June 2, 2026
The Governance Spine connects five layers, Appetite, Strategy, Controls, Evidence, and Reporting, into one defensible chain. When AI governance fails an exam, it is almost always because one layer is disconnected from the next.
May 26, 2026
Most governance practitioners use AI to draft faster. The higher-leverage move is to use it as a structured challenger. Here is the method, the discipline, and what it changes about the work.
May 19, 2026
OCC Bulletin 2026-13 excluded generative and agentic AI from Model Risk Management. The artifact that just became the only thing an examiner can ask for is the Determination, and most institutions do not have one.
April 24, 2026
Vercel's April 2026 breach was not an AI vendor incident. It was an identity governance failure with an AI tool as the attack vector. Mid-market financial institutions share the exact same failure surface.
April 21, 2026
You deployed SailPoint, CyberArk, and Entra ID. Examiners still issued findings. The problem was never the tools — it was the governance architecture the tools were asked to automate.
April 18, 2026
OCC Bulletin 2026-13 rescinds the model risk guidance that governed AI classification since 2011 and explicitly excludes generative AI from scope. That is not a free pass. It is a governance vacuum your own architecture needs to fill.
April 17, 2026
When an examiner asks who approved your AI deployment, silence is not an acceptable answer. A Decision Authority Matrix maps approval authority to risk tier and creates the evidence trail that proves governance existed before the question was asked.
April 15, 2026
Federal regulatory expectations for AI governance are converging fast. Here is what examiners will be asking and what your institution needs to prove before the next exam cycle.