Navigating the AI Imperative
A Strategic Guide for Community Banks and Credit Unions
James L. Glueck, CFA, FRM
Managing Director, Arcsalus Advisors
May 2026

Introduction 

The deployment of artificial intelligence across American financial services is accelerating at a pace that commands the attention of every institution regardless of size. For community banks and credit unions—those institutions that serve as the financial backbone of countless localities and regions across the country—the question is no longer whether to adopt AI, but rather how to do so with discipline, deliberateness, and an appropriate appreciation for the risks involved. 

Three technological paradigms are discussed. The first, classic AI[i], encompasses the rules-based, algorithmic, and statistical models that have long underpinned credit scoring, fraud detection, anti-money laundering (AML) transaction monitoring, and interest rate risk modeling. The second, generative AI, encompasses large language models and related systems capable of producing text, summarizations, analyses, and other content in response to natural language prompts. The third, agentic AI, encompasses autonomous AI systems capable of executing multi-step workflows, making decisions, and taking actions with limited or no human intervention at each step. Each paradigm carries its own risk profile and governance demands.


The Landscape: Why AI, Why Now 

For a decade, federal bank supervisors have engaged directly with financial institutions of all sizes regarding their use of AI and related technologies. What has changed recently is the velocity of capability improvement and the competitive pressure that this velocity creates. Generative AI tools capable of drafting regulatory correspondence, summarizing examination findings, and analyzing commercial loan files have become commercially available at a cost accessible to community institutions. Simultaneously, financial crime has grown more sophisticated: deepfake fraud, synthetic identity schemes, and increasingly complex money laundering typologies have made manual compliance processes demonstrably insufficient against the current threat environment. 

The competitive dimension is equally significant. Larger institutions and well-capitalized FinTechs have moved aggressively into AI-enabled customer experience, credit decisioning, and operations. Community institutions that do not develop a coherent AI strategy risk ceding ground in precisely the areas—relationship lending, personalized service, responsive operations—where their competitive advantage has historically been concentrated. 

None of this is to say that adoption should be rash or reckless. The Federal Reserve’s Vice Chair for Supervision recently observed that regulators must “ensure that our supervisory guidance does not hinder access to and implementation of innovation” while simultaneously emphasizing that AI “presents clear risks” requiring proactive governance.[1] The message for community institution leadership is straightforward: proceed, but proceed with discipline.

[i] Also referred to as symbolic systems, logic-based programming, or top-down approaches.


Before Adoption: The Foundational Imperatives 

Conduct a Strategic AI Risk Assessment 

Before committing resources to any AI initiative, an institution’s leadership should commission a structured strategic risk assessment. The purpose of this assessment is not merely to catalogue risks but to establish the institution’s current AI adoption stage, identify existing governance gaps, and formulate a Target Operating Model (TOM) that is both ambitious and achievable. The U.S. Treasury’s Financial Services AI Risk Management Framework (FS AI RMF), adapted from the National Institute of Standards and Technology’s AI Risk Management Framework, provides the most authoritative and scalable foundation for this work.[2] The FS AI RMF organizes risk management around four core functions—Govern, Map, Measure, and Manage—each of which has direct applicability to community institutions regardless of size or sophistication.[3]

Critically, the assessment should encompass not only internal AI deployments but also those delivered by third-party vendors. A large and growing proportion of AI capability accessible to community institutions arrives pre-packaged within core banking platforms, loan origination systems, and compliance technology suites. Third-party delivery does not diminish institutional accountability; it recasts it as a vendor oversight responsibility. Revised interagency guidance on third-party risk management reinforces this principle. 

Establish Governance Before Deployment 

The revised model risk management interagency guidance clarifies that its scope applies narrowly to traditional models and classic AI applications.[4] Generative and agentic AI are explicitly excluded from SR 26-2’s requirements, with the expectation that institutions will develop governance and controls for these systems informed by their existing risk management practices. For community institutions, this creates both flexibility and responsibility. There is no prescribed governance template for generative and agentic AI, which means that institutions must construct one proportionate to their risk profile.

At a minimum, governance for AI should include a cross-functional AI oversight committee comprising representation from technology, compliance, risk management, lending, operations, and legal functions. This committee should establish a use case inventory documenting every AI system or application in production or under development, along with its purpose, data inputs, decision outputs, vendor relationships, and applicable regulatory requirements. Human-in-the-loop (HITL) requirements should be explicitly defined for every use case where AI output influences a consequential decision. 

Address Fair Lending and Consumer Protection Risks Proactively 

For the chief lending officer and the chief compliance officer, AI’s interaction with fair lending law and consumer protection regulation demands particular attention. AI-assisted credit underwriting, whether rules-based credit scoring or generative AI-assisted loan narrative preparation/support, carries the potential for algorithmic bias. Disparate impact analysis must be incorporated into the validation and monitoring protocols for any AI system that touches credit decisions, pricing, or customer-facing communications. The Equal Credit Opportunity Act and the Fair Housing Act impose strict requirements that are not lessened or relaxed given technological novelty. Regulators have made clear that the obligation to detect and remediate discriminatory outcomes is independent of the mechanism that generates them. 


During Adoption: Disciplined Implementation 

Match the Technology to the Use Case 

Not every business problem requires the same AI paradigm, and discipline in use case selection is a hallmark of successful early-stage adoption. Rules-based transaction monitoring, statistical credit scoring, and algorithmic rate-setting have a long track record in regulated financial services and are well understood by examiners. Generative AI offers compelling value in internal productivity applications such as document summarization, regulatory change analysis, policy drafting support, and customer service scripting. Agentic AI, systems that can autonomously execute workflows such as suspicious activity report (SAR) filing research, covenant compliance verification, or commercial loan spreading, carries the highest capability ceiling and the highest governance requirement. Institutions should sequence their adoption to build governance competency before deploying autonomous systems in risk-sensitive workflows.

Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT): A Critical Use Case 

For AML/CFT officers, AI represents both an operational imperative and a regulatory flashpoint. As transaction volumes grow and financial crime schemes become more sophisticated, AI-enabled transaction monitoring offers a materially superior detection capability relative to legacy rule-based systems. At the same time, any AI system used in the context of BSA[ii]/AML[iii] program execution must be documented, validated, and defensible to examination. The FS AI RMF’s guidance on data integrity, model bias, and explainability is directly applicable to AML model governance. AML/CFT officers should work closely with their chief risk and compliance officers to ensure that AI-assisted monitoring programs are supported by documentation sufficient to withstand supervisory scrutiny.

Data Infrastructure: The Enabling Constraint 

The efficacy of any AI system is bounded by the quality and completeness of the data it consumes. Community institutions frequently carry the legacy of disparate core systems, incomplete customer data, and non-indexed loan file archives. A candid assessment of data infrastructure readiness is a prerequisite to successful AI adoption. Chief information officers and chief financial officers should evaluate, in particular, data governance policies, data quality controls, access management, and the institution’s capacity to generate audit-ready documentation of AI model inputs and outputs. Investing in data infrastructure represents a foundation upon which AI value is built.

[ii] Bank Secrecy Act.
[iii] Anti-Money Laundering.


Following Adoption: Continuous Oversight 

Model Monitoring and Performance Validation 

AI systems, unlike static policy documents, evolve in their behavior as the data they process changes over time. Model drift—the degradation of model performance as real-world conditions diverge from training conditions—is a known risk across all AI deployments and a particular concern in the context of credit models operating through an economic cycle. Chief risk officers and their delegate AI officers should implement ongoing performance monitoring protocols that include quantitative performance metrics, periodic validation reviews, and defined thresholds for escalation and remediation. For generative AI systems, monitoring should encompass not only accuracy metrics but also output consistency, hallucination rates, and compliance with defined use boundaries. 

Regulatory Engagement and Examination Readiness 

Regulators at the Federal Reserve, OCC, and FDIC have signaled a constructive posture toward AI innovation, provided that institutions can demonstrate sound governance. Community institutions should treat examination preparation for AI as continuous rather than episodic. This means maintaining current, accessible documentation of AI system inventories, governance policies, validation records, vendor oversight materials, and incident logs. The Financial Stability Oversight Council’s AI series and the Treasury’s AIEOG[iv] deliverables, including the AI Lexicon and the FS AI RMF, provide useful benchmarks against which institutions may assess and document the maturity of their AI governance programs.[5]

Workforce Development and Cultural Readiness 

The sustainability of any AI program depends on the institution’s human capital. Staff at all levels, from customer-facing branch personnel to loan underwriters to compliance analysts, require education and training appropriate to their roles. Chief operating officers and chief human resources officers should develop training programs that address not only the mechanics of AI tools but the judgment required to recognize when AI output warrants human review. A culture of informed skepticism toward AI output, what regulators characterize as “effective challenge”, is as important an institutional asset as any specific applied or adopted technology.

[iv] Artificial Intelligence Executive Oversight Group.


Conclusion 

Artificial Intelligence offers community banks and credit unions a genuine opportunity to improve the efficiency, accuracy, and effectiveness of core operations, from credit underwriting and fraud detection to customer service and compliance monitoring. Realizing this opportunity requires disciplined governance, honest self-assessment, and sustained executive engagement. It also requires clear-sighted thinking regarding the risks involved, including algorithmic bias, data integrity failures, model hallucinations, and the operational and reputational consequences of autonomous systems behaving in unintended ways.

The regulatory environment, while evolving, is navigable. Supervisors have expressed a clear commitment to enabling responsible innovation at institutions of all sizes. Community institutions that invest in structured risk assessment, sound governance, and continuous monitoring will be well positioned both to benefit from AI’s capabilities and to satisfy their supervisory obligations. Those that adopt AI without adequate preparation will face compounding exposure that no subsequent remediation can fully reverse. The path forward is open and well-illuminated; the task for community institution leadership is to walk it deliberately. 

[1] Bowman, Michelle W., Vice Chair for Supervision. “Artificial Intelligence in the Financial System.” Remarks at the Financial Stability Oversight Council AI Series Roundtable on Cybersecurity and Risk Management, Washington, D.C., May 1, 2026. Board of Governors of the Federal Reserve System. https://www.federalreserve.gov/newsevents/speech/bowman20260501a.htm
[2] U.S. Department of the Treasury, AI Executive Order Guidance. “Treasury Releases AI Lexicon and Financial Services AI Risk Management Framework.” March 2026. https://home.treasury.gov/news/press-releases/sb0401
[3] Cyber Risk Institute. Financial Services AI Risk Management Framework (FS AI RMF), adapted from the NIST AI Risk Management Framework (NIST AI RMF 1.0). Available at https://cyberriskinstitute.org
[4] Board of Governors of the Federal Reserve System, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation. SR Letter 26-2: Supervisory Guidance on Model Risk Management. April 17, 2026.
[5] National Institute of Standards and Technology. NIST Special Publication 1308: Cybersecurity Framework 2.0 – Cybersecurity, ERM, and Workforce Management Quick-Start Guide. U.S. Department of Commerce.
