AI Risk Board Reporting Template for Banks and Credit Unions
Board oversight of AI risk is easier when management reports the same core facts every quarter: what AI is in use, what risk it creates, what evidence supports the control posture, and what needs escalation.
Use this page as a preview of a 10-slide AI board reporting structure for banks, credit unions, and fintechs. The full Starter Kit includes a board-ready template that can be adapted for risk committee, audit committee, or full board reporting.
Why boards need AI risk reports now
AI is no longer limited to isolated innovation pilots. Financial institutions now encounter AI in fraud tools, credit analytics, customer communications, vendor platforms, cybersecurity tooling, document processing, and employee productivity systems. Some of those tools are internally governed; many arrive through third-party products where AI features can change quickly.
Boards do not need to approve every prompt, model feature, or vendor configuration. They do need a clear view of the institution's AI exposure, risk appetite, management controls, high-risk use cases, and unresolved gaps. Without a structured report, AI oversight becomes scattered across technology, compliance, model risk, vendor management, and business-line updates.
A useful board report connects AI activity to governance evidence. It tells directors which AI uses are approved, which are pending review, which vendors require enhanced diligence, what model risk issues are open, and what management is doing next.
What boards need to know about AI risk
Board-level AI reporting should translate technical and operational details into oversight questions. Which AI use cases could affect customers, members, credit decisions, compliance outcomes, security operations, or critical business processes? Which vendors provide AI-enabled functionality? Which models are validated, monitored, or awaiting review?
The report should also surface risk ownership. Boards should be able to see whether compliance, risk, IT, vendor management, legal, audit, and business owners understand their roles. A good deck does not bury accountability in a dense inventory; it makes ownership and escalation visible.
- Approved and proposed AI use cases by business line
- High-risk vendors with embedded AI functionality
- Model inventory, validation status, and monitoring gaps
- Data, privacy, security, and consumer-impact concerns
- Open remediation items, owners, and due dates
- New regulatory or supervisory developments
Regulatory expectations for board oversight of AI
Regulators generally expect risk management to be commensurate with an institution's size, complexity, and risk profile. For AI, that means board reporting should be proportional: a community bank may not need the same depth as a large bank, but it still needs evidence that management is identifying, assessing, controlling, and reporting material AI risk.
Third-party AI exposure should be tied to OCC Bulletin 2023-17 and the interagency third-party risk management life cycle: planning, due diligence and selection, contract negotiation, ongoing monitoring, and termination. Model-related AI exposure should be tied to current model risk governance language, including SR 26-2 and OCC Bulletin 2026-13, with SR 11-7 continuity mapping where legacy documents still use it.
The board package should avoid conclusory statements like 'AI risk is low' without evidence. Better reporting shows the basis for the risk view: inventory coverage, review status, testing evidence, vendor responses, exceptions, and remediation progress.
What a good board report includes
A 10-to-12 slide structure is often enough for recurring AI oversight. The goal is not to overwhelm directors; it is to give them a repeatable view of exposure, control status, and management action.
1. Executive summary: AI exposure, risk trend, and board decisions needed.
2. AI inventory snapshot: approved, pending, prohibited, and decommissioned use cases.
3. Material use cases: customer impact, business owner, risk tier, and control status.
4. Vendor AI exposure: critical vendors, diligence status, and unresolved evidence gaps.
5. Model risk posture: validation status, monitoring results, drift issues, and open findings.
6. Data and privacy controls: data use, retention, access, and training restrictions.
7. Consumer and fairness risk: explainability, complaints, adverse-action support, and testing.
8. Incidents and exceptions: AI failures, overrides, policy exceptions, and escalation history.
9. Regulatory landscape: supervisory expectations, exam themes, and policy updates.
10. Management action plan: top gaps, accountable owners, milestones, and next report date.
Download the board reporting template
The Starter Kit board reporting template includes a slide-by-slide structure for AI inventory, model risk, vendor risk, evidence readiness, and regulatory updates. It is designed to fit into existing risk committee reporting instead of creating a separate technical deck.
FAQ
What should a board AI risk report include?
A board AI risk report should summarize the AI inventory, material use cases, vendor exposure, model risk posture, open incidents, regulatory developments, and management action items. It should be concise enough for board oversight and specific enough to support follow-up questions.
How often should boards receive AI risk reporting?
Many institutions start with quarterly reporting to the board or a board risk committee, with ad hoc reporting for material AI incidents, high-risk vendor changes, new customer-impacting use cases, or significant remediation delays.
Does board reporting need technical model detail?
Boards need decision-useful risk information, not a full technical validation package. Technical model documentation should be available to model risk, audit, and examiners, while board materials should summarize risk level, trend, control status, and escalation needs.
How does SR 26-2 affect AI board reporting?
SR 26-2 and related OCC model risk guidance emphasize governance, accountability, validation, monitoring, and reporting for model risk. AI board reporting should show that management understands where AI and model risk exist and how gaps are being remediated.
Make AI oversight repeatable.
Start with the free governance assessment, then use the board reporting template to turn AI risk into clear quarterly oversight, accountable remediation, and better exam readiness.
Important limitation
This resource is for informational and educational purposes only. It does not constitute legal, regulatory, audit, supervisory, model validation, privacy, security, or compliance advice. Institutions should consult qualified counsel and risk, compliance, audit, privacy, security, and model risk professionals regarding their specific obligations.
- Keep the same slide structure each quarter.
- Escalate material AI changes between reporting cycles.
- Tie every open gap to an owner and due date.
- Retain board materials as governance evidence.