§ For federally insured credit unions·NCUA AI governance

AI Governance for Credit Unions

AI governance for credit unions is the program a federally insured credit union uses to make its AI and generative-AI systems defensible to NCUA examiners, the board, and its members. The honest starting point is what does not exist: there is no NCUA model-risk rule equivalent to the banking agencies' SR 26-2. The NCUA has not adopted SR 11-7 or SR 26-2, and as of mid-2026 no formal NCUA AI model-risk regime exists. Your AI is instead governed by the lenses NCUA already examines: cybersecurity under Part 748, third-party risk, fair lending, UDAAP, and BSA/AML, organized with the NIST AI Risk Management Framework.

This page maps each credit-union AI use to the existing lens that already governs it, so you can govern AI honestly without inventing a rule that is not there.

§ The pressure·what NCUA has, and what it does not

The regulatory pressure on AI at a credit union

A credit union does not sit under a dedicated AI model-risk rule the way a large bank now sits under SR 26-2. It sits under the examiner, the board, and a set of existing obligations that AI touches all at once.

Start with the differentiator, because it is the whole point of this page. There is no NCUA model-risk rule equivalent to SR 26-2. In GAO report 25-107197 (May 2025), the GAO recommended that the NCUA develop model-risk management guidance. NCUA staff concluded that a model-risk-only focus would not fit all credit-union AI use cases and that imposing any new requirements would require formal rulemaking. The practical result, as of mid-2026, is that the NCUA has issued no binding AI model-risk regime. Any page that tells you a credit union must comply with SR 11-7 or SR 26-2 is wrong: those are banking-agency instruments, and the NCUA has adopted neither.

What does exist, and what actually frames an exam, is the NCUA's artificial intelligence resource page. It directs credit unions to identify and monitor AI-specific risks, to weigh the fair-lending, discrimination, and consumer-protection implications of AI, to use the NIST AI Risk Management Framework and CISA AI-security practices, and to apply the NCUA's existing third-party guidance: Letter 07-CU-13, Evaluating Third Party Relationships, and Letter 01-CU-20, Due Diligence Over Third Party Service Providers. The NCUA has also published an AI Compliance Plan that governs its own use of AI and presents itself as a responsible-AI template you can borrow from.

The exam touchpoints follow from existing law, not from a new AI rule: cybersecurity under Part 748, third-party management under 07-CU-13 and 01-CU-20, fair lending wherever AI touches underwriting, pricing, marketing, or collections, UDAAP in member-facing AI, BSA/AML and OFAC, governance and board oversight, and data privacy. The matrix below maps each of those lenses to the evidence it expects. One honest qualifier: NCUA exam practice and the agency's AI resources track many of the same themes as the banking agencies' model-risk guidance, but there is no formal NCUA AI model-risk rule equivalent to SR 26-2 at this time. Examiners are reported, in industry commentary rather than official NCUA text, to evaluate AI governance along SR 11-7-style lines (an inventory, risk-tiering, validation, and monitoring). Treat that as practical examiner behavior to prepare for, not a codified rule you must cite.

§ Lens matrix·which existing rule governs which AI use

Map each AI use to the lens that already governs it

Because there is no single NCUA AI rule, governance means mapping each AI use to the existing NCUA or federal authority that reaches it, then assembling the evidence that authority expects. A single system can appear in more than one row.

Each entry below gives the credit-union AI use, the existing lens that governs it, and the evidence to assemble.

AI use: AI or machine learning in member credit underwriting, pricing, or collections
Governing lens: Fair lending (ECOA, Regulation B, and the Fair Housing Act), plus safety and soundness
Evidence to assemble: Adverse-action reasons traceable to the model, disparate-impact and proxy testing, model documentation and assumptions, and a record of human review over overrides and exceptions.

AI use: Member-facing chatbots, generative-AI assistants, and AI-generated marketing copy
Governing lens: UDAAP and consumer protection
Evidence to assemble: Disclosure and accuracy review, substantiation for any claims, a human-review step, complaint monitoring, and retained records of what the assistant told members.

AI use: Any AI system that touches member data or runs on credit-union infrastructure
Governing lens: Cybersecurity and IT under NCUA Part 748 and its security-program appendices
Evidence to assemble: AI folded into the information security program and risk assessment, access controls and logging, an incident-response path, and a security program reported to the board.

AI use: Vendor-supplied or embedded AI (core processor, fraud tool, lending or chat platform)
Governing lens: Third-party due diligence under NCUA Letters 07-CU-13 and 01-CU-20
Evidence to assemble: A vendor due-diligence file that names what the AI does and what data it touches, contract controls, ongoing monitoring of model changes, and a documented exit plan.

AI use: AI in BSA/AML transaction monitoring, fraud detection, or sanctions screening
Governing lens: BSA/AML and OFAC
Evidence to assemble: Model and tuning documentation, above-the-line and below-the-line threshold testing, an alert-to-SAR audit trail, and validation of OFAC screening logic and match rates.

AI use: The AI program overall (ownership, accountability, and board oversight)
Governing lens: Safety-and-soundness governance and board oversight
Evidence to assemble: A current AI inventory, risk-tiering of each system, named accountability, a board-level AI and risk policy, and monitoring evidence that the program runs over time.

AI use: Member nonpublic personal information used by, or to train, an AI system
Governing lens: Data privacy (GLBA privacy provisions under NCUA Part 716), with member-data safeguards under Part 748
Evidence to assemble: Data-flow mapping, purpose limits and retention rules, member-NPI handling controls, and a record of exactly what data feeds each model.

The point a credit-union risk leader will recognize at once: the absence of an NCUA AI rule does not mean the absence of obligations. The obligations live in the rules you already answer to, and the governance job is to find them, map your AI onto them, and assemble the evidence each one expects.

§ The distinction·why this is not the bank SR 26-2 story

Why a credit union is not on the SR 26-2 path

If you have read our banking page, the difference is structural and it matters for how you defend your AI in an exam.

A bank above roughly $30 billion in assets now sits under SR 26-2 model risk, the April 2026 guidance that replaced SR 11-7 and carved generative and agentic AI out of its scope; the bank story is about a rule that exists and a gap inside it. The credit-union story is different: there is no AI model-risk rule to carve anything out of. NCUA examiners reach your AI through the existing lenses in the matrix above, and the GAO recommendation plus the NCUA staff response confirm that any new AI requirements would have to come through rulemaking that has not happened.

So a credit union should not buy a program written for the bank SR 26-2 regime and assume it fits. The right program is anchored to Part 748, the third-party letters, fair lending, BSA/AML, and consumer protection, organized with the NIST AI RMF for structure and the CISA practices for AI security, and it prepares for the SR 11-7-style themes examiners are reported to apply while being precise that those are practical examiner behavior, not an adopted NCUA rule. For an examiner, honesty about what does not exist is a sign the program was built by someone who read the actual authorities.

§ What you get·control-mapping, not certification

What DSE actually delivers

Not a parallel compliance program and not a binder of templates. A defensible AI governance program built onto the exam lenses your credit union already answers to.

The fastest way to fail an AI governance engagement is to stand up a second compliance program nobody maintains. We do the opposite: we map AI governance onto the controls you already run for Part 748, your third-party program under 07-CU-13 and 01-CU-20, fair lending, and BSA/AML, with a crosswalk so one control set answers several lenses. On that foundation we build what an examiner, a board, and your members depend on: a defensible AI inventory that names every model and generative system in use, including the shadow-AI nobody registered; a risk classification that tiers each system by member impact and regulatory exposure; an audit-readiness gap assessment against the NCUA and federal lenses in the matrix, organized with NIST AI RMF; and a remediation roadmap that closes the highest-risk gaps first.

The emphasis throughout is control-mapping and readiness. DSE prepares your program for audit and assembles the evidence; we do not certify, we do not promise you pass an exam, and we never describe a program as examiner-ready, because no honest advisor can guarantee an examiner's conclusion. If the more urgent question is whether a deployed system can be broken rather than whether it can be governed, AI red teaming and LLM security testing is a separate engagement, and because most credit unions consume AI through a vendor, the discipline behind the third-party row of the matrix is laid out in our third-party AI vendor risk assessment checklist.

§ How we engage·snapshot → managed → fractional officer

A ladder that matches how far along you are

Most credit unions start with a fixed-fee diagnostic, then decide whether to run the roadmap themselves or keep a senior owner on the program. You choose the depth.

Start here · fixed fee

Governance Readiness Snapshot

A fixed-fee diagnostic: an AI inventory, risk classification, a gap assessment that maps each AI use to its NCUA or federal lens and to NIST AI RMF, and a prioritized remediation roadmap. You leave with a defensible picture of where you stand.

Keep it current · retainer

Managed Governance

A retainer that runs the roadmap with you: control testing, registry upkeep, and third-party-AI monitoring as your models, prompts, and vendors change. The program stays current instead of going stale in a drawer.

Own it · ongoing accountability

Fractional Officer (vCAIO)

A fractional AI governance officer who owns accountability over time, keeps policy current as NCUA guidance moves, reports to the board and supervisory committee, and is the senior name on AI governance when an examiner calls.

§ Why DSE·senior-only, with public IP

Why DSE

A small firm of senior practitioners, established 2026, that builds the tools it governs with.

Engagements run on a senior-only bench: the person who scopes the work does the work, and the person in the room with your board and supervisory committee is the person who wrote the gap assessment. For a credit union, where the AI question is new and the regulatory picture is still forming, that depth matters more, not less. The firm also ships authored open-source IP: mcp-warden is DSE's public MCP supply-chain integrity gate, which pins a tool surface, fails on drift, and inspects what a third-party tool returns at runtime, exactly the discipline a credit union needs to vet the third-party AI inside its core, fraud tools, and lending and chat platforms. We govern AI by building the controls that govern AI. Established 2026, operator-led, and accountable on paper under a signed SOW or MSA.

§ Next step·self-score, or scope a call

Find out where your AI program stands

Self-score your readiness in about ten minutes, or scope a fixed-fee engagement on a 30-minute call. Either way you leave with a clearer picture of the gaps.

Not ready for a paid engagement yet? Start with the free AI governance audit-readiness checklist: 14 self-scored items across NIST AI RMF, mapped to ISO/IEC 42001 and US supervisory expectations. It will tell you, in plain terms, where the gaps are before an examiner does.


Regulatory content last reviewed: June 2026 · Maintained by DSE · Next review on material change to NCUA AI guidance or the issuance of any NCUA AI model-risk rulemaking.

§ What this is·and what it isn't

Readiness consulting. Not certification.

DSE provides AI governance and compliance readiness consulting and AI security testing for federally insured credit unions. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify NCUA, NIST AI RMF, or fair-lending compliance. Only the relevant regulator or an accredited certification body can attest to that.

There is no NCUA model-risk rule equivalent to SR 26-2, and we do not represent that the NCUA has adopted SR 11-7 or SR 26-2. Where we describe mapping AI to NCUA Part 748, Letters 07-CU-13 and 01-CU-20, fair lending, UDAAP, BSA/AML, or the NIST AI RMF, that means advisory alignment, not certification. We cannot guarantee passing an examination or avoiding a finding, we do not provide legal advice, and we work alongside your counsel.

All engagements are governed by a signed SOW / MSA that includes a limitation of liability. DSE prepares organizations for audit and does not certify. Established 2026.