Blog

Bank Examiner AI Governance Checklist: What Examiners Look For

A practical bank examiner AI governance checklist covering the documentation, MRM evidence, and program controls compliance officers need before the exam team walks in.

11 min read

Regulators are no longer treating AI as a future risk. When an OCC, FDIC, or Federal Reserve examination team schedules time with your institution, the bank examiner AI governance checklist they carry is specific, sequenced, and unforgiving of gaps. Compliance officers at regional banks and credit unions who wait until the pre-exam letter arrives to start gathering documentation consistently find themselves in remediation conversations they could have avoided. This post maps what examiners actually request, what MRM evidence satisfies their standards, and how to close program gaps before the exam date is set.


What Bank Examiners Actually Look For in an AI Governance Review

Examiners approach an AI governance review the same way they approach any safety-and-soundness examination: they want to see that risk is identified, measured, controlled, and reported through a documented, repeatable process. The AI compliance checklist they work from is not published as a single regulatory document, but it is reconstructable from interagency guidance, SR 11-7, the OCC’s model risk management handbook, and more recent joint statements on AI risk.

At the highest level, examiners are asking four questions:

  1. Does the institution know what AI systems it is running?
  2. Does it understand the risks those systems create?
  3. Does it have controls proportionate to those risks?
  4. Does senior management and the board receive meaningful reporting?

AI governance exam findings at banks that receive Matters Requiring Attention (MRAs) almost always trace back to a failure on one of these four dimensions — not to exotic technical failures, but to missing or incomplete governance infrastructure. A credit union that deployed a vendor-provided credit-decisioning model without a formal validation, for example, is exposed on questions two and three regardless of how well the model actually performs.

The practical implication: your AI compliance checklist needs to be organized around these four questions, not around a product vendor’s feature list or a consultant’s framework slide deck.


The Core Documentation Examiners Request on Day One

The first day of an AI governance exam is a document request day. Examiners will ask for a defined set of artifacts before they interview anyone. If those artifacts are not ready, the exam tone shifts immediately.

AI governance documentation requirements typically include:

  • AI/model inventory — A complete list of all models and AI tools in production, including vendor-provided and embedded models. Examiners expect this to cover credit, fraud, AML, customer service, and operational AI, not just internally built models. The inventory should show model purpose, owner, risk tier, and last validation date.
  • AI governance policy — A board-approved policy that defines what constitutes a model, how models are tiered by risk, who owns governance decisions, and what the approval workflow looks like.
  • AI governance risk register — A living document that maps identified AI risks to controls and control owners. Examiners will compare the risk register against the model inventory to check for gaps.
  • Third-party AI vendor due diligence records — Contracts, vendor risk assessments, and any SLAs or audit rights provisions relevant to AI vendors. With most community and regional banks relying heavily on fintech and core processor AI tools, this is a frequent exam focus.
  • Board and committee reporting — Minutes or materials showing that the board or a designated risk committee receives regular AI risk reporting. Examiners want evidence that governance is not siloed in the technology team.

AI compliance documentation requirements are not satisfied by a single policy document. Examiners expect a documentation ecosystem — inventory, policy, risk register, and reporting — that fits together coherently.

RelatedAI Governance Audit Readiness: How to Prepare for a Regulatory Examination


Model Risk Management and Validation Evidence Examiners Scrutinize

After the document request, examiners move to model risk management. This is where AI governance exam findings at banks most often surface, because MRM requirements under SR 11-7 are well-established and examiners know exactly what adequate validation evidence looks like.

What examiners expect to see for each material AI model:

  • Conceptual soundness documentation — Evidence that the model’s design and assumptions were reviewed before deployment. For a vendor model, this means the institution’s own review of vendor documentation, not just a vendor attestation.
  • Ongoing monitoring reports — Periodic performance reports showing that the model is behaving as expected in production. Examiners look for stability metrics, population drift analysis, and outcome monitoring. A model that has never been monitored since deployment is an automatic finding.
  • Independent validation records — Validation performed by someone independent of model development. For smaller institutions, this may be a third-party validator. Examiners will check that validation scope covered conceptual soundness, data quality, and outcome testing — not just a documentation review.
  • Model limitation disclosures — Documentation of known model weaknesses and how they are managed.
  • Findings and remediation tracking — Any validation findings should be tracked to resolution. An open finding with no remediation plan is a red flag.

The AI governance documentation standard for MRM is higher than many compliance officers expect. Vendor-provided models are not exempt. If your institution uses a vendor credit-scoring model, you are responsible for validating it or obtaining credible third-party validation — vendor documentation alone does not satisfy examiner expectations.


Building and Demonstrating an Ongoing AI Governance Program

Examiners distinguish between institutions that have governance documents and institutions that have governance programs. The difference is evidence of ongoing activity: training records, change management logs, monitoring cadences, and committee minutes that show the program is operating, not just documented.

How to implement AI governance in banking as a living program:

AI governance training program — Examiners will ask whether staff who own, use, or oversee AI systems have received training on AI risk and governance obligations. Training records should show who was trained, on what content, and when. Front-line staff using AI-assisted decisioning tools need training on limitations and override procedures; risk and compliance staff need deeper governance training.

AI governance change management in banking — Any material change to a model — retraining, threshold adjustment, new data inputs, vendor updates — should trigger a documented change management review. Examiners look for a change log that shows the institution is tracking model changes and assessing their risk implications before deployment, not after.

Ongoing monitoring cadence — Monitoring should be scheduled and documented, not ad hoc. Examiners expect to see a monitoring calendar and completed monitoring reports. The frequency should be proportionate to model risk tier: high-risk models warrant quarterly or more frequent review; lower-risk models may be reviewed annually.

Committee oversight evidence — AI governance committee charters, meeting minutes, and escalation records demonstrate that governance decisions are being made through a defined process. Examiners will ask who sits on the committee, how often it meets, and what decisions it has made.


Closing Gaps Before the Exam: A Prioritized Readiness Roadmap

Most regional banks and credit unions are not starting from zero, but they are also not fully examination-ready. The AI governance implementation roadmap below is sequenced by examiner priority — address the items at the top first, because those are the artifacts examiners request on day one.

Phase 1 — Inventory and Policy (Weeks 1–4)

Complete or update your AI/model inventory. Every model in production needs a record. If your inventory has not been updated in the past six months, assume it is incomplete. Simultaneously, review your AI governance policy against current interagency expectations.

Phase 2 — Risk Register and Vendor Due Diligence (Weeks 3–8)

Build or update the AI governance risk register against the completed inventory. For each model, document the risk tier, key controls, and any open issues. Pull vendor contracts and due diligence files for all AI vendors and identify any gaps in audit rights, SLA terms, or validation documentation.

Phase 3 — MRM Evidence (Weeks 6–12)

For each model in the high and medium risk tiers, confirm that validation records exist and are current. Commission third-party validation for any material model that lacks independent validation. Establish or document monitoring cadences and ensure monitoring reports are being produced and reviewed.

Phase 4 — Training and Change Management (Weeks 8–16)

Deploy or document the AI governance training program. Build the change management log and ensure the process for capturing model changes is operational. Confirm that committee oversight structures are in place and that meeting minutes are being maintained.

Phase 5 — Board Reporting and Dry Run (Weeks 12–20)

Produce a board-level AI risk report using the format you will present to examiners. Conduct an internal pre-exam review against the examiner checklist. Identify any remaining gaps and document remediation plans with owners and target dates.

Brine

Build, hire, and govern every AI system in your environment.

Describe a workflow in plain English and Brine builds it, runs it on your data, and governs every step — costing and attributing each action to its agent and model, with a pre-dispatch cap that holds a step before it overspends and a signed audit trail as standard.

Scope a pilot More resources