§ Pillar guide·banks · captive finance · fintechs

AI Governance for Financial Services

AI governance for financial services is the program a US bank, captive lender, or fintech uses to make its AI and generative-AI systems defensible to examiners, the board, and enterprise procurement. It inventories every AI system, classifies each one by risk, and maps controls onto the supervisory expectations institutions already answer to: SR 26-2 model risk, third-party and vendor risk, fair lending under ECOA, Regulation B, and the Fair Housing Act, and UDAP. NIST AI RMF and ISO/IEC 42001 are used for procurement and board assurance, not as the things examiners supervise against. Because SR 26-2 places generative and agentic AI outside its model-risk scope, the duty to govern those systems falls to the institution's own risk-management practices, not to a single rulebook.

This page is the hub: the framework matrix below shows which authority governs which AI use, and each section links to the full guide on that topic.

§ Definition·one program, several regimes

What AI governance for financial services actually covers

It is not a second compliance program bolted onto the side of your bank. It is one defensible program that answers, with evidence, the questions an examiner, a risk committee, and an enterprise buyer will all ask about your AI.

For a financial institution, AI governance has four moving parts. The first is a current AI inventory that names every model, large language model, and generative system in use, including the shadow deployments nobody registered. The second is a risk classification that tiers each system by its impact and its regulatory exposure, so a model that informs a credit decision is treated differently from a tool that drafts internal email. The third is a control crosswalk that maps governance work onto the frameworks and supervisory expectations you already answer to, so one control set answers several regimes at once. The fourth is ongoing monitoring and documentation, because supervisors expect AI to be governed over its life, not signed off once and forgotten.

The reason this is harder than traditional model governance is that the supervisory map is fragmented. There is no single AI rule for US banks. Instead, different uses of AI fall under different authorities, and one system can sit under several at the same time. The matrix below is the fastest way to see which authority governs which use, and it is the practical asset this hub exists to provide.

§ Framework matrix·which authority governs which AI use

Which framework applies to which AI use

Map your AI by what it does, then govern it under the authority that reaches it. A single system can appear in more than one row.

AI use: A traditional model that informs a credit, pricing, or capital decision
What primarily governs it: SR 26-2 model risk (in scope) plus fair lending (ECOA, Reg B, Fair Housing Act)
What that means in practice: Inventory, independent validation, documentation, and ongoing monitoring; add bias and disparate-impact testing wherever the model touches credit.

AI use: A generative-AI assistant or LLM copilot used for drafting, summarizing, or search
What primarily governs it: Outside SR 26-2 scope; third-party risk, UDAP, and your own risk-management practices
What that means in practice: Govern it under an adapted approach: inventory, risk tiering, human review, and an acceptable-use policy. SR 26-2 does not reach it directly, and the carve-out is not a no-obligations void. If the assistant wraps or calls a traditional model, that underlying model stays SR 26-2 in-scope.

AI use: An agentic AI system that takes actions or chains tools
What primarily governs it: Outside SR 26-2 scope; third-party risk, fair lending if it touches credit, UDAP
What that means in practice: Same adapted governance plus action controls and full logging; the agencies have signaled a forthcoming AI-specific request for information that will address these systems directly.

AI use: A vendor-supplied or embedded AI feature
What primarily governs it: 2023 interagency third-party risk management guidance
What that means in practice: Due diligence, contract controls, and monitoring of the vendor. A vendor's ISO/IEC 42001 certificate is an upstream attestation, not coverage of your own deployment.

AI use: AI you place on the EU market
What primarily governs it: EU AI Act (risk-tiered obligations)
What that means in practice: Classify the system and map obligations to its tier. Relevant only if you place AI on the EU market, and it sits on top of the US supervisory stack, not instead of it.

AI use: Board and procurement assurance
What primarily governs it: NIST AI RMF; ISO/IEC 42001 (voluntary)
What that means in practice: Use these to demonstrate a managed program to your board and enterprise buyers. US examiners supervise AI through the supervisory stack above, not through ISO/IEC 42001.

The matrix makes one point that a sophisticated risk leader will recognize immediately: the carve-out in the model-risk guidance does not remove obligations, it moves them. Generative and agentic AI fall outside SR 26-2, but they remain subject to third-party risk guidance, fair lending law, UDAP, and your institution's own risk-management practices. Governing them is now your program's job, with an adapted approach rather than the documented-and-reproducible playbook traditional model risk was built on.

§ Model risk·SR 26-2 and the GenAI gap

Model risk under SR 26-2

The supervisory anchor for model risk changed in 2026, and it changed the boundary of what model-risk management is expected to cover.

SR 26-2, the Revised Guidance on Model Risk Management issued on 17 April 2026, supersedes SR 11-7 (2011) and SR 21-8. It is non-binding guidance that does not set enforceable standards; it is most relevant to banks above $30 billion in assets; and it explicitly excludes generative and agentic AI from its scope. The agencies signaled a forthcoming AI-specific request for information to address those systems. For the full breakdown of what changed and what banks need to do now, read SR 26-2 vs SR 11-7: what changed for AI model risk management.

Most banks still run machine-learning and AI systems that do behave like models in spirit, informing a credit, pricing, or capital decision. Those belong inside an adapted model-risk process: an inventory, independent validation suited to non-deterministic behavior, documentation, and ongoing monitoring. The practitioner walkthrough of how to extend model-risk discipline to AI lives in AI model risk management and SR 11-7.

The hardest case is the one SR 26-2 set aside on purpose. When generative and agentic systems take actions or chain tools, the question of what law still applies is answered by third-party risk, fair lending, and UDAP rather than the model-risk guidance. The control architecture for that gap is covered in agentic AI governance for banks and the SR 26-2 gap.

§ Frameworks·what to anchor to, and why

Frameworks and the difference between governance and compliance

Pick one primary framework to organize the program, then crosswalk to the rest. And be clear about which of the two jobs you are actually doing.

For a US financial institution, the most useful organizing framework is the NIST AI Risk Management Framework, because its Govern, Map, Measure, and Manage functions give the program a structure that maps cleanly onto supervisory expectations. How banks and fintechs operationalize it, function by function, is the subject of NIST AI RMF for financial services.

It also helps to separate two things that get conflated. Governing AI is the engineering and risk work of making a system behave and stay defensible; proving compliance is the evidence work of showing a regulator or a customer that you did. Readiness comes first, and the distinction matters for how you sequence the program. That split is unpacked in AI governance vs AI compliance in financial services.

§ The rest of the cluster·fairness · vendors · policy · cross-border

Fair lending, vendor risk, GenAI policy, and the EU question

Four obligations that apply regardless of what the model-risk guidance covers. These are where governance programs most often have gaps.

Fair lending and model validation

Fair lending law does not care whether a denial came from a scorecard or a neural network: a disparate-impact problem is a disparate-impact problem. Where AI touches credit, validation has to include bias and disparate-impact testing under ECOA, Regulation B, and the Fair Housing Act. The validation framework is laid out in the AI fair lending model validation framework for US banks.

Third-party and vendor AI risk

Most banks consume AI through a vendor rather than building it, which puts the 2023 interagency third-party risk guidance squarely in scope. A vendor's certificate is an upstream attestation, not coverage of how you deploy the system. The structured approach is in the third-party AI vendor risk assessment checklist for banks and fintechs.

Responsible GenAI use policy

For generative AI specifically, the first control most institutions need is a written acceptable-use policy that defines what staff can and cannot put into a model and how outputs are reviewed. The drafting guide is the responsible GenAI use policy for financial services.

The EU AI Act, for firms with EU exposure

If your institution places AI systems on the EU market, the EU AI Act adds risk-tiered obligations on top of the US supervisory stack, and your counsel owns the legal interpretation. What it means for US institutions is covered in the EU AI Act for US banks and fintechs.

§ By institution type·mapped to the regulators that examine you

Governance by institution type

Each financial-institution class answers to different examiners. Start on the page mapped to your charter.

Banks & captive finance
Sponsor banks (BaaS & fintech partnerships)
Credit unions (NCUA, no SR 26-2 rule)
Insurers (NAIC, NYDFS)
Broker-dealers (FINRA, Reg S-P)
RIAs (SEC exam readiness)

§ Next step·self-score, or scope a call

Find out where your AI program stands

Self-score your readiness in about ten minutes, or scope a fixed-fee engagement on a 30-minute call. Either way you leave with a clearer picture of the gaps.

Not ready for a paid engagement yet? Start with the free AI governance audit-readiness checklist: 14 self-scored items across NIST AI RMF, mapped to ISO/IEC 42001 and US supervisory expectations. When you are ready for senior-led work, the AI Governance Readiness engagement for banks and fintechs turns this hub into a defensible inventory, a risk classification, a gap assessment, and a remediation roadmap. To see exactly what that produces, walk through a redacted sample Snapshot deliverable. If the more urgent question is whether a deployed system can be broken, AI red teaming and LLM security testing is a separate engagement. All of the downloadable workbooks sit in the financial services compliance resource library.

§ What this is·and what it isn't

Readiness consulting. Not certification.

DSE provides AI governance and compliance readiness consulting and AI security testing. We are not an accredited certification body and do not issue ISO/IEC 42001 certificates or certify EU AI Act or NIST AI RMF compliance. Only accredited certification bodies or notified bodies do that.

We cannot guarantee passing an audit or avoiding enforcement, and we do not provide legal advice. We work alongside your counsel. Where we describe "mapping to" SR 26-2, third-party risk, fair lending, UDAP, NIST AI RMF, ISO/IEC 42001, SOC 2, or ISO 27001, that means advisory alignment, not certification.

All engagements are governed by a signed SOW / MSA that includes a limitation of liability. DSE prepares organizations for audit and does not certify. Established 2026.