AI is accelerating modernization projects that previously required months of analysis. But in highly regulated organizations, an uncomfortable reality quickly emerges: The risk is no longer in converting the code, but in demonstrating that the new version still does exactly what the old one did.
Almost every management committee has made the same decision this year: to apply artificial intelligence to their systems. And almost all discover the same thing when they delve into the details: AI is easy to add to the periphery — a chatbot, a copilot, a dashboard — and very difficult to integrate where it really matters, which is the legacy core. In banking, insurance, and much of the public sector, that core is still COBOL on a mainframe, with decades of patches and documentation that, to put it mildly, is incomplete.
That’s precisely where the regulatory risk lies. And that’s where most projects go off the rails.
I’ve spent three decades in regulated sectors, and the pattern repeats itself. The IT team approaches modernization as a delivery problem — deliver quickly, close tickets, move to production — when in a regulated sector, the problem is compliance. Success isn’t measured by what you deliver, but by what you can defend. Changing that mindset is half the battle.
The promise is enticing. Today, a language model can read thousands of lines of COBOL, document them, explain them, and propose an equivalent in Java or Python in a fraction of the time it would take a human team. It works. I’ve seen it accelerate analyses that previously took weeks.
The problem isn’t the code. The problem is the business rules that no one ever wrote down. In a migration project in a highly regulated banking environment, the biggest risk wasn’t in the routines, but in a calculation exception that had been running for 15 years and wasn’t documented anywhere: It existed only in the code and in the mind of a now-retired analyst. When you ask a model to “translate” that, it doesn’t translate; it fills in the gap with what statistically seems correct. And it does so with impeccable certainty.
On a dashboard, a hallucination is a troublesome error. In a financial institution’s calculation engine, it’s a compliance incident, a customer complaint, and potentially a penalty from the regulator.
The temptation, precisely because the tool is so fast, is to skip the slow part: reconstructing that logic with someone who understands it. That’s the worst possible decision. The speed of AI is seductive precisely at the point where making a mistake is most costly.
DORA has been in effect since January 2025 and is very clear: operational resilience, ICT asset management, business continuity, and third-party risk control. Modernizing the core addresses all four areas simultaneously. NIS2 adds the security and notification layer. And the AI Regulation introduces its own framework when the system you deploy is high-risk.
Although DORA, NIS2, and the EU AI Regulation pursue different objectives, they share a common requirement: the ability to demonstrate control, traceability, and accountability over deployed systems. This is the link between the three frameworks, and it’s what a modernization project must protect from day one.
It’s important to clear up a recent misunderstanding here. With the Digital Omnibus agreement of May 2026, the high-risk obligations of Annex III are postponed until December 2027. Many executives have interpreted the headline — “EU delays AI Law” — as a reprieve. This is a dangerous interpretation. Transparency obligations still apply in August 2026, synthetic content marking comes into effect in December 2026, and, most importantly, the underlying risk remains unchanged. An erroneous automated decision in 2026 still falls under the GDPR, under sector-specific regulations, and under the jurisdiction of the relevant supervisor. The deadline has been moved; the responsibility has not.
I don’t have a magic formula, but I do have five principles that I apply to every project of this type:
In a regulated sector, the CIO’s challenge is no longer simply to modernize legacy systems, but to do so in a way that withstands the scrutiny of auditors, regulators, and risk committees.
Leading one of these projects is no longer about coordinating deliveries; it’s about making the transformation defensible. It means saying no to a shortcut that would save two weeks but leave a gap without traceability. It means treating governance as an accelerator — because a well-documented change is approved faster — and not a brake.
AI is an extraordinary tool for organizations to overcome their legacy technical debt. But in banking, insurance, or public administration, uncontrolled speed is not an advantage: It’s a liability that surfaces at first inspection. Modernizing quickly can be a competitive advantage; modernizing with traceability, control, and defense capabilities is what makes it sustainable.
Therefore, I summarize what I’ve learned over the years as the following: A secure solution isn’t the slowest or the most expensive; it’s the one that survives the first audit.
José Enrique Ibarra is Interim CIO and AI Project Manager, with three decades of experience leading IT in regulated sectors—banking, insurance, energy, and public administration. His focus is on governing digital transformation and AI adoption under the AI Regulation, DORA, NIS2, GDPR, ISO 27001, and the Spanish National Security Framework (ENS), ensuring it withstands the scrutiny of auditors and regulators. He leads AI Forge, his applied AI initiative. He resides in Almería.