companies have the infrastructure to prove it. That gap is the opportunity.

This framework applies equally to AI companies and to financial services firms — the calculus is the same on both sides of the table.

Why the Variance Is Spiking Right Now

Several things are happening simultaneously that are turning governance from a low-variance table-stakes item into a genuine differentiator.

The Bar for Institutional Trust Is Rising

Your clients, counterparties, and distribution partners are now asking detailed questions about AI governance — and the sophistication of those questions is increasing faster than most firms realize. The questions sound like this:

• A global custodian evaluating an AI-assisted fund accounting tool: How was the model validated? Who owns the risk when it miscalculates a NAV? What's the audit trail when a client calls to challenge the numbers? And if the model is wrong, how many funds are affected simultaneously — because at scale, a single calculation error doesn't stay contained to one client.
• A financial services firm evaluating an AI underwriting tool: How was bias tested? What audit trail exists? Who signed off on deployment?

In regulated industries, not having answers is already disqualifying. And the firms that show up with real governance infrastructure are the ones that stand out. The data makes clear how wide the gap has become:

• According to McKinsey, 88% of organizations now use AI in at least one business function — yet only 18% have enterprise-wide governance councils with the authority to make responsible AI decisions.
• Stanford's AI Index 2025 found that while 78% of organizations deployed AI in 2024, only 11% have fully implemented fundamental responsible AI capabilities.
• A 2024 Gartner survey found that 80% of large organizations claim to have AI governance initiatives — but fewer than half can demonstrate measurable maturity.

The pattern across every major study is the same: deployment is racing ahead of governance, and the gap is widening.

Regulators Have Moved From Signaling to Acting

The SEC has made AI disclosures an examination priority. U.S. states are filling the federal vacuum fast, and the patchwork is getting denser by the quarter. But the firms and AI companies that will pull ahead aren't building governance infrastructure to satisfy regulators. They're building it because understanding the AI ecosystem — what tools are in the stack, how they interact, where the data goes, who owns the risk — is what smart, sustainable AI deployment actually requires.

The regulatory posture follows. The competitive advantage follows. The companies that treat governance as a minimum requirement will spend the next few years in catch-up mode — reactive, distracted, and expensive. The ones that treat it as a business imperative will spend those years compounding.

What You Validated May Not Be What You're Running

Most firms assume that once an AI tool is validated and deployed, what they validated is what they're running. A well-documented episode from early 2026 illustrates why that assumption is dangerous.

From March 4 to April 20, 2026, three overlapping changes to one of the most widely-used AI coding tools — two deliberate product decisions, one a software bug — degraded the model's reasoning quality for users across the world. An engineer's analysis of nearly 7,000 sessions documented a 67% drop in reasoning depth. Third-party benchmarks showed accuracy falling more than 15 percentage points. Users described it as "AI shrinkflation."

The third party said nothing for weeks. Complaints were initially attributed to user behavior. The postmortem came only after the backlash reached critical mass — more than six weeks after the first change was introduced.

This isn't a story about a bad company doing bad things. It's a story about what happens when a third party changes a model's configuration — deliberately or accidentally — without telling you. Configuration changes, system prompt updates, caching behavior, reasoning effort defaults — all of these can fundamentally alter how an AI system performs without the underlying model weights changing at all.

For financial services firms, this is a direct governance gap. The model you validated may not be the model serving your clients. If you don't have a third-party notification protocol, change management testing, and ongoing performance monitoring built into your AI governance framework — you're flying blind. And in regulated industries, "we didn't know the model had changed" is not a defensible answer.

The Personal Stakes for Leadership Are Rising

That's not a hypothetical risk profile anymore. AI-related securities class actions are now the leading category of event-driven litigation — filings doubled in 2024 and kept accelerating into 2025.

Courts are actively extending longstanding director liability frameworks to AI oversight failures, and the questions being asked in boardrooms, by investors, and by other stakeholders are now the same ones regulators are asking in examination rooms.

The Winners Are Already Pulling Away

PwC's 2026 AI Performance study found that roughly 74% of AI's economic value is being captured by just 20% of companies. That's not a mild skew — it's a rout.

The top performers aren't simply deploying more AI tools or spending more on the technology. What separates them is that they use AI as a growth and reinvention engine — and they build governance and trust foundations alongside it. AI-leading companies are 1.7 times more likely to have a documented responsible AI framework and 1.5 times more likely to run a cross-functional AI governance board. The governance wasn't overhead. It was part of how they built something that could actually scale — and trust, it turns out, is worth a lot.

What the Moat Actually Looks Like

The most durable competitive assets share a common characteristic: they compound over time and can't be purchased overnight. They're built through years of consistent investment, and the value lies not in any single piece but in the accumulated depth of the whole.

AI governance infrastructure is exactly that kind of asset.

None of that can be replicated by a competitor in a quarter. It takes years to build. It gets more valuable the longer you've had it.

And it creates a 'toll bridge' effect. In regulated markets, buyers aren't just asking who has the best features — they're also asking who can actually be trusted. Governance doesn't just help you compete. It determines whether you're on the list at all. And the companies that get on that list first don't just win early deals — they build the audit history, the regulatory relationships, and the client references that make the list harder to crack for everyone who comes after.

For financial services firms, the implication runs in both directions. When regulators examine your firm, they follow the third-party chain. If your vendor's documentation doesn't exist, you have a problem with your examiner. And your vendor has a problem with you. The vendors building governance infrastructure now are the ones who will support your regulatory posture over time. The ones that aren't will become a liability — slowly, then suddenly.

Think about what serious governance commitment actually requires you to give up:

• Data that would make your model better. Declining training data that carries legal or ethical liability — commercially attractive sources with murky provenance, buried consent issues, or bias you can't audit out.
• Speed to market. Losing deals to a competitor who moves faster because they skip the validation you won't skip. You won't always know that's why you lost. But sometimes you will.
• Engineering capacity. Spending cycles on auditability, explainability, and audit trails — infrastructure that never shows up in a demo but is what makes the whole system defensible.
• Model capability. Choosing a less powerful but explainable model over one you can't audit — because in financial services, if you can't stand behind the output, you can't deploy it.

None of that is free. And a competitor who tries to bolt governance on top of a fast-and-loose deployment culture — without making those underlying trade-offs — will face the same problem Continental Airlines did when it tried to compete with Southwest.

Southwest had built its entire operation around one model: short routes, fast turnarounds, no frills, low cost. Every part of the business reinforced every other part.

Continental tried to copy the cheap fares on select routes while keeping its full-service operation running everywhere else. It didn't work — because the low prices were never the strategy. They were the output of a thousand interlocking decisions Southwest had made from day one. Copy the price without copying the system, and you just lose money.

Three Places to Start

You don't need to boil the ocean. Focus on the things that are high weight and high variance — the areas where deliberate investment will actually move the needle on your competitive position and regulatory preparedness. Right now, three areas offer the highest return.

1 — Know What You're Running

Start with a simple question: if your board, a client, or another key stakeholder asked you right now to list every AI model that touches sensitive data — could you answer in an hour?

Most can't. And the problem is often more surprising than people expect. For financial services firms, it's not just the AI tools they deliberately deployed — it's the AI embedded in their CRM, their HR systems, their finance platforms, often without anyone having explicitly decided to bring AI into those workflows.

For AI companies, the same blind spot exists in reverse — they're often so focused on what they're building that they lose track of what they're using. Third-party transcription tools sitting in on client calls. Open-source models running lead scoring. Anthropic or OpenAI powering internal workflows that touch client data. Nobody owns it. Nobody catalogued it.

Build the inventory — every model, every third-party AI tool, every AI-assisted workflow — with ownership, use case, and data sources documented. The practical stakes are real:

• Using OpenAI for contract summarization? That's one data flow and one set of terms.
• Anthropic for customer support drafts? Different model, different risk profile.
• A fine-tuned open-source model for lead scoring? Potentially a different regulatory obligation entirely.
• A third-party transcription tool sitting in on client calls? Someone needs to own that.

You can't validate what you haven't catalogued. You can't manage third-party risk if you don't know your dependencies. And when the question comes — from your board, a client, or a key stakeholder — you want the answer to already exist.

Knowing what you're running also means knowing how it's performing over time. Your AI inventory isn't static — third-party updates, configuration changes, and infrastructure decisions can alter model behavior without you being notified. Build into your governance framework the expectation that third parties will inform you of material changes, and the capability to detect when something has shifted — before your clients or your regulator notices first.

2 — Get Your Story Straight

Audit every place where you describe your AI capabilities — client agreements, marketing materials, pitch decks, your website, and regulatory filings if applicable.

The question isn't just "is this accurate?" It's "could a reasonable person read this and form an expectation we can't meet?"

That distinction matters more than it used to. The SEC has explicitly flagged "AI washing" — overstating or misrepresenting what your technology actually does — as an enforcement priority. A few places companies commonly get this wrong:

• Marketing copy that describes AI capabilities in aspirational terms that don't match the current product
• Client agreements that don't define what's AI-generated versus human-reviewed
• Pitch decks that imply proprietary AI when the underlying models are third-party APIs

The risk isn't hypothetical — and it isn't isolated to any one type of firm.

Sullivan & Cromwell, one of the most sophisticated law firms in the world, made headlines this year when AI-generated content in its work contained hallucinated details. They weren't trying to mislead anyone. They simply didn't have the oversight to catch it before it went out the door.

In 2025, Deloitte's Australian member firm submitted a $290,000 government report on welfare enforcement that contained fabricated academic references, a quote falsely attributed to a federal court judge — with the judge's name misspelled — and citations to papers that don't exist. The original report made no mention of AI. It took an outside researcher to catch it. Deloitte's own internal review attributed the errors to human error — meaning reviewers looked at the AI-generated content and still missed it. A revised version was published after media scrutiny. Deloitte refunded the final payment installment.

That's the exposure. Not in a startup. Not in a firm cutting corners. In two of the most sophisticated organizations in their respective fields — and in both cases, it was caught from the outside, not from within. If it can happen to them, it can happen to you.

3 — Assign Real Ownership

Think about how financial controls evolved in most companies. For years, "everyone was responsible" for the numbers — the CEO, the business unit heads, whoever kept the books. Then at some point, the company named a CFO. Put it in one person's job description. Created a reporting cadence to the board. And suddenly, accountability was real.

That moment has arrived for AI governance — and the data makes the case clearly:

• Grant Thornton's 2026 AI Impact Survey found that 78% of executives lack confidence they could pass an independent AI governance audit within 90 days. Their diagnosis: leadership deployed AI without defining who owns the outcomes.
• McKinsey's 2026 AI Trust survey found that organizations with named AI governance ownership score materially higher on governance maturity — and yet only 28% of organizations report that the CEO takes direct responsibility for AI governance at all.
• Deloitte found that enterprises where senior leadership actively shapes AI governance achieve significantly greater business value than those that leave it to technical teams.

The pattern is consistent across every major study: ownership drives outcomes. The absence of ownership drives risk.

Designate someone at the senior leadership level — not AI product, not AI engineering — with explicit accountability for AI risk, validation, oversight, and disclosure. It needs to be:

• A named person with it in their job description
• A regular reporting cadence to the board or a relevant committee
• Clear authority to slow or halt a deployment when the risk isn't understood

One important distinction: ownership doesn't mean unrestricted access. Naming someone accountable for AI governance isn't the same as giving them visibility into every model, every data source, or every system. The risks of getting this wrong are real and specific — a data engineer building a model shouldn't have access to executive communications, and a senior leader overseeing AI governance shouldn't suddenly have visibility into every HR and finance record.

Poorly scoped access can introduce the very risks governance is designed to prevent. The goal is clear accountability with appropriate oversight mechanisms — not a new vector for data exposure.

The Compounding Logic

Here's what makes this more than just a checklist: these three investments don't sit in isolation. They reinforce each other — and that reinforcement is where the real strategic value lives.

A competitor who copies just one element gets almost nothing. They have to match the whole chain. And by the time they're trying, you've had another year of compounding.

Salesforce is the clearest proof of concept. Today it holds more CRM market share than Microsoft, Oracle, Adobe, and SAP combined — and 90% of Fortune 500 companies run on it. The product is excellent.

But in regulated industries, a significant reason competitors with comparable functionality lost wasn't the features. It was the trust infrastructure Salesforce built over a decade — the security certifications, audit logs, data residency controls, and compliance documentation that made it the low-risk, defensible choice. Governance didn't slow Salesforce down. It became the moat.

That's what governance infrastructure does over time. The company that builds it now will have something in 2029 that no competitor can buy: a history of how their models have performed, a pattern of regulatory engagement that demonstrates good faith, and client relationships built on genuine transparency.

The framing I'd encourage every AI-native CEO to hold: governance isn't the thing that slows you down. It's the moat that lets you move faster than your competitors can follow — into regulated markets they can't enter, enterprise deals they can't close, and client relationships they can't replicate.

The companies that build this infrastructure now will be bigger, stickier, and harder to displace.

For financial services firms, the framing is the same but the stakes are different. Governance infrastructure isn't the thing that slows down AI deployment. It's what makes deployment defensible — to your board, to your regulators, to your clients, and to the counterparties who need to trust that what you've built will hold up under scrutiny.

The firms that get this right won't just be more compliant. They'll be more trusted, more resilient, and harder to displace.