Board Governance

The AI Policy Your Board Actually Needs

Most AI policies approved by community bank and credit union boards won't help when AI actually starts causing problems. This article outlines what boards really need: practical...

Your institution probably has an AI policy by now. Most do. And if you're like most boards, you approved it after a 15-minute presentation that felt more like a legal document review than a strategic discussion.

But here's the thing about AI policies: the ones getting approved in most boardrooms won't help when AI actually starts causing problems.

Most AI policies read like someone took a data governance template and replaced "data" with "artificial intelligence." They talk about ethical principles and responsible use. They require committee approval for AI deployments. They mandate vendor assessments and risk ratings.

All good ideas in theory. None of them answer the questions your board will actually face when AI incidents happen.

The Questions Your Policy Doesn't Address

Last month, I reviewed AI governance policies from two dozen community financial institutions. Not one addressed the questions that keep examiners up at night:

How do you know when AI is making decisions in your institution? Not just the AI you deployed intentionally, but the AI running inside the software you've been using for years that recently got "enhanced" with machine learning features.

What happens when your loan officers start using AI to draft credit memos, and you discover it six months later during an exam? Is that a technology risk issue or an operational risk issue? Who owns the remediation?

When your call center platform adds an AI chatbot feature in a routine software update, does that trigger your AI policy approval process? What if you only find out about it when a member files a complaint about getting wrong information from "your" AI assistant?

These aren't hypothetical scenarios. They're playing out at community banks and credit unions right now. And the AI policies most boards approved aren't designed to handle them.

Why Most AI Policies Miss the Mark

The fundamental problem with most AI governance frameworks is they assume AI deployment is a discrete event. You evaluate a vendor. You assess the risk. You approve or reject the solution. Then you move on.

But AI doesn't work that way anymore. AI capabilities are getting embedded into existing systems through software updates. Your core processor doesn't send you a formal notification when it adds machine learning algorithms to its fraud detection module. Your lending platform doesn't ask for board approval when it deploys natural language processing to scan credit applications.

According to a 2025 survey by the Independent Community Bankers of America (ICBA), 78% of community banks were using AI in at least one operational area. But only 31% could identify all the AI systems active in their institution. The gap between AI usage and AI awareness is enormous.

The Credit Union National Association (CUNA) found similar patterns. Their 2025 technology survey showed 84% of credit unions under $1 billion in assets had AI functionality in their operations, but 47% described their AI governance as "ad hoc" or "under development."

That disconnect is what creates regulatory risk. Not the AI itself, but the governance gap around AI you didn't know you had.

Real-World AI Governance Failures

In 2024, a $2 billion credit union in the Midwest discovered during an NCUA examination that their member service platform had been using AI to route member calls for eight months. The AI was making decisions about which calls required human intervention and which could be handled through automated responses. The credit union had never evaluated this functionality, never assessed the fair lending implications, and had no monitoring in place to detect errors or bias.

The finding wasn't catastrophic, but it highlighted a governance blind spot that could have been much worse. The AI was making decisions about member access to services without any oversight or control.

That same year, a community bank in Texas realized their digital account opening platform had quietly added AI-powered identity verification. The AI was approving or flagging new account applications based on patterns it learned from historical data. When the bank finally audited the system, they found the AI had been rejecting applications from certain ZIP codes at higher rates. Whether this constituted disparate impact discrimination was unclear. What was clear was that the bank had no framework for detecting or addressing the issue.

I've experienced something like this myself, though in a different context. At AWS, working with banking clients implementing cloud infrastructure, we constantly found "shadow IT" situations where departments had adopted cloud services without going through proper evaluation processes. The technology worked fine. The business results were positive. But the governance gap created compliance exposure that sometimes took months to remediate.

The pattern is the same with AI. The technology gets deployed gradually, often without formal decision points, until suddenly you have significant AI functionality with no governance framework around it.

Building an AI Policy That Actually Works

The AI policy your board actually needs starts with inventory, not principles.

Start with discovery, not approval. Instead of creating a process for evaluating new AI deployments, create a process for discovering AI deployments that already happened. Require every department to audit their software stack quarterly and flag any functionality that involves automated decision-making, pattern recognition, or predictive analytics. You can't govern what you can't see.

Focus on decisions, not technology. Don't try to define AI (you'll get it wrong, and the definition will be outdated by the time you approve it). Instead, focus on automated decision-making that affects members, employees, or regulatory compliance. If software is making choices that used to require human judgment, it belongs in your AI governance framework regardless of the underlying technology.

Create AI incident response procedures. Traditional technology incident response focuses on system outages and security breaches. AI incidents are different. They might involve biased outcomes, unexplainable decisions, or gradual performance degradation. Your AI policy needs to define what constitutes an AI incident, who investigates it, and how you report it to regulators.

Establish AI monitoring requirements. Not just system monitoring (uptime, performance), but outcome monitoring. Are AI-driven decisions producing patterns that suggest bias? Are approval rates or rejection rates changing in ways that correlate with protected characteristics? Your policy should require regular analysis of AI decision outcomes, not just AI system health.
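As an added example (not from the article, and not any institution's actual monitoring code), here is the kind of outcome check this paragraph and the earlier ZIP-code case call for: approval rates per segment computed from a constructed decision log, compared against the best-rated segment using the 80% "four-fifths rule" as an assumed threshold, with a minimum-sample guard so small segments are reported rather than flagged, plus a period-over-period drift check for rates that shift over time.

```python
"""Outcome monitoring for automated decisions (added example, not from the
article). The 80% adverse-impact threshold (the 'four-fifths rule') and the
minimum sample size are assumed policy parameters; segments here are 3-digit
ZIP prefixes, but any field the policy designates works the same way."""
from collections import Counter


def _make(segment, approved, total):
    """Build constructed (segment, decision) rows: `approved` approvals, rest rejected."""
    return [(segment, "approve" if i < approved else "reject") for i in range(total)]


# Constructed sample decision log for one review period.
SAMPLE_LOG = (_make("750", 8, 10) + _make("751", 4, 10)
              + _make("752", 9, 10) + _make("753", 1, 2))


def approval_rates(log):
    """Per segment: (approval rate, number of decisions)."""
    total = Counter(seg for seg, _ in log)
    approved = Counter(seg for seg, d in log if d == "approve")
    return {seg: (approved[seg] / total[seg], total[seg]) for seg in total}


def adverse_impact(log, threshold=0.8, min_decisions=5):
    """Compare each segment's approval rate with the best-rated segment.
    Returns {segment: (status, ratio)}: 'ok', 'flag' (ratio below threshold)
    or 'insufficient_data' (too few decisions to judge)."""
    rates = approval_rates(log)
    eligible = [r for r, n in rates.values() if n >= min_decisions]
    reference = max(eligible) if eligible else 0.0
    report = {}
    for seg, (rate, n) in rates.items():
        if n < min_decisions:
            report[seg] = ("insufficient_data", None)
            continue
        ratio = rate / reference if reference else 1.0  # all-zero rates: treat as equal
        report[seg] = ("flag" if ratio < threshold else "ok", round(ratio, 3))
    return report


def rate_drift(previous_log, current_log, max_shift=0.15):
    """Flag segments whose approval rate moved more than max_shift between periods."""
    prev, curr = approval_rates(previous_log), approval_rates(current_log)
    return {seg: round(curr[seg][0] - prev[seg][0], 3)
            for seg in curr if seg in prev
            and abs(curr[seg][0] - prev[seg][0]) > max_shift}
```

A flagged ratio is a trigger for investigation under the incident procedure, not a finding of discrimination on its own; the segment field, threshold and minimum sample are the policy parameters the board should set explicitly.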

Mandate AI vendor transparency. Every vendor contract should include clear disclosure requirements for AI functionality. If they add AI capabilities to existing services, you need to know within 30 days. If their AI training data changes, you need to know. If their AI models get updated in ways that could affect decision patterns, you need to know. Vendors who won't commit to this level of transparency aren't vendors you should be using for AI-powered services.

Implementation That Actually Happens

The best AI policy in the world doesn't matter if it sits in a binder collecting dust. Implementation requires specific, measurable actions.

Appoint an AI inventory owner (usually your CTO or CIO, but it could be your compliance officer) and make it a performance metric. They should deliver a complete AI inventory to your board every six months, with newly discovered systems flagged for risk assessment.

Add AI governance to your internal audit rotation. Not a separate AI audit, but AI-related findings within existing audits. When internal audit reviews lending operations, they should evaluate AI-driven decision-making. When they audit customer service, they should assess AI-powered member interactions.

Include AI literacy in your board education program. Not deep technical training, but enough understanding to ask smart questions. Board members should know the difference between rule-based automation and machine learning. They should understand what algorithmic bias looks like and why explainability matters for regulatory compliance.

The Real Risk Isn't AI Failure

Here's what most boards miss: the biggest AI risk isn't that AI will fail catastrophically. It's that AI will work exactly as designed, producing outcomes you never intended because you weren't paying attention when it was deployed.

AI systems optimize for the patterns they see in historical data. If your historical data contains biases, your AI will amplify those biases. If your training data isn't representative, your AI decisions won't be representative. If you're not monitoring AI outcomes, you won't know when optimization starts producing discrimination.

The institutions that navigate AI successfully will be the ones that govern it proactively rather than reactively. That means building governance frameworks before you need them, not after examiners find problems.


Questions for board members and leaders thinking through AI governance:

1. Can your institution produce a complete inventory of AI systems currently in use? How confident are you that the inventory is actually complete?

2. What's your process for evaluating AI that gets embedded in existing vendor solutions through software updates?

3. How do you balance the need for AI governance with the reality that AI capabilities are proliferating faster than traditional approval processes can keep up?

Let me know how your institution is handling these challenges. The more we share, the better we all get at governing emerging technology.

#CommunityBanking #FinEdge #AIGovernance #BoardGovernance #RiskManagement
