Picture this. You're sitting across from the examiner who just asked a question that ended a room full of executives mid-sentence: "Show me the evidence that this AI system was approved at the appropriate governance level."
Could you? The system has been running for eight months. It touches customer data. It influences a downstream lending workflow. The best anyone could produce was a Slack thread where a VP said "looks good, let's roll it out."
That is not governance. That is an MRA waiting to be written.
If you are a CISO, CRO, or CTO at a community or regional bank right now, this scenario is not hypothetical. It is the most predictable regulatory event on your horizon, and the window to get ahead of it is narrower than most people realize.
What do federal examiners actually test in AI governance? Federal examiners do not test whether you have an AI policy. They test whether your institution can produce contemporaneous, system-generated evidence that AI systems were approved at the correct governance level, classified by risk tier, and monitored with traceable artifacts. The question is not what the policy says. It is what the walkthrough reveals.
The Convergence You Can Get Ahead Of
Two forces are defining what AI governance looks like for community banks in 2026. The OCC prevoiusly named AI and emerging technology risk as a supervisory priority. The NIST AI Risk Management Framework has established the vocabulary regulators are converging on: Govern, Map, Measure, Manage. It is not a mandate yet, but it is rapidly becoming the lens through which examiners evaluate whether an institution has a governance architecture or just a governance policy.
The trajectory is the same one cybersecurity governance followed a decade ago. Institutions that built the architecture early had 12–18 months of evidence compounding by the time expectations crystallized. If you lived through that transition, you know which side of it you want to be on this time.
What Examiners Actually Ask
From a decade of preparing governance programs for examination cycles at a financial institution moving through a bank charter acquisition into federal supervision, and from the conversations I have had with CISOs and CROs preparing for their first AI-focused exam cycle, examiner questions about AI governance cluster into four specific areas. None of them are about whether you have a policy.
AI Inventory and Classification
Can you produce a complete inventory of AI tools, models, and integrations in use across your institution? Including the ones embedded in vendor platforms your team did not realize had AI features? The CRM vendor's new "smart summary" button. The core banking platform's anomaly detection module. The document management system's classification AI. Every one of them is AI. Every one of them needs to be in the inventory, classified by risk tier. If the examiner asks "what AI is your bank running?" and the answer takes more than a few seconds of silence to begin, that is a finding in progress.
Decision Authority
Who approved the deployment of each AI system? At what level? Is there documentation showing the approval authority matched the risk tier? The examiner is not asking if you have an AI policy. They are asking if you have a decision authority structure and whether it has ever been exercised.
Evidence of Governance, Not Just Documentation
Examiners have read enough policy documents to know a policy is not a control. They want evidence that governance is operational: meeting minutes with actual decisions recorded, approval artifacts with signatures, monitoring outputs that show someone is watching. "We have an AI governance policy" and "we can prove our AI governance program is functioning" are separated by an ocean of operational maturity. Examiners test for the latter. And they test for it by pulling samples, not by reading the binder.
Model Risk Overlap
For institutions subject to OCC 2011-12, examiners are probing whether you have performed a Model vs. Non-Model Determination for each AI system in your environment. OCC 2011-12 defines a model specifically as a system that produces quantitative estimates for business decisions: a credit scoring algorithm qualifies, a meeting summarizer does not. The examiner's question is not whether every AI tool is a model. It is whether you evaluated the question for each one, documented the rationale, and can produce the Determination on request. An institution that never performed the Determination that never asked the question at all, is the one that produces the finding.
The V³ Diagnostic
I structure every AI governance diagnostic around three vectors. Not because frameworks are interesting, but because these are the three operational questions that examiner scrutiny ultimately reduces to in practice. Together, the vectors form the visible face of V³ — the Void Vanguard Domain Assessment framework. It maps to how the NIST AI RMF functions translate into operational governance: Visibility aligns with Map, Velocity with Measure and Manage, Verification with Govern’s evidence and reporting requirements.
Visibility: Can You See It?
A complete AI inventory. Risk classification. Named ownership. If you cannot enumerate every AI system in your environment and name the person accountable for each one, you have a visibility gap the examiner will find before you do.
Velocity: Can You Move on It?
Decision authority, access controls, policy enforcement, incident response capability. Governance that exists only in documents (without operational enforcement mechanisms) is governance theater. Examiners can tell the difference in about ten minutes.
Verification: Can You Prove It?
Attestation cycles, audit trails, monitoring outputs, examiner-ready documentation. Every control must generate its own evidence, or it is an assertion without proof. Assertions do not survive examinations.
What to Do in the Next 90 Days
Days 1–30: Visibility
Conduct the AI census. Identify every AI tool, model, and vendor integration you can see directly — what your employees downloaded, what your IT team deployed, what AI features are activated in platforms you already run. For vendor-embedded AI, initiate the outreach in Week 1 but do not hold the census hostage to vendor response timelines (those typically run 30–60+ days). Classify what you can see, flag what requires vendor confirmation, and build the evidence that you asked the question. This alone puts you ahead of the majority of community banks.
Days 31–60: Velocity
Establish decision authority. Define who can approve, deploy, modify, and retire AI systems by risk tier. Document the first round of retroactive approvals. Build the evidence artifact that proves governance existed before the examiner asked for it.
Days 61–90: Verification
Activate the evidence loop. Ensure every governance control produces a traceable artifact. Run the first governance review cycle. Produce the first board-ready report that demonstrates AI governance posture with evidence, not narrative.
This is not a multi-year transformation. It is a 90-day sprint that produces a defensible foundation. The institutions that build governance architecture now will have 12–18 months of evidence by the time examiner expectations fully crystallize. Those that wait will be building under pressure... reactive, rushed, and without the evidence trail that only time can produce.
Bottom Line
The distance between "we need AI governance" and "we can prove we have it" is shorter than most institutions think. A 90-day sprint can produce a defensible foundation (lightweight, but defensible) — inventory, decision authority, evidence loops, board reporting — is achievable inside a single quarter. The institutions that build it now will have 12–18 months of compounding evidence by the time examiner expectations fully crystallize.
Frequently Asked Questions
What AI does my community bank already have that I should be inventorying?
More than you think. Your core banking platform probably has embedded AI for anomaly detection or fraud flagging. Your CRM likely has AI-powered summarization or customer insights. Your document management system may have classification AI. Your collaboration tools almost certainly have generative AI features that were turned on by the vendor without a governance review. The AI census is not just about what your team downloaded, it is about what your vendors embedded in systems you were already paying for. Expect to find 3–5x more AI exposure than your initial guess.
What is the difference between an AI policy and AI governance that examiners will accept?
An AI policy is a written declaration of what should happen. AI governance is the operational machinery that makes it happen and generates evidence as a byproduct. Examiners test the latter, not the former. If your AI governance posture is "we wrote a policy and the board approved it," that is a policy layer with no architecture underneath. Examiners look for four things: inventory with risk classification, decision authority with documented exercises, evidence with traceable artifacts, and reporting with a defined cadence. Miss any of the four and the program fails the walkthrough.
Does OCC 2011-12 apply to AI systems at community banks?
It depends on what the AI system does and the examiner expects you to have made that determination deliberately. OCC 2011-12 defines a model as a system that produces quantitative estimates for business decisions. A credit scoring algorithm, a fraud detection model, and a loan pricing engine all qualify. A meeting summarizer, a grammar checker, and a document search tool do not. The governance action is a Model vs. Non-Model Determination for each AI system: evaluate it against the OCC 2011-12 definition, document the rationale, and produce the classification on request. The finding comes when the institution never performed the Determination at all.
How long do I have before examiners start asking these questions?
The 2024 OCC Semiannual Risk Perspective named AI as a supervisory priority, and that language sharpens rather than softens over time. If your bank has an exam cycle in 2026, the probability of AI-focused questions is high. If your cycle is in 2027, the probability is near certain. Either way, the 90-day sprint to a defensible foundation needs to start now, because 12–18 months of evidence compounds in ways that a panicked pre-exam scramble cannot replicate.
What is V³ Domain Assessment?
V³ is the Void Vanguard Domain Assessment framework. It evaluates governance across three vectors — Visibility, Velocity, Verification — with nine specific domains underneath them at the full matrix level. For AI governance specifically, the three vectors map to the examiner's core questions: can you see the AI environment, can you act on it with decision authority and enforcement, and can you prove it with evidence. The framework is what I use on every diagnostic I run for mid-market regulated institutions.