Every routine bank examination now has an AI section. The OCC and Federal Reserve have made AI controls a standing item in their supervisory process, asking banks detailed questions about governance frameworks, data access limits, vendor oversight, and whether institutions can shut down AI systems if something goes wrong.

The questions aren’t vague. Supervisors want to know whether a bank’s AI can access or infer data beyond its authorized scope, a real risk with any large language model sitting on top of customer data. They want a credible answer on kill switches: can you actually turn this off? And they’re following the vendor chain down to subcontractors, asking whether third-party AI providers meet the same governance standards as the bank itself.

Here’s what this signals: the exam questions are today’s informal fact-finding and tomorrow’s formal checklist. The GAO confirmed in May 2025 that regulators were already conducting AI-focused examinations. Then in April, the OCC, Fed, and FDIC published revised model risk management guidance, explicitly setting aside generative and agentic AI for a separate forthcoming request for information, per OCC Bulletin 2026-13. When that RFI drops, the current questioning phase ends and the documentation requirements begin.

Seventy percent of banking CEOs plan to allocate 10% to 20% of budgets to AI this year, per KPMG. That spend is about to have a compliance cost attached. Banks that haven’t mapped their vendor AI chains (who their ML providers subcontract to and what data those subs can touch) don’t have a governance problem yet. They will.

The RFI hasn’t dropped. When it does, “we’re still figuring out our AI strategy” stops being a defensible exam answer.

Nathan Zakhary