Topic AI Risk & Governance
The practitioner's guide to AI risk management.
Free templates, frameworks, and guides for compliance and risk teams navigating AI governance. No vendor pitch. No enterprise paywall. Just the tools you need to build a defensible AI risk program.
◆ Aligned with NIST AI RMF · SR 11-7 · emerging state AI laws
◆ Why this exists
Built for the person who just got handed AI governance.
◆ 01
Practitioner-first
Built for the person who just got handed AI governance and needs to show progress by next quarter. Not a 200-page consulting framework — actionable tools you can deploy this week.
◆ 02
US regulatory focus
Mapped to what US regulators actually cite: SR 11-7, NIST AI RMF, OCC guidance, Colorado AI Act, NYC Local Law 144. Written for financial services teams that answer to examiners.
◆ 03
Mostly free
AI governance is a fast-moving field. Most of these resources are free because getting the fundamentals right shouldn't require a procurement cycle.
◆ Template guides
Need an AI risk assessment or vendor questionnaire? Start here.
These guides explain what belongs in each template, show practical field examples, and point you to the working version when you're ready to use it.
◆ Employee-facing AI policy
Your MRM policy doesn't cover ChatGPT.
The AI Risk Framework above governs production AI/ML systems — credit scoring, fraud detection, AML monitoring — under the 2026 interagency revised MRM guidance. But it doesn't address what happens when an underwriter pastes a loan file into free ChatGPT, or when a finance team member uses an unapproved browser extension to summarize a pre-earnings draft. That's the GenAI Employee AUP.
$79 · One-time
GenAI Employee AUP Kit
Generative AI Acceptable Use Policy for governing employee use of ChatGPT, Claude, Copilot, and AI tools.
- • Data Classification × Tool Tier matrix — what you input determines what tool tier you can use
- • Approved Tool List with vendor DD (DPA, SOC 2, BAA, training opt-out) for M365 Copilot, Claude Enterprise, GitHub Copilot, ChatGPT Enterprise
- • 15 Pre-Approved Use Cases so employees self-serve common patterns without bottlenecking on compliance
- • Low-touch Employee Intake Form with auto-routing decision formula
- • 8-incident AI Incident Response Runbook (PII paste, MNPI exposure, hallucinated regulatory filing, prompt injection, shadow AI)
- • 26-paragraph Policy Language Library + Manager Talking Points
◆ Pairs with
The AI Risk Assessment Template covers production AI governance. The GenAI Employee AUP covers the employee-facing layer above that. Together they're the full AI policy stack for financial services.
◆ Regulatory anchor
NIST AI 600-1 Generative AI Profile (12 risk categories), FTC Operation AI Comply, Colorado AI Act (revised effective date January 1, 2027), ECOA / FCRA meaningful human review.
◆ Free resources
Start here. Free with email.
Frameworks, templates, and guides you can use today. We're building the resource center we wish existed when we started.
★ Free guide
AI Risk Assessment Guide
A free introductory guide to AI risk assessment for financial services teams.
- ◆ AI risk fundamentals overview
- ◆ Key risk categories and considerations
- ◆ Practical getting-started guidance
★ Free whitepaper
Threat Modeling for Agentic Payments
20,000-word deep dive on threat modeling for AI-powered autonomous payment systems. Formal taxonomy, tiered controls, and regulatory mapping.
- ◆ 5 threat categories, 7 control domains
- ◆ US, UK, and EU regulatory analysis
- ◆ Real attack scenarios from live infrastructure
◆ Coming soon
AI Model Inventory Template
Free Excel template to catalog every AI system in your organization. The universal first step every regulation requires — and the thing most companies still haven't done.
- ◆ Pre-built fields for SR 11-7 alignment
- ◆ Risk tiering with scoring criteria
- ◆ Covers in-house models and vendor AI
◆ Coming soon
Colorado AI Act Compliance Checklist
SB 205 requirements mapped to NIST AI RMF subcategories. The crosswalk nobody else has published — with the January 2027 deadline approaching fast.
- ◆ NIST AI RMF affirmative defense mapping
- ◆ Impact assessment template included
- ◆ Consumer notification requirements
◆ Coming soon
Shadow AI Governance Playbook
76% of organizations have unauthorized AI in production. This playbook covers detection, policy, and controls — without requiring an enterprise platform.
- ◆ Discovery and detection methods
- ◆ Acceptable use policy template
- ◆ Amnesty program framework
◆ Coming soon
AI Bias Audit Documentation Kit
Step-by-step bias audit documentation for NYC Local Law 144 and Colorado SB 205 compliance. The template almost nobody has published.
- ◆ Disparate impact testing methodology
- ◆ Audit documentation checklist
- ◆ Scoring rubric and escalation criteria
◆ Premium templates
When you need the full toolkit.
Operational templates with Excel dashboards, assessment checklists, and governance documentation. Built for teams that need to show progress to regulators and bank partners.
AI Risk Assessment Template & Guide
A complete framework for identifying, assessing, and mitigating AI-related risks in regulated financial institutions. Includes policy templates, pre-deployment checklists, AI Use Case Inventory with auto-tiering, bias assessment tools, 8 worked examples (Fraud Detection, Customer Chatbot, Credit Underwriting, AML Monitoring, Marketing GenAI, Shadow AI ChatGPT, BaaS KYC AI, Crypto Sanctions AI), a filled third-party vendor questionnaire (OpenAI), and an 8-response Bank Partner Response Library — mapped to the 2026 regulatory landscape: NIST AI RMF 1.1, the OCC's 2026 model risk management guidance (which replaced SR 11-7), Colorado AI Act, FS AI RMF (FinCEN), CFPB ECOA AI provisions, and EU AI Act high-risk requirements. Bank partners and regulators are starting to ask pointed questions about AI governance — and "we're working on it" isn't cutting it anymore. This kit gives you a structured assessment methodology with scoring criteria, a use case inventory you can populate in an afternoon, a third-party AI vendor questionnaire, pre-written responses to the most common bank partner AI governance questions, and worked examples for calibration. Built to complement your existing risk and compliance functions — so your team spends time on model-specific work, not rebuilding templates from scratch.
- ◆ AI Use Case Inventory tab with auto-tiering formula (consumer impact + decisioning role + PII + regulatory touchpoint)
- ◆ 44-question pre-deployment risk assessment scorecard across 11 risk domains
- ◆ 31-question third-party AI vendor due diligence questionnaire
- ◆ 8 pre-filled worked examples: Fraud Detection, Customer Chatbot, Credit Underwriting, AML Monitoring, Marketing GenAI, Shadow AI ChatGPT, BaaS KYC AI, Crypto Sanctions AI
- ◆ Filled vendor questionnaire (OpenAI) — what acceptable answers look like
- ◆ Bank Partner Response Library PDF — 8 pre-written responses to the most common bank partner AI governance questions
- ◆ AI Governance Dashboard tab and quarterly Board Report tab
- ◆ Shadow AI Register tab and discovery methodology
81+
AI risk & governance articles
8+
Years in risk & compliance
US
SR 11-7 · NIST AI RMF · state AI laws
◆ Latest insights
AI Risk & Governance Journal.
AI Risk
Agentic AI in Financial Services 2026: The Governance Framework Your Board Doesn't Know It Needs
SR 26-2 carved agentic AI out of model risk scope in April 2026. That didn't make the risk disappear — it moved the governance burden entirely onto you. Here's what a functional agentic AI governance framework looks like and why you need one before your next exam.
AI Risk
SR 26-2 for Community and Regional Banks: What the Proportionality Principle Actually Requires
SR 26-2 and OCC 2026-13 replaced SR 11-7 on April 17, 2026 — and the proportionality principle changes what model risk management looks like for banks under $100 billion. Here's what's actually required, what's still expected, and how to calibrate your program.
AI Risk
SR 26-2 and OCC 2026-13: What the New Model Risk Management Guidance Changes — and the GenAI Gap Your Program Needs to Close
The interagency guidance that replaced SR 11-7 on April 17, 2026 is voluntary and principles-based — and it explicitly excludes generative AI and agentic AI from scope. Here's what changed, what examiners will still test, and the gap your AI governance program needs to close before the AI-specific RFI lands.
AI Risk
EU AI Act August 2, 2026: Your 32-Day Compliance Checklist — What's Still Required After the Omnibus Deferral
The Digital Omnibus pushed Annex III high-risk AI to December 2027 — but August 2, 2026 still brings Article 50 transparency requirements and full GPAI enforcement powers. Here's your verified 32-day checklist.
AI Risk
NYDFS Put Every Regulated Entity on Notice About Frontier AI Cyber Risk — Here's What the May 21 Guidance Requires
On May 21, 2026, NYDFS issued two companion industry letters warning that frontier AI models will fundamentally change the speed and scale of cyberattacks against financial institutions. The guidance doesn't create new legal requirements, but it will be cited in exams. Here's what NYDFS expects and what to document.
AI Risk
CFPB Reg B Overhaul Takes Effect July 21: What the Disparate Impact Removal Actually Means for AI Credit Models
The CFPB's final rule removing disparate impact from Regulation B takes effect July 21, 2026. Here's what changed, what didn't, and what AI-driven lenders need to document before the deadline.
● Regulatory landscape
The AI regulatory landscape is moving fast.
Colorado's AI Act takes effect January 1, 2027. NYC Local Law 144 is already live. NIST AI RMF 1.1 dropped in March. OCC examiners are applying SR 11-7 to AI models right now. More than half of US states have introduced AI legislation.
We track all of it. Our journal covers every major regulatory development, enforcement action, and framework update — with practical guidance on what it actually means for your program.