AI Governance Is Not One-Size-Fits-All

CCG Catalyst Commentary

Part 2 of a four-part series on AI governance — why one framework will not fit every bank, and where ISO standards fit alongside the federal expectation

May 20, 2026

Part 1 of this series made the strategic case: AI governance moved from voluntary best practice to examiner-ready obligation over the last twelve months, the federal framework and the 1,600-plus state AI bills have converged into a real regulatory weight on banks specifically, and the confidence-defensibility gap is widest where AI is embedded in vendor platforms and the browser layer.

The natural next question — and the one I am asked most often by bank leadership teams — is what the program should actually look like for this bank. The answer depends on the bank. A $400 million community bank in the upper Midwest, a $4 billion regional in the Southeast, and a $40 billion bank with international correspondent relationships should not be operating the same AI governance framework. The framework is the same backbone. The depth, the control count, the committee structure, and the staffing model are not.

Boards Already Govern Four Things — AI Sits Inside Them

Boards do not need a new committee for every emerging technology. They need to understand where this one fits among the responsibilities they already exercise.

Business strategy comes first. Every AI program implicitly answers a strategic question — is AI primarily a revenue play, an expense-reduction play, or both — and the answer changes the governance design. Compressing compliance cost, automating document review, or drafting customer correspondence is expense-reduction posture. Personalizing offers, dynamically pricing deposit products, or driving customer-facing decisions is revenue-generation posture. Most banks will end up in both. The controls, the reporting cadence, and the consumer-protection risk weight are different. Governance has to acknowledge that explicitly.

Technology appetite comes second. The build-buy-partner-refuse decision is now an AI decision more often than it is a core-system decision. As we have written across the recent CCG Catalyst articles on FCC technology, tokenized deposits, and the Same Day ACH $10 million limit, what a bank's core and adjacent providers can deliver is the constraint that shapes most strategic choices. AI is no different. A community bank cannot meaningfully build proprietary AI. It can buy AI embedded in its core, partner with fintechs delivering specific capabilities, or refuse to deploy AI where the risk does not justify the return.

Risk tolerance is the third pillar, with new dimensions in 2026: model opacity in transformer-based systems, agentic-action authority, hallucination tolerance in customer-facing contexts, third-party AI concentration when multiple critical vendors depend on the same foundation model, data leakage when employees paste proprietary information into public AI tools, and fair-lending risk when ML models drive credit, pricing, or marketing decisions. None of these fit neatly into the model risk management guidance (SR 11-7 / OCC Bulletin 2011-12) that examiners have applied since 2011.

Cybersecurity is the fourth pillar, and it has moved the fastest. The browser-layer shadow AI problem covered in Part 1 sits here. So do deepfake-enabled business email compromise, voice-cloned vishing, and the AI-enhanced social engineering that the CSI 2026 survey identifies as the number one cyber concern. Governance is the operating system that holds these four pillars together. Without it, every AI decision the bank makes is improvisation.

The Size-Band Split

The Financial Services AI Risk Management Framework organizes its 230 control objectives across four AI adoption stages — Initial, Minimal, Evolving, and Embedded — explicitly so that institutions can apply proportional controls rather than uniform ones. That structure is the right tool for differentiating across size bands.

For community banks under $1 billion in assets, the AI footprint is almost entirely third-party. There is very little proprietary AI to govern because, as noted above, a community bank cannot meaningfully build it. What needs governance is the AI inside the core, the fraud platform, the marketing automation, the customer-service chatbot, and the browsers in branch and back-office workstations. The FS AI RMF "Initial" stage maps directly to this profile: twenty-one foundational control objectives organized around inventory, acceptable use, vendor disclosure, third-party evaluation, and basic incident response. The ICBA Artificial Intelligence Governance Policy template, released in 2025 and refined through 2026, is a practical starting point institutions can adapt rather than draft from scratch. One community bank, per ICBA, revised its AI policy five times in the first half of 2025; that is the right cadence, not an indictment.

For regional banks between $1 billion and $10 billion in assets, the footprint is materially larger. These institutions typically operate some proprietary models — credit decisioning, fraud, marketing analytics, deposit pricing — alongside an extensive vendor AI stack. Commercial customers expect AI-enabled treasury management. The cyber attack surface is broader. Examiner scrutiny is calibrated to the size band. Governance has to span both vendor AI and internally developed or tuned models, with explicit standards for fair lending, explainability under ECOA and Regulation B, consumer disclosure, and complaint handling. The "Minimal" to "Evolving" stages are realistic targets — roughly 126 to 193 of the 230 objectives — prioritized by use case and risk.

For banks above $10 billion, "Embedded" and the full 230 objectives become the target with dedicated AI risk officers, formal model inventories, board AI committees, and continuous monitoring infrastructure.

The backbone is the same across size bands. NIST Govern, Map, Measure, Manage applies to a $400 million community bank and to a $40 billion bank alike. The depth, control count, committee structure, and staffing model are not. Treating them as if they should be is how community banks end up with policy bloat they cannot operate, and how regional banks end up with policy gaps examiners find.

Where ISO Fits Alongside the Federal Framework

U.S. regulators are not the only authority writing the AI governance rules. The international standards bodies have moved in parallel, and the standards they have published are increasingly relevant to U.S. banks for three reasons: examiner familiarity with international frameworks, vendor due diligence as major AI providers pursue certification, and the practical reality that any bank with international clients or multinational fintech partners will encounter these standards directly.

Four ISO standards matter for bank AI governance. ISO/IEC 42001:2023, the AI Management System Standard, is the first global, certifiable AI management system standard modeled on the Plan-Do-Check-Act structure familiar from ISO 27001. Unlike the FS AI RMF, ISO/IEC 42001 supports third-party certification. For banks already maintaining ISO 27001, extending to ISO/IEC 42001 is a natural progression rather than a parallel build. ISO/IEC 23894:2023 is the tactical risk-management complement, with an official NIST crosswalk mapping it to the NIST AI RMF functions. ISO/IEC 38507:2022 is the board-level standard — the most direct answer to a director asking, "what is my responsibility?" ISO 31000 is the ERM foundation already integrated into most regional bank enterprise risk programs.

The practical implication is that U.S. banks operate inside a layered standards environment. The Treasury FS AI RMF and the OCC bulletin set the U.S. supervisory expectation. NIST AI RMF provides the framework backbone. ISO/IEC 42001, 23894, 38507, and 31000 define the international and certification-grade expression of the same principles. Banks do not need to choose. They need to understand which framework satisfies which audience — examiners, auditors, vendors, customers, counterparties — and design a governance program that maps consistently across all of them.

Five Questions Your Board Should Be Asking

Before the next AI tool gets approved or the next strategic plan cycle, the board should be able to answer five questions.

  1. What is our complete AI inventory, including vendor-embedded AI in the core, the fraud platform, the marketing engine, the contact center, and any generative AI tools accessed through browsers? Most banks cannot answer this today, and the inventory gap is where the largest unmanaged risks live.
  2. Which of our AI use cases are revenue-generating and which are expense-reducing, and have we governed them differently? If the same policy applies to both, it is too thin for the revenue use cases and probably too heavy for the expense ones.
  3. Where do we stand on the FS AI RMF adoption-stage scale, and what is our twelve-month target? "Initial," "Minimal," "Evolving," or "Embedded" should be a board-level conversation, not an internal compliance debate.
  4. Who owns AI risk on this management team, and at what cadence does the board hear from them? An AI Risk Champion — typically the CRO, CCO, or a dedicated AI risk lead — should be named, accountable, and on the board calendar.
  5. If our largest vendor's AI system failed, hallucinated, or made a discriminatory decision tomorrow, do we have a playbook? Not a policy — you need a playbook. Notification, containment, customer remediation, regulatory reporting, root-cause analysis, vendor accountability.

The Bottom Line

AI governance is not one framework. It is a scaled framework — NIST Govern, Map, Measure, Manage as the backbone, FS AI RMF at the control level for U.S. supervisory expectations, ISO/IEC 42001 as the certification-grade overlay for institutions that need one, the ICBA template as the starting policy for community banks, and a heavier control set for regional banks.

The institutions that match the program to the bank's size, complexity, and market will operate AI governance as a competitive advantage. The institutions that adopt a one-size framework will discover what their gaps are at the exam, in the audit, or after an incident.

Part 3 of this series, next week, goes underneath the framework: why traditional model risk management buckled, why data governance is the prerequisite most banks have not built, and how to govern the different categories of AI — from traditional ML to foundation models to autonomous agents — that now sit inside every banking institution.


CCG Catalyst advises community and regional banks, credit unions, and fintech companies on AI strategy, governance design, and regulatory readiness. If your institution is evaluating its AI governance framework, reach out to our team at www.ccgcatalyst.com.

By: Paul Schaus | Founder & Managing Partner, CCG Catalyst Consulting


Disclaimer: The views expressed in this article represent the perspective of CCG Catalyst Consulting based on our direct experience advising financial institutions. This commentary is intended to stimulate industry discussion and does not constitute legal, accounting, or regulatory advice.