Critical applications in banking: Combining transformation, security and performance to drive resilience

At Bank Tech Day 2026 in Paris last April, I moderated a roundtable discussion titled "Critical Applications in Banking: Secure, Transform, Decide." The discussion revealed a strong conviction among participants: as transformation accelerates through AI, cloud technologies, and open ecosystems, banks must rethink how they balance innovation, risk management and operational resilience.

In this blog, I highlight the key application challenges discussed during the roundtable. According to CGI's 2026 Voice of Our Clients research, 46% of banking executives view legacy systems as a significant challenge. Modernization remains essential for improving agility, resilience and transformation outcomes.

Transformation accelerated by AI

Driven by AI and cloud, the modernization of banking systems is already well underway. However, with the rise of AI, it’s reaching a new stage—AI acts as an accelerator of transformation.

Because the most advanced capabilities are largely offered through external platforms, banks are increasing their use of cloud and specialized providers to better adapt to rapid changes in their environment. Architecture is becoming more open, distributed and modular. This evolution creates new opportunities, but it also makes the management of critical applications more complex.

AI also is redefining the role of CIOs. Less focused on internal operations, they’re becoming ecosystem orchestrators, responsible for assembling and managing multiple services to ensure the continuity and long-term robustness of systems.

Critical applications at the heart of decision-making

Not all applications carry the same level of importance. In banking, their criticality is based on a precise risk analysis of business impact, data sensitivity and regulatory constraints.

These criteria directly guide architecture and managed services decisions. Some applications remain highly internalized, while others become open to cloud environments, provided they meet strict requirements.

Another key factor is trust. Both bank customers and regulators expect tangible guarantees, particularly through certifications or security “badges” (e.g., ISO 27001, SecNumCloud, or sector-specific frameworks such as FS Cloud), which help secure operations in increasingly open environments.

A hybrid and sovereign technology landscape

Faced with this complexity, there’s no single solution. Banks are using a range of solutions, depending on their security challenges and associated constraints:

• Internal environments for the most sensitive assets
• Secure private clouds
• Sovereign clouds that address localization and control requirements
• Hyperscalers enhanced with specific safeguards

In this context, sovereignty is becoming a key decision criterion, although it’s still not clearly defined. It addresses regulatory requirements, as well as the need for control and trust, particularly for sensitive data and critical applications.

Compliance and security: The gap between requirements and effectiveness

In a highly regulated sector like banking, compliance and security are closely linked. Audits, certifications and frameworks provide an essential foundation for structuring these efforts. Robust controls, evidence and documentation also are required to meet regulatory expectations and customer demands.

In practice, however, compliance can consume a significant share of resources in an environment where controls are already extensive. The challenge isn’t to treat compliance and security as competing priorities, but to ensure they work together to reduce risk effectively and strengthen the bank’s ability to absorb, respond to and recover from incidents.

Back to top 

Toward more global, intelligent and automated control

With the rise of AI, new use cases are emerging and bringing governance issues back to the forefront. Control approaches, historically organized in silos across cybersecurity, data and compliance, are now showing their limits in the face of increasingly complex environments.

A shift is needed. We must move toward control mechanisms that are more global, coherent and multi-objective. This means going beyond separate control logic to implement systems capable of simultaneously covering several priorities: security, compliance, data management and the governance of AI use cases.

AI plays a key role here. It makes it possible to analyze massive volumes of data and detect anomalies. In doing so, it helps make these control systems more responsive and effective.

Reconciling transformation and risk control

Banks today must accelerate transformation while maintaining a high level of control. AI will only intensify this dynamic, creating significant opportunities while requiring banks to rethink their control and governance models. The challenge is no longer to choose between transformation and risk control, but to ensure they advance together in increasingly complex environments.

In this context, the challenge is no longer simply to secure critical applications, but to sustain the right balance over time. By aligning innovation with effective risk control, banks can strengthen customer trust, build sustainable performance and make resilience a lasting competitive advantage.

Partnering to advance

CGI supports banks in strengthening the resilience of their critical applications by combining expertise in cybersecurity, cloud and hybrid IT, responsible AI, sovereign AI, and more. We help financial institutions modernize securely, manage complexity and build the controls needed to support sustainable performance.

To learn more about how CGI can help your organization balance innovation, risk control and operational resilience, contact me or explore our banking capabilities on cgi.com.