Risk and governance
NCUA and AI Compliance
Research mandate
Governance and control guidance for credit unions adopting AI within existing regulatory, risk, and examination responsibilities.
Credit union leaders do not need a separate theory of governance for artificial intelligence. They need to apply established responsibilities for safety, soundness, consumer protection, information security, model oversight, and third party risk to systems that can behave differently from traditional software. The difficult work is translating those responsibilities into controls that match how a specific tool is used.
A member facing lending decision, an employee drafting assistant, and an internal search tool do not create the same risk. Their data, decision authority, potential harm, and audit requirements are different. A single institution wide rule will either be too weak for consequential uses or too restrictive for low risk productivity work. Effective governance starts with an inventory, a use case classification, and a named business owner. It then sets requirements based on the facts of each deployment.
Documentation is central. Leadership should be able to explain why the use case was approved, what data it can access, which outputs require review, how performance is tested, how incidents are handled, and when the tool will be suspended. The record should also identify the responsible vendor, material subcontractors, retention practices, security commitments, and contractual rights. This evidence helps compliance, internal audit, information security, and exam teams evaluate the system without reconstructing decisions after the fact.
Human oversight must be specific. A statement that an employee remains in the loop is not a control. The institution needs to define what the employee reviews, what evidence is available, which conditions require escalation, and how the review is recorded. The reviewer also needs enough authority, time, and training to disagree with the system. Otherwise, human review becomes a procedural label instead of a reliable safeguard.
This pillar tracks regulatory developments and converts them into practical questions for boards, executives, risk teams, and implementation owners. It focuses on governance structure, model and vendor oversight, consumer compliance, data protection, monitoring, and examination readiness. The aim is not to predict an examiner's conclusion. It is to help leaders build a defensible operating record before a question arrives.
Coverage framework
Questions this research addresses
Each area is examined through the operating realities of a regulated, member owned financial institution.
Risk classification
Match review depth and control requirements to data sensitivity, decision authority, member impact, and operational dependence.
Governance evidence
Maintain a use case inventory, approval rationale, testing record, monitoring plan, incidents, and accountable owners.
Examination readiness
Prepare clear answers about purpose, data, oversight, vendors, performance, consumer impact, and corrective action.