For the first time, more American businesses are paying for Anthropic's Claude than for OpenAI's ChatGPT. According to the Ramp AI Index released this week, Anthropic's business adoption rose to 34.4% in April — surpassing OpenAI's 32.3%. The shift is particularly acute in financial services, where Anthropic has been moving aggressively.
Last week, Anthropic held an invite-only briefing in New York and debuted Claude Opus 4.7 — a model positioned specifically for financial work. Days before that, it announced a $1.5 billion joint venture with Goldman Sachs, Blackstone, and Hellman & Friedman to embed Claude directly into the operations of the firms' portfolio companies. The message to Wall Street: Claude is your AI layer now.
For CISOs and Chief Risk Officers at banks, insurers, and asset managers, this creates a governance problem that most compliance teams aren't yet framing correctly.
The Gap Between Adoption and Governance
Enterprises are adopting Claude fast. But the speed of model adoption is outpacing the governance infrastructure required to use it safely in regulated environments.
Claude doesn't know your firm's policies. It doesn't know which client data is off-limits for a given workflow. It doesn't know whether an analyst's prompt contains material nonpublic information (MNPI). It doesn't know that your OCC examination guidance requires an audit trail of every AI-assisted decision.
The model is capable. The deployment context is ungoverned.
As one CIO analysis noted this week: "Enterprise AI isn't plug-and-play because it needs deep integration with internal data, workflows, and governance systems." That gap between model capability and real-world governance is exactly where compliance failures incubate.
What Regulators Expect
The OCC, FFIEC, and NAIC have been explicit that AI use in regulated financial services requires:
- Model risk management — SR 11-7 guidance applies to AI-assisted decisions, not just traditional models
- Audit trails — examiners expect to see what the AI was asked, what it returned, and what decisions followed
- Policy enforcement — employees using AI tools for client-facing work must operate within documented, enforced guardrails
- Data handling controls — PII, MNPI, and customer financial data require access controls that the model itself cannot enforce
None of these requirements disappear because the AI is Claude instead of a homegrown model. If anything, the fact that Claude is now deeply embedded in financial workflows — via Goldman's portfolio companies, via Anthropic's pre-built FS agents — makes the governance gap more urgent, not less.
The Governance Layer Anthropic Doesn't Provide
Anthropic sells capability. What it doesn't sell — and explicitly isn't trying to sell — is the governance enforcement layer your compliance team needs between the model and your employees.
That layer includes:
- Real-time policy enforcement at the point of use — blocking or flagging prompts that contain regulated data before the query reaches the model
- Per-user and per-team policy configuration — different guardrails for trading desk vs. wealth management vs. compliance teams
- Immutable audit logging — a record of every AI interaction, attributable to a specific user, retained for the period your examiners expect
- Shadow AI visibility — knowing when employees are routing around your sanctioned Claude deployment to use personal accounts or consumer-tier tools
These aren't features Anthropic will build. They're compliance infrastructure — and the window to put them in place before examiners start asking for evidence is closing.
What This Means for Your 2026 AI Risk Program
If your institution is in the 34% of businesses now paying for Claude — or planning to be — your AI governance program needs to answer four questions:
- Who is using Claude, for what, and with what data? If you don't have visibility, you don't have governance.
- Are your AI use policies enforced in real time, or just written in a PDF? A policy that employees can route around isn't a control.
- Do you have an audit trail an examiner can read? Not model logs — interaction-level records, attributable to individuals.
- What happens when an employee pastes client data into a personal Claude account? If the answer is "we hope they don't," that's a gap.
Containment.AI enforces AI governance policies at the point of use — in the browser and at the API layer — with per-user controls, real-time blocking, and immutable audit logs built for regulated environments.