A CIO's actual week
Picture a normal week for a CIO. On Monday, the CFO asks why cloud spend jumped eleven percent last quarter. On Tuesday, a software publisher opens an audit and wants a defensible record of every license in use. On Wednesday, the board asks whether the AI program is producing returns or just costs. On Thursday, an operating partner asks for the number behind a vendor-consolidation thesis. On Friday, internal audit asks you to reproduce a figure you reported six months ago.
Every one of those five questions has the same hidden requirement. The answer has to be the same answer every time someone asks it, and you have to be able to show your work. That is not a reporting nicety. In a regulated decision, it is the difference between a number you can defend and a number you merely possess.
The core thesis, in plain English
Same data in, same answer out, every time. In exploratory work — drafting, brainstorming, summarizing — variability is tolerable and often useful. In a decision you may have to defend to an auditor, a regulator, a board, or a court, variability is a liability. A system that cannot reproduce its own output cannot be audited, and an organization that cannot reproduce its own decisions cannot defend them.
This is not a claim against artificial intelligence. It is a claim about where each kind of computation belongs. Numbers, classifications, and benchmarks that carry accountability should be produced deterministically. Language generated around those numbers can be AI-assisted, provided it is bounded and the underlying figures are already fixed.
A system that cannot reproduce its own output cannot be audited.
What each kind of system can and cannot do
The two architectures are not interchangeable. The table below shows which capabilities each one can deliver inside a financial decision that has to hold up under scrutiny.
| Capability in a financial decision | Deterministic system | Probabilistic system (LLM) |
|---|---|---|
| Same input produces same output | Yes, by definition | Not guaranteed, even at temperature 0 |
| Output can be reproduced on demand for audit | Yes | No |
| Computation path can be reconstructed step by step | Yes | Post-hoc approximation only |
| Generates fluent narrative language | Limited | Strong |
| Handles ambiguous, unstructured input | Limited | Strong |
| Suitable for an exploratory first draft | Overkill | Well suited |
| Suitable as the system of record for a defensible number | Yes | No |
What this means for the buyer
If your AI system cannot reproduce a number on demand, you do not own that number — you rent it from a process you cannot inspect. For a CIO or CFO accountable under SOX, model-risk guidance, or a vendor audit, that is an unfunded liability sitting inside the technology stack. The buying question is no longer “is the AI accurate?” It is “can we reproduce and defend what it produced?”
Regulatory note
Regulators have moved. On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2, revised guidance on model risk management. It explicitly excludes “deterministic rule-based processes and software where there are no statistical, economic, or financial theories underpinning their design or use” from the definition of a regulated model, while carving generative and agentic AI out of the guidance entirely as “novel and rapidly evolving.” Deterministic architectures now sit in a lighter-touch regulatory category; generative AI sits in a governance gap.
— Federal Reserve SR 26-2 / OCC Bulletin 2026-13 (April 17, 2026)
You do not own that number — you rent it from a process you cannot inspect.
The Audit Problem in Enterprise AI
The failure mode in enterprise AI is structural, not a defect to be patched in the next release. Three documented cases make the point — and a fourth explains why the others were not isolated incidents.
What “deterministic” actually means
The authoritative definition comes from the NIST Computer Security Resource Center: a deterministic algorithm is “an algorithm that, given the same inputs, always produces the same outputs.”1 A stochastic system, by contrast, “yield[s] outputs that are estimates of the real output, reflecting the influence of randomness.”1
From that single property follows a chain that financial controls depend on. Determinism gives you reproducibility — the ability to rerun a computation and get the same result. Reproducibility gives you auditability — the ability to reconstruct, step by step, why a specific output followed from a specific input. Break the first link and the other two fall.
Why large language models are not reproducible — even when configured to be
Atil and colleagues tested five commercial LLMs at temperature 0 with a fixed seed and identical infrastructure — settings that should produce identical output every run. They found “accuracy variations up to 15% across naturally occurring runs,” and “none of the LLMs consistently delivers repeatable accuracy across all tasks, much less identical output strings.”2
The plain-language explanation is batch non-invariance. When you send a request to a hosted model, the server packs your request into a batch with other users' requests to use the hardware efficiently. The exact arithmetic performed on your request depends on which other requests happen to share the batch, and that composition is effectively random from your point of view. Floating-point math is not perfectly associative, so the same prompt run twice can take a slightly different numerical path and land on a different answer. This is not a bug awaiting a fix. OpenAI's own documentation states determinism “is not guaranteed” and that outputs will “mostly” match — and the word “mostly” is regulatory poison for a financial system.
“Mostly” is regulatory poison for a financial system.
The Regulatory Tailwind
Regulators have moved faster on this question in the last eighteen months than in the previous decade. Four sources tell the story.
SR 26-2 (April 17, 2026)
The joint Fed/OCC/FDIC guidance narrows the definition of a “model” to require a statistical, economic, or financial theory, and explicitly excludes “deterministic rule-based processes and software where there are no statistical, economic, or financial theories underpinning their design or use.”3 It states that “generative AI and agentic AI models are novel and rapidly evolving” and “are not within the scope of this guidance” — while noting that governance expectations still apply.3 Deterministic architectures gain a lighter regulatory footprint. Generative AI sits in a defined gap.
EU AI Act (Regulation EU 2024/1689)
Recital 58 classifies credit and creditworthiness AI as high-risk because such systems “determine those persons' access to financial resources.”4 High-risk systems must satisfy a risk-management system (Article 9), technical documentation (Article 11), automatic logging over the system's lifetime (Article 12), transparency to deployers (Article 13), human oversight (Article 14), a quality-management system (Article 17), and log retention of at least six months (Article 19).4
NIST AI RMF 1.0
The U.S. federal trustworthy-AI vocabulary organizes work into GOVERN, MAP, MEASURE, and MANAGE, and defines seven characteristics of trustworthy AI. It states that “accountability presupposes transparency” and that “explainable systems can be debugged and monitored more easily, and they lend themselves to more thorough documentation, audit, and governance.”5
ISO/IEC 42001:2023 and BIS FSI Paper No. 24
ISO/IEC 42001 is the first certifiable AI management system standard.6 The Bank for International Settlements stated plainly in September 2025 that for LLMs, “the model's output may vary even when the input remains unchanged,” and that a supervisor “is unlikely to trust the results of an AI model if its results cannot be understood.”7
Deterministic architectures gain a lighter regulatory footprint. Generative AI sits in a defined gap.
Documented Failures in Probabilistic Systems
The failures below are not anecdotes. They are court records, regulatory enforcement actions, and peer-reviewed research.
Mata v. Avianca (S.D.N.Y., June 22, 2023)
In a personal-injury suit in the Southern District of New York, plaintiff's counsel used ChatGPT to draft a brief. It cited six judicial decisions — none of which existed. The model fabricated case names, docket numbers, and quoted passages, and when asked whether the cases were real, it confirmed they “indeed exist.” Judge P. Kevin Castel sanctioned the attorneys, writing that “signing and filing that affirmation after making no 'inquiry' was an act of subjective bad faith.”8 The fabricated citations would not reliably recur on a re-query. There was no reproducible audit trail to begin with.
Moffatt v. Air Canada (BCCRT, February 14, 2024)
Air Canada's website chatbot told a grieving customer he could claim a bereavement fare retroactively — contrary to the airline's actual policy. The British Columbia Civil Resolution Tribunal held the airline liable. Tribunal Member Christopher C. Rivers rejected the airline's argument that the chatbot was a separate legal entity: “It should be obvious to Air Canada that it is responsible for all the information on its website. It makes no difference whether the information comes from a static page or a chatbot.”9 The deploying organization owns the consequence of every AI output.
The Stanford/RegLab study
Researchers ran 202 preregistered legal queries through three commercial RAG-based legal-research tools that vendors had marketed as near-hallucination-free. Lexis+ AI hallucinated on 17 percent of queries. Westlaw AI-Assisted Research hallucinated on 33 percent. The authors concluded the tools “each hallucinate between 17% and 33% of the time” and that “until vendors provide hard evidence of reliability, claims of hallucination-free legal AI systems will remain, at best, ungrounded.”10 Retrieval grounding — the industry's primary mitigation — does not close the gap.
SEC AI-washing enforcement
The SEC's first AI-washing enforcement actions landed on March 18, 2024, against Delphia and Global Predictions for claiming AI capabilities they did not have, with combined penalties of $400,000.11 In January 2025, the SEC charged Presto Automation — the first AI-washing action against a public company — for overstating an AI voice product that quietly relied on human workers.12 In April 2025, the case escalated to the criminal track: Albert Saniger, founder of Nate, was indicted in the first criminal AI-washing prosecution, accused of raising over $42 million on claims of autonomous AI shopping that was, in practice, performed by contract workers.13
The deeper pattern from model-risk history
Long-Term Capital Management collapsed in 1998 — a $4.6 billion loss and a Federal Reserve-organized bailout — because rigorous models built by Nobel laureates encoded false assumptions about stable correlations. JPMorgan's “London Whale” lost $6.2 billion in 2012 after the bank built a new value-at-risk model, in a spreadsheet, that “divided by their sum instead of their average,” halving apparent risk.14 Knight Capital lost $460 million in 45 minutes in 2012 when deterministic trading code lacked the controls to “monitor the output of its system.”15 The thread connecting all of these: an enterprise that cannot reproduce and inspect its own decisions cannot defend them.
An enterprise that cannot reproduce and inspect its own decisions cannot defend them.
The Deterministic-First Reference Pattern
The constructive answer is not to ban AI from finance. It is to put a deterministic core at the center of every analytical output — numbers, classifications, benchmarks — and to admit bounded probabilistic components only where they are genuinely additive, such as generating narrative language around figures that are already fixed.
Retrieval-augmented generation as the foundational hybrid pattern
The foundational hybrid pattern is retrieval-augmented generation. Lewis and colleagues introduced RAG at NeurIPS 2020 precisely because parametric-only models cannot “precisely manipulate knowledge” and because “providing provenance for their decisions” was an open problem.16 RAG grounds generation in an explicit, inspectable retrieval layer — a deterministic component bounding a probabilistic one.
Neuro-symbolic AI as the academic framing
The 2024 systematic review by Colelough and Regli describes neuro-symbolic AI as a framework that merges neural and symbolic methods to produce reasoning. Borrowing Kahneman's framing, the neural side is System 1 — “fast, intuitive, and parallel” — and the symbolic side is System 2 — “slow, deliberate, and sequential.”17 The review's most telling finding is a gap: explainability and trustworthiness are “less represented (28%)” in current research relative to learning and inference (63%).17 That gap is exactly where defensible financial systems must live.
Constrained generation as the bounding mechanism
The Microsoft and EPFL study on structured outputs shows that constrained decoding “guides the LM to sample only from valid tokens, ensuring that the final output perfectly conforms to a predefined structure,” while finding that “LM-only exhibits the lowest compliance rate, highlighting its unreliability as a standalone solution.”18 Structure can be enforced — but the deterministic verification layer still has to confirm semantic correctness.
Put a deterministic core at the center. Admit AI only where it is bounded and genuinely additive.
How to Evaluate Vendors
The buying question for any AI-for-finance vendor is not “is the AI accurate?” It is “can we reproduce and defend what it produced?” The five questions below separate vendors that can answer from vendors that cannot.
- 1
Which outputs are produced deterministically, and which involve a probabilistic model?
A vendor who cannot draw the line clearly does not have a defensible architecture — they have a marketing slide. Ask for the diagram. If every output is "AI-generated," the answer to every audit will be "we cannot reproduce that."
- 2
Can you reproduce an identical output for an identical input on demand?
For any analytical figure the vendor reports, ask them to run the same input twice and show you that the output strings match — character for character. If they cannot, the figure is not an audit-grade number.
- 3
If an LLM is involved, has output variance at temperature 0 been measured on your document types?
A vendor who has not measured this on their own pipeline is asking you to underwrite the variance.
- 4
Can the system reconstruct the full computation path for any past output?
Not the explanation generated retroactively when an auditor asks. The explanation that was logged at decision time, alongside the input and output, and retained for the regulatory retention period.
- 5
What independent validation exists for the system's outputs?
"Effective challenge" under SR 26-2 means an objective expert can stress-test the system. If the only people who can interpret the outputs work at the vendor, that condition is not met.
The buying question is not “is the AI accurate?” It is “can we reproduce and defend what it produced?”
Governance Appendix
The questions and tables below are designed for procurement, audit, and compliance teams evaluating an AI-for-finance vendor. Each item maps to either the NIST AI Risk Management Framework (NIST AI RMF 1.0) or to a clause of ISO/IEC 42001:2023.
Buyer's Diligence Checklist
GOVERN (NIST) / ISO 42001 Clauses 5–6
- Which outputs are produced deterministically and which involve a probabilistic model?
- Who at the executive level is accountable for AI risk decisions?
- Are legal and regulatory requirements for AI documented (NIST GOVERN 1.1)?
- Is there a documented AI management system aligned to ISO/IEC 42001?
- Has an AI system impact assessment been completed (ISO 42001 Clause 6)?
- Are the trustworthy-AI characteristics integrated into policy (NIST GOVERN 1.2)?
MAP (NIST) / ISO 42001 Clause 8
- For each analytical output, is the output type numerical, categorical, or narrative?
- Which outputs drive defensible decisions versus exploratory work?
- Where exactly does a probabilistic component sit in the pipeline?
- What is the intended use, and what are the documented out-of-scope uses?
MEASURE (NIST) / ISO 42001 Clause 9
- Can the vendor reproduce an identical output for an identical input on demand?
- If an LLM is used, has output variance at temperature 0 been measured?
- What is the measured hallucination rate on your document types?
- How is semantic correctness verified beyond structural schema compliance?
- Are explanations logged at decision time, or generated retroactively?
- What independent validation exists for the system's outputs?
MANAGE (NIST) / ISO 42001 Clause 10
- Can the system reconstruct the full computation path for any past output?
- What is the log-retention period, and does it meet the six-month minimum?
- How are model or rule changes versioned and recorded?
- Is there a human-review protocol between AI output and reliance on it?
- How are anomalies detected and how is processing halted on aberrant output?
- What is the corrective-action process for a nonconforming output?
- Can the vendor produce the exact explanation that applied 18 months ago?
- Are capability claims in marketing materials independently substantiated?
Mapping to SR 26-2
How a deterministic-core architecture aligns with the April 2026 joint Fed/OCC/FDIC guidance.
| SR 26-2 element | Deterministic-core alignment |
|---|---|
| Definition of "model" requires a statistical/economic/financial theory | Rule-based deterministic processes fall outside the model definition |
| "Deterministic rule-based processes" explicitly excluded | Core analytical engine qualifies for the exclusion |
| Generative/agentic AI out of scope, governance still applies | Bounded narrative layer is isolated and separately governed |
| Model validation assesses reliability and limitations | Deterministic outputs are reproducible, so reliability is directly testable |
| "Effective challenge" by objective experts | Transparent computation path enables independent challenge |
| Adequate documentation supports model risk management | Complete audit trail satisfies documentation expectations |
| Board-level accountability and model inventory | Clear inventory of deterministic vs. probabilistic components |
Audit-Trail Requirements
What an auditable AI system's logs must contain, grounded in EU AI Act Article 12 (record-keeping) and Article 19 (six-month minimum retention).
- Inputs — the exact input data for each output, timestamped.
- System version — the rule-set or model version that produced the output (per Article 12 lifetime logging).
- Computation path — the step-by-step deterministic computation, not a post-hoc approximation.
- Output — the produced result, with a reproducibility token allowing exact re-run.
- Explanation at decision time — the explanation that applied when the decision was made, retained alongside the output.
- Human review — who reviewed the output, when, and the disposition.
- Retention — logs kept for at least six months (Article 19); supporting technical documentation kept far longer where applicable.
- Retrievability — logs stored in a retrievable format that lets an examiner follow the chain from question to answer.
Sources & Further Reading
Primary sources only. Every claim above maps to a numbered entry below.
- 1.NIST Computer Security Resource Center. Definitions of "deterministic algorithm" and "stochastic." csrc.nist.gov/glossary
- 2.Atil, B., et al. "LLM Stability: A Detailed Analysis with Some Surprises." arXiv:2408.04667. Measured 15% accuracy variance at temperature 0 across five commercial LLMs. arxiv.org/abs/2408.04667
- 3.Federal Reserve, OCC, FDIC. SR 26-2 / OCC Bulletin 2026-13, "Guidance on Model Risk Management." Joint guidance issued April 17, 2026. federalreserve.gov
- 4.European Union. Regulation (EU) 2024/1689 (the "EU AI Act"). Recital 58, Articles 9, 11, 12, 13, 14, 17, 19. eur-lex.europa.eu
- 5.NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0). January 2023. nvlpubs.nist.gov
- 6.International Organization for Standardization. ISO/IEC 42001:2023, "Information technology — Artificial intelligence — Management system." iso.org/standard/81230.html
- 7.Bank for International Settlements, Financial Stability Institute. FSI Paper No. 24, "Regulating AI in the financial sector." September 2025. bis.org
- 8.Mata v. Avianca, Inc., No. 1:22-cv-01461 (S.D.N.Y. June 22, 2023). 678 F. Supp. 3d 443. Sanctions imposed for fabricated AI-generated citations. courtlistener.com
- 9.Moffatt v. Air Canada, 2024 BCCRT 149 (Civil Resolution Tribunal of British Columbia, February 14, 2024). civilresolutionbc.ca
- 10.Magesh, V., Surani, F., Dahl, M., Suzgun, M., Manning, C. D., & Ho, D. E. "Hallucination-Free? Assessing the Reliability of Leading AI Legal Research Tools." Stanford RegLab, 2024. Journal of Empirical Legal Studies. DOI: 10.1111/jels.12413. reglab.stanford.edu
- 11.U.S. Securities and Exchange Commission. SEC Press Release 2024-36, "SEC Charges Two Investment Advisers with Making False and Misleading Statements About Their Use of Artificial Intelligence." March 18, 2024. sec.gov
- 12.U.S. Securities and Exchange Commission. Charges against Presto Automation, January 2025. sec.gov/litigation
- 13.U.S. Department of Justice and SEC. Charges against Albert Saniger, founder of Nate, April 2025. First criminal AI-washing prosecution. justice.gov/usao-sdny
- 14.U.S. Senate Permanent Subcommittee on Investigations. "JPMorgan Chase Whale Trades: A Case History of Derivatives Risks and Abuses." March 15, 2013. hsgac.senate.gov
- 15.U.S. Securities and Exchange Commission. SEC Release No. 70694, In the Matter of Knight Capital Americas LLC. October 16, 2013. sec.gov/litigation/admin/2013/34-70694.pdf
- 16.Lewis, P., et al. "Retrieval-Augmented Generation for Knowledge-Intensive NLP Tasks." NeurIPS 2020. arXiv:2005.11401. arxiv.org/abs/2005.11401
- 17.Colelough, B. C., & Regli, W. "Neuro-Symbolic AI in 2024: A Systematic Review." 2024. arxiv.org/abs/2501.05435
- 18.Geng, S., et al. (Microsoft Research & EPFL). "Generating Structured Outputs from Language Models: Benchmark and Studies." 2025. arxiv.org/abs/2501.10868
All URLs verified as of June 2026. Where a primary source URL is not yet stable (e.g., agency press releases), the parent agency page is provided so the reader can locate the underlying document.
Last updated: June 2026 · Version 1.0