Small bank AI governance checklist
AI Governance Checklist for Small Banks Using Current Model Risk Expectations
Small banks and credit unions are already exposed to AI through vendor platforms, fraud tools, marketing systems, underwriting models, customer service software, document automation, and staff productivity tools. The question is not whether AI exists in the environment. The question is whether the institution can identify, govern, monitor, and evidence that use.
This AI governance checklist for small banks turns the AegisAI readiness framework into a practical 30-question review. It is designed for compliance, risk, audit, IT, vendor management, and executive teams that need a clear starting point.
Why small banks need AI governance now
AI governance is not only a concern for the largest institutions. Smaller institutions often rely heavily on third-party providers, which means AI risk may appear inside vendor products before the bank has a formal AI program. Regulators have repeatedly emphasized risk-based oversight, model governance, vendor management, operational resilience, consumer protection, and evidence. The model risk language in this checklist follows the updated supervisory guidance (SR 26-2 / OCC Bulletin 2026-13) while retaining a mapping to SR 11-7 for teams that still need to translate legacy policies, audit workpapers, and model inventories. FFIEC IT Examination Handbook resources and CFPB AI-related guidance reinforce the same operating reality: financial institutions should understand how automated tools affect risk and customers.
The checklist below helps a small bank create a first-line view of what exists, what is missing, and what should be remediated first.
The complete 30-question checklist
Use Yes, Partial, or No for each question. A No or Partial answer should become a gap item with an owner, target date, evidence requirement, and reporting path.
AI Policy & Governance
Assesses whether AI use is governed by clear policies, accountable oversight, and documented approval practices.
- Does your organization maintain a written AI governance policy?
- Has the board or a board-level committee formally assigned oversight for AI risk?
- Do you maintain an inventory of AI systems, models, and AI-enabled tools in use?
- Does your model risk management policy address AI and machine learning systems using current supervisory terminology?
- Is there a documented approval process before new AI use cases go live?
Vendor & Third-Party AI Risk
Reviews how AI vendor relationships are identified, contracted, diligenced, monitored, and security reviewed.
- Do you maintain an inventory of vendors that provide AI-enabled products or services?
- Do contracts include AI-specific provisions for data use, transparency, audit rights, and accountability?
- Does vendor due diligence assess AI governance, model controls, data practices, and compliance risk?
- Are AI vendors subject to ongoing monitoring after onboarding?
- Are AI vendor products reviewed for information security, privacy, and access-control risks?
Model Risk Management
Measures alignment with current model risk governance expectations, including ownership, inventory, validation, monitoring, change controls, and documentation.
- Are AI models governed in a manner aligned to current model risk guidance, with SR 11-7 mapping retained where legacy documentation still uses it?
- Do high-risk AI models receive independent validation before production use?
- Are model assumptions, limitations, intended uses, and prohibited uses documented?
- Are AI model updates and material changes governed by a documented change-management process?
- Do you monitor AI model performance, drift, exceptions, and control effectiveness over time?
Data Governance & Privacy
Checks whether AI data sources, bias risks, retention rules, privacy reviews, and incident processes are documented.
- Are training, testing, and production data sources documented for AI systems?
- Do you assess AI systems for bias, disparate impact, or unfair outcomes where applicable?
- Are data retention and disposal rules defined for AI inputs, outputs, and supporting evidence?
- Do AI use cases receive privacy review before customer, employee, or sensitive data is used?
- Is there an incident response process for AI-related data, privacy, or model failures?
Board & Audit Reporting
Evaluates whether AI risk is visible to the board, ERM, audit, issue tracking, and escalation channels.
- Does management provide periodic AI risk reporting to the board or a designated committee?
- Is AI risk included in enterprise risk management reporting and risk assessments?
- Has internal audit reviewed AI governance, model risk, or vendor AI controls?
- Are AI-related findings, issues, and remediation plans tracked to closure?
- Is there a defined escalation path for material AI risks, incidents, or policy exceptions?
Evidence & Compliance
Assesses whether the organization can prove governance activity, attest control status, and maintain exam readiness.
- Do you retain evidence of AI governance decisions, approvals, reviews, and control activities?
- Do business owners or control owners attest to AI governance and compliance responsibilities?
- Can you produce AI governance documentation and supporting evidence for auditors or examiners?
- Do you track regulatory guidance, enforcement trends, and supervisory expectations related to AI?
- Do you maintain a prioritized roadmap for closing AI governance and compliance gaps?
How to use the checklist
- Start with a working AI inventory. Include vendor tools, internal models, AI-enabled SaaS features, and experimental use.
- Ask each domain owner to answer only with evidence they can produce. If the answer depends on memory, mark it Partial.
- Prioritize No answers first, starting with the Vendor & Third-Party AI Risk and Model Risk Management domains, especially where the gap affects customers, credit, fraud, security, or regulatory reporting. Partial answers follow in the same order.
- Turn the top five gaps into a 30/60/90-day remediation plan with owners, dates, and required evidence.
- Report material AI risks and remediation status to management, the board, audit, or the appropriate oversight committee.
What to do after the checklist
A checklist creates visibility, but the next step is scoring and prioritization. The AegisAI calculator converts the same governance framework into a score out of 60, domain breakdown, score band, top gaps, and recommended next steps. That gives teams a clearer way to brief executives and sequence remediation.
For more on how the scoring works, see the AI Governance Calculator guide, which explains score bands, domain breakdowns, and how gaps are prioritized.
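As an added example (not the AegisAI calculator and not code from this page), the following Python turns a completed answer sheet into the score out of 60, a per-domain breakdown, and a remediation queue ordered by the rule in the usage steps above: No before Partial, with the vendor risk and model risk domains first. It assumes Yes = 2, Partial = 1, No = 0, which is the only weighting that gives 30 questions a 60-point maximum; the page does not state the weights or the score bands, so no band is computed. The short question labels and the sample answer sheet are constructed for the example.

```python
"""Score and prioritise the 30-question AI governance checklist.

Added example, not the AegisAI calculator. Assumed weights: Yes=2, Partial=1,
No=0 (gives the 60-point maximum for 30 questions). Score bands are not
defined on the page and are deliberately not computed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

POINTS = {"Yes": 2, "Partial": 1, "No": 0}  # assumed weights, see docstring

# Six domains, five questions each, in page order. Labels are constructed
# shorthand for the checklist questions, not wording from the page.
DOMAINS: Dict[str, List[str]] = {
    "AI Policy & Governance": ["written policy", "board oversight", "AI inventory",
                               "MRM covers AI/ML", "use-case approval"],
    "Vendor & Third-Party AI Risk": ["vendor inventory", "AI contract terms",
                                     "AI due diligence", "ongoing monitoring",
                                     "security/privacy review"],
    "Model Risk Management": ["aligned to MRM guidance", "independent validation",
                              "assumptions/limits documented", "change management",
                              "performance/drift monitoring"],
    "Data Governance & Privacy": ["data sources documented", "bias/disparate impact",
                                  "retention/disposal", "privacy review",
                                  "AI incident response"],
    "Board & Audit Reporting": ["board reporting", "ERM inclusion", "internal audit review",
                                "issues tracked to closure", "escalation path"],
    "Evidence & Compliance": ["evidence retained", "owner attestation",
                              "exam-ready documentation", "regulatory tracking",
                              "gap roadmap"],
}

# Domains whose gaps go to the front of the queue, per the usage steps.
PRIORITY_DOMAINS = ("Vendor & Third-Party AI Risk", "Model Risk Management")

Answers = Dict[Tuple[str, str], str]  # (domain, question) -> Yes/Partial/No


@dataclass
class Gap:
    """A No/Partial answer plus the fields a tracked gap item must carry."""
    domain: str
    question: str
    answer: str
    owner: Optional[str] = None
    target_date: Optional[str] = None
    evidence_required: Optional[str] = None
    reporting_path: Optional[str] = None


def is_actionable(gap: Gap) -> bool:
    """A gap is trackable to closure only once all four fields are filled."""
    return all([gap.owner, gap.target_date, gap.evidence_required, gap.reporting_path])


def validate(answers: Answers) -> None:
    """Reject sheets that skip or invent questions, or use other answer values."""
    expected = {(d, q) for d, qs in DOMAINS.items() for q in qs}
    if set(answers) != expected:
        raise ValueError("answer sheet must contain exactly the 30 checklist questions")
    bad = [a for a in answers.values() if a not in POINTS]
    if bad:
        raise ValueError(f"answers must be Yes, Partial or No, got {bad}")


def score(answers: Answers) -> dict:
    """Total out of 60 plus (points, max) per domain."""
    validate(answers)
    per_domain = {}
    for domain, questions in DOMAINS.items():
        pts = sum(POINTS[answers[(domain, q)]] for q in questions)
        per_domain[domain] = (pts, 2 * len(questions))
    total = sum(p for p, _ in per_domain.values())
    return {"total": total, "max": 60, "domains": per_domain}


def prioritized_gaps(answers: Answers, top: int = 5) -> List[Gap]:
    """No before Partial; priority domains first; otherwise page order."""
    validate(answers)
    order = list(DOMAINS)
    gaps = [Gap(d, q, answers[(d, q)])
            for d, qs in DOMAINS.items() for q in qs if answers[(d, q)] != "Yes"]
    gaps.sort(key=lambda g: (POINTS[g.answer],
                             0 if g.domain in PRIORITY_DOMAINS else 1,
                             order.index(g.domain)))
    return gaps[:top]


def sample_answers() -> Answers:
    """Constructed answer sheet: mostly Yes with a handful of gaps."""
    answers = {(d, q): "Yes" for d, qs in DOMAINS.items() for q in qs}
    answers[("AI Policy & Governance", "AI inventory")] = "Partial"
    answers[("Vendor & Third-Party AI Risk", "AI contract terms")] = "No"
    answers[("Vendor & Third-Party AI Risk", "ongoing monitoring")] = "Partial"
    answers[("Model Risk Management", "independent validation")] = "No"
    answers[("Data Governance & Privacy", "bias/disparate impact")] = "No"
    answers[("Evidence & Compliance", "owner attestation")] = "Partial"
    return answers


if __name__ == "__main__":
    sheet = sample_answers()
    result = score(sheet)
    print(f"Score: {result['total']}/{result['max']}")
    for domain, (pts, mx) in result["domains"].items():
        print(f"  {domain}: {pts}/{mx}")
    print("Top gaps for the 30/60/90-day plan:")
    for g in prioritized_gaps(sheet):
        print(f"  [{g.answer}] {g.domain}: {g.question}")
```

The sample sheet scores 51/60; its first three queued gaps are the No answers (contract terms, independent validation, bias review) and the vendor-domain Partial ranks ahead of the policy-domain Partial. Each `Gap` is only considered actionable once owner, target date, evidence requirement and reporting path are all set, which matches the gap-item rule at the top of the checklist.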
Important limitation
This checklist is for informational self-assessment only. It does not constitute legal, regulatory, audit, model risk, or compliance advice and does not prove regulatory compliance.