In less than two years, BPCE has shifted from a defensive control posture to a logic of gradual industrialization of generative AI, anchored to its Vision 2030 strategic plan. The challenge is not merely technological. It is organizational, social, regulatory and, above all, economic. The group claims massive adoption of assistants, while maintaining marked caution on “agentic” AI, deemed still too immature for large-scale deployments.
This trajectory sheds light on a central question for the European banking sector: how to capture rapid productivity gains without degrading service quality, compliance, or control of technological dependencies?
Three structural convictions: human, quality of use, selection
BPCE summarizes its doctrine around three convictions: people first (maximum appropriation), quality of use as a source of value (efficiency and economic value), and selection (prioritizing use cases) rather than undifferentiated deployment.
This triptych is revealing. It places change management on the same level as infrastructure. It also introduces a portfolio logic: one does not “do AI”, one chooses AI products, with target users, journeys, metrics, and a profitability horizon.
“AI for all”: MAiA as a platform, not just a chatbot
The “AI for all” program is embodied in MAiA, presented as an internal “Secure GPT” launched in 2023. The tool has become a platform: prompt libraries, personalized assistants, awareness and training modules. BPCE indicates that it has trained or familiarized approximately 45,000 employees with AI, and that it is reaching its adoption target (50% by end of 2026) one year ahead of schedule.
Strategic point: MAiA is not an isolated product, but a hub that structures the standardization of practices (prompts, guardrails, reusability) and the dissemination of skills. This reduces the risk of “shadow AI” and promotes instrumented rather than declarative governance.
Critical question: how does BPCE measure the quality of prompts and responses (accuracy, compliance, bias), beyond usage volumes?
A “multi-model” and “multi-cloud” architecture, under sovereignty constraint
On the technical level, BPCE makes several models available (OpenAI, Anthropic, Mistral AI, Google Gemini) via “secured” cloud environments (Microsoft Azure and Google Cloud). For the most sensitive data, the group also mentions an internal model execution capability, with a “small farm” of approximately 40 GPUs in its data centers, and a vector database deployed internally for confidential documents.
This combination outlines a compromise strategy:
- Performance and speed via leading models accessible in the cloud, but under controlled tenants.
- Confidentiality via internal execution on critical perimeters.
- Reversibility through supplier diversification and partner “selection”.
The tension on sovereignty also appears in the data ecosystem: BPCE describes the need to control dependencies, particularly vis-à-vis American players, which pushes toward “dual” architectures.
In the background, supervisory expectations on cloud outsourcing are strengthening (risk management, governance, continuity, concentration).
“Transformative AI”: five domains, a ROI promise, metrics
Alongside general-purpose tooling, BPCE structures a “transformative AI” program that prioritizes five domains: AI for advisors, contact centers, simplification of digital experience, fraud prevention, AI for IT functions.
The most salient point is the profitability logic: “for one euro invested, one euro gained” over a short horizon, with metrics in place, without disclosing invested amounts.
This reflects a capital allocation approach: AI is treated as an investment portfolio, arbitrated based on observed returns.
Critical question: which metrics truly dominate the arbitration? Time savings, cost reduction, revenue increase, risk reduction, customer satisfaction, or reduction of internal pain points?
The augmented advisor: documentation, eligibility, reporting, opportunities
BPCE indicates that 75% of advisors use AI. The described use cases cover the three phases of the relationship: preparation (customer knowledge, access to documentation), in-meeting assistance (product eligibility, response reliability), then post-meeting (reporting, restructuring, identification of commercial opportunities).
The expected benefit is twofold: more proactivity and more useful time with the customer. But this axis is also the most sensitive: AI touches on recommendations, and therefore the risk of misinformation, and the traceability of decisions.
Here, AI risk management frameworks become structural (risk analysis, mitigation measures, governance throughout the lifecycle), consistent with the AI Act for high-risk cases and with trust frameworks (e.g., NIST AI RMF).
Customer relationship centers: voicebots and summaries, with human control
In CRCs, BPCE describes seven major use cases, including voicebots that processed one million calls out of twelve million, and automatic exchange summary systems.
For insurance, after ten months in production, 85% of summaries are reportedly validated without modification, with a 10% decrease in average handling time.
The interesting data point is not just productivity; it is the level of operational acceptance. Validation “without modification” is a proxy for trust, but it can mask a risk of automation complacency if teams review less carefully as the tool appears to “work well”.
Critical question: how does BPCE avoid the erosion of control (automation bias) when pressure on handling times increases?
Digital experience: a customer assistant, already at scale
On the customer side, BPCE integrates generative AI into Banque Populaire and Caisse d’Épargne mobile applications to answer questions by referring to relevant documentation. The group claims more than one million customer users, with a gradual deployment to business customers.
This product choice is cautious: the assistant is framed by documentation, which limits hallucinations and strengthens auditability. It resembles a “RAG-first” strategy (retrieval-augmented generation) rather than a free conversational agent.
Natixis CIB: RAG as a decision brick, under enhanced surveillance
In investment banking, the GeorgIA assistant (Natixis CIB) is presented as powered by a RAG mechanism, initially to explore voluminous documents (internal and external) and conduct macroeconomic analyses. The tool is also used to produce credit memos serving as the basis for financing decisions on very high amounts.
This changes the nature of the risk: one moves from “office” productivity gains to direct decision support. In this context, surveillance, explainability and managerial accountability requirements in financial services become critical.
Critical question: what is the exact status of the produced memo (draft, recommendation, analysis), and what level of traceability links each assertion to sources?
IT and developers: an open source choice to limit intrusion
BPCE also equips its developers: approximately 1,500 reportedly have access to code assistance integrated into the IDE, based on a fork of the open source tool Continue, after testing tools deemed “intrusive”. The stated ambition is to deploy to all the group’s developers.
This point relates to the open source culture described on the data side, and to the search for better control of technical chains. In banking, code assistants are accelerators, but also a new risk vector (code leaks, licenses, vulnerabilities). The “fork + control” strategy is consistent with a control posture.
The data foundation: a scale problem… addressed by communities, not top-down
The article on the data ecosystem is, in reality, the organizational mirror of the AI strategy. BPCE describes itself as a mosaic of entities, DNA and information systems (IS): legacy on-premises, public cloud, varied practices, and complexity increased by the sovereignty constraint.
Faced with this, BPCE rejects centralized “directive” governance. The choice is “bottom-up”: cross-functional communities to disseminate standards and best practices in a scalable manner. The “Big Data Community” created in 2017 is the first building block, with a platform economic model where each participant pays the same quota and has the same voice in developments.
The system then extends to cloud communities (GCP), data architecture, tools (Power BI, Dataiku), with certification and internal relay logic: the mission shifts from support to “empowerment”.
And to avoid insularity, BPCE opens up to external communities (Google Cloud Customer Community) and open source, notably via TOSIT.
Critical question: how does BPCE arbitrate between local freedom (which promotes adoption) and standardization (which reduces risks) when AI touches on decisions and compliance?
AI agents: an acknowledged horizon, but “a few months of experimentation” first
BPCE is preparing for agentic AI, but with caution. AI agents are described as “at best in development or R&D”. Oney is reportedly testing an agentic AI experience on the financing journey, while the group is also exploring back-office operations and internal controls, allowing a few months of experimentation before scaling: time to implement security procedures and verify robustness.
This caution is rational: agentic AI increases the risk surface (autonomous actions, cascading errors, security, audit), and calls for control mechanisms closer to critical systems engineering than simple assistant deployment.
Social dimension: a GEPP framework integrating AI
Finally, BPCE integrates AI into social dialogue via a GEPP agreement incorporating a component on artificial intelligence, signed in July 2025. The associated HR discourse emphasizes AI that assists and does not replace, by “removing pain points” to put the employee back at the heart of their work.
The challenge here is credibility: lasting acceptance will depend on the ability to prove that productivity gains translate into work quality, skills, and career paths, not just cost compression.
What BPCE’s strategy reveals about the near future of European banking
BPCE traces a pragmatic, structured path, quite representative of a European bank under constraints: rapid adoption, multi-model architecture, ROI management, industrialization by domain, and socio-technical governance via communities.
But the shift from “assistant” mode to “agent” mode will be a change in nature. It will require reinforced rigor: lifecycle risk management, explicit accountability, auditability, and control of cloud outsourcing.
Sources:
https://www.lemagit.fr/etude/Adoption-de-lIA-generative-BPCE-fait-un-gros-point-detape
https://www.lemagit.fr/etude/BPCE-federe-un-ecosysteme-Data-complexe




