AI Governance Best Practices: Lessons From Regulated Industries
TL;DR
- Only 28% of organizations say their CEO oversees AI governance, and just 17% report board-level oversight — even as 51% experienced at least one negative AI-related incident in the past year (McKinsey State of AI 2025).
- Regulated industries — financial services, healthcare, insurance — are learning AI governance the hard way. Earnest Operations paid $2.5 million to Massachusetts for AI underwriting models that discriminated against Black and Hispanic applicants.
- This article covers the tactical HOW: build a model inventory, implement tiered oversight, stand up a cross-functional committee, enforce documentation standards, and design monitoring that catches drift before regulators do.
Your Governance Framework Means Nothing Without These Practices
You can have the most elegant AI governance framework on paper. Beautiful structure. Clear roles on a slide. A policy document nobody reads.
None of that matters if you can’t answer the basic request your examiner will make: “Show me every AI model in production, who approved it, and when it was last validated.”
That’s the gap. McKinsey’s 2025 State of AI survey found that only 28% of organizations have their CEO directly overseeing AI governance, and a mere 17% report board-level oversight. Meanwhile, 51% of organizations experienced at least one negative AI-related incident in the past year — inaccuracy, compliance failures, reputational damage, privacy violations, or unauthorized actions.
The organizations getting AI governance right aren’t doing anything exotic. They’re executing a handful of unglamorous practices consistently. Here’s what regulated industries have learned — often painfully.
Practice 1: Build a Complete Model Inventory (Yes, Including the “Not a Model” Models)
Every AI governance failure starts the same way: an organization doesn’t know what it has. Shadow AI is rampant — a 2025 WalkMe survey found that 78% of employees use unapproved AI tools at work. Gartner predicts that by 2030, more than 40% of enterprises will experience security or compliance incidents linked to unauthorized shadow AI.
You can’t govern what you can’t see. A model inventory is the foundation of everything else.
What belongs in your inventory
Every AI and ML model, every rule-based system with quantitative outputs, every vendor-provided scoring model, and every generative AI application your people touch. OCC Bulletin 2011-12 and Fed SR 11-7 define “model” broadly — any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates.
The most common mistake? Excluding tools because “it’s not really a model.” If it takes inputs and produces outputs that inform a business decision, it’s in scope.
Minimum inventory fields
| Field | Why It Matters |
|---|---|
| Model name and ID | Unique identifier for tracking and audit trail |
| Model owner (business line) | Accountability — someone signs off on risk |
| Model developer (internal/vendor) | Identifies build vs. buy risk profile |
| Risk tier (Critical/High/Medium/Low) | Drives validation frequency and oversight level |
| Use case and business function | Maps model to regulatory requirements |
| Data inputs (including PII flags) | Privacy and fair lending compliance |
| Deployment date | Tracks how long a model has run without revalidation |
| Last validation date | Exam readiness — the #1 question regulators ask |
| Approval authority and date | Who signed off and when |
| Vendor and contract details | Third-party risk management linkage |
How regulated firms are doing it
The best model inventories in financial services aren’t spreadsheets (although many start there). They’re living registers connected to change management workflows. When a new model goes to production, it doesn’t deploy without an inventory entry, a risk tier assignment, and an owner. When a model gets decommissioned, the inventory reflects it.
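That deployment gate can be sketched in a few lines, assuming a dict-backed register (the `deployment_gate` helper and its field names are hypothetical, not part of any cited guidance):

```python
def deployment_gate(inventory: dict[str, dict], model_id: str) -> list[str]:
    """Return blocking issues; an empty list means the model may deploy.

    A model must have an inventory entry, a risk tier assignment, and a
    named owner before it reaches production.
    """
    entry = inventory.get(model_id)
    if entry is None:
        return [f"{model_id}: no inventory entry"]
    issues = []
    if not entry.get("risk_tier"):
        issues.append(f"{model_id}: no risk tier assigned")
    if not entry.get("owner"):
        issues.append(f"{model_id}: no accountable owner")
    return issues
```

Wiring a check like this into the change-management pipeline is what turns a spreadsheet into a living register.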
The Treasury’s FS AI RMF, released in February 2026, makes this explicit with its 230 control objectives — model inventory is foundational across governance, data, model development, and monitoring domains.
Start here: Run a discovery sweep. Ask every business unit: “What AI tools, models, or automated decision systems do you use?” Include vendor-provided models and SaaS tools with embedded AI. You will be surprised by what you find.
Practice 2: Implement Tiered Oversight by Risk Level
Not every model needs the same level of scrutiny. A chatbot answering FAQs doesn’t carry the same risk as a credit decisioning model that determines who gets a loan.
Tiered oversight is how you apply proportional governance without drowning in bureaucracy. The OCC’s 2025 bulletin on model risk management for community banks specifically emphasized that “the practical application of the OCC’s model risk management guidance should be customized… to be commensurate with the bank’s risk exposures, its business activities, and the complexity and extent of its model use.”
A practical tiering model
| Tier | Criteria | Validation Frequency | Approval Authority | Examples |
|---|---|---|---|---|
| Critical | Consumer-facing decisions, regulatory impact, material financial exposure | Annual full validation + quarterly monitoring | Board/Risk Committee | Credit scoring, AML transaction monitoring, algorithmic trading |
| High | Significant business impact, uses PII, moderate financial exposure | Annual validation + semi-annual monitoring | CRO/Model Risk Committee | Fraud detection, pricing models, customer segmentation with PII |
| Medium | Supports internal decisions, limited consumer impact | Biennial validation + annual monitoring | Department head + Model Risk | Demand forecasting, internal risk scoring, workforce analytics |
| Low | Informational, no consumer or material financial impact | Triennial validation + ad hoc monitoring | Model owner self-attestation | Internal search, document summarization, employee chatbots |
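One way to keep tiering consistent is to encode the table’s criteria as a simple decision rule, so no new model skips classification. This is a sketch only; the function and flag names are hypothetical, and real criteria will need judgment calls the table compresses away:

```python
def assign_tier(consumer_facing: bool, regulatory_impact: bool,
                material_exposure: bool, uses_pii: bool,
                informs_internal_decisions: bool) -> str:
    """Map the tiering criteria to a risk tier: first matching rule wins,
    from Critical down to Low."""
    if consumer_facing or regulatory_impact or material_exposure:
        return "Critical"
    if uses_pii:
        return "High"
    if informs_internal_decisions:
        return "Medium"
    return "Low"

# Validation cycle lengths from the table, in months
VALIDATION_CYCLE_MONTHS = {"Critical": 12, "High": 12, "Medium": 24, "Low": 36}
```

Even this crude rule is enough to drive validation scheduling: the tier indexes directly into the cadence table.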
Why tiering matters for enforcement
The Massachusetts AG settlement with Earnest Operations ($2.5 million, July 2025) is a textbook case. Earnest used an AI underwriting model that relied on a Cohort Default Rate — the average rate of loan defaults at specific colleges — which resulted in disparate impact against Black and Hispanic applicants. The company also used immigration status as a knock-out factor until 2023, creating national origin discrimination risk.
The critical failure wasn’t the model itself. It was the governance around it: no disparate impact testing, no bias audits, no ongoing fair lending monitoring. A proper tiering system would have flagged a consumer credit decisioning model as Critical and required annual fair lending testing as a baseline control.
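The missing baseline control is not hard to compute. Here is a sketch of a four-fifths-rule screen, a common disparate impact threshold from U.S. employment guidelines often reused in fair lending testing (the settlement does not prescribe this specific test, and the function name is hypothetical):

```python
def adverse_impact_ratio(approvals: dict[str, tuple[int, int]],
                         reference_group: str) -> dict[str, float]:
    """Compute each group's approval rate relative to the reference group.

    approvals maps group name -> (approved, total_applicants).
    Ratios below 0.8 (the common "four-fifths" screening threshold)
    warrant a disparate impact investigation.
    """
    ref_approved, ref_total = approvals[reference_group]
    ref_rate = ref_approved / ref_total
    return {group: (approved / total) / ref_rate
            for group, (approved, total) in approvals.items()}
```

A ratio screen is a trigger for investigation, not a verdict; but running it on a schedule is exactly the kind of control a Critical-tier classification should force.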
Practice 3: Stand Up a Cross-Functional AI Governance Committee
An AI governance committee isn’t a nice-to-have in regulated industries — it’s rapidly becoming a regulatory expectation. The NIST AI RMF’s Govern function (GV 1.1) explicitly calls for organizational structures that assign authority and accountability for AI risk.
Who sits at the table
| Role | What They Bring |
|---|---|
| Chief Risk Officer / Head of Risk (Chair) | Enterprise risk perspective, exam readiness |
| Chief Data Officer / Head of Data Science | Technical assessment, model understanding |
| Chief Compliance Officer | Regulatory mapping, consumer protection |
| General Counsel / Privacy Officer | Legal risk, data protection, fair lending |
| Business Line Leaders (rotating) | Use case context, business risk appetite |
| Internal Audit (observer) | Independent assurance, not a voting member |
| IT/Information Security | Cybersecurity, data infrastructure, access controls |
What the committee actually does
The committee isn’t a rubber stamp. It:
- Reviews and approves new AI use cases before deployment
- Sets risk appetite thresholds for AI applications
- Reviews model validation results and exception requests
- Monitors aggregate AI risk metrics
- Escalates material issues to the board
- Approves the model risk management policy annually
Meeting cadence: Monthly for organizations in early maturity. Quarterly once processes stabilize. Ad hoc for critical escalations (failed validation, regulatory inquiry, material incident).
How high performers differentiate
McKinsey’s 2025 survey found that high-performing organizations are three times more likely than peers to have senior leaders who demonstrate ownership of and commitment to AI initiatives. That ownership isn’t performative — it shows up in committee attendance, decision velocity, and resource allocation.
The difference between governance theater and real governance? Whether the committee can say “no” to a model deployment — and whether that decision sticks.
Practice 4: Enforce Documentation Standards That Survive Exams
Documentation is where AI governance lives or dies in regulated industries. Regulators don’t just ask “do you have a governance framework?” They ask to see the evidence.
The documentation stack
For every model in production, maintain:
- Model development documentation — methodology, training data characteristics, feature selection rationale, known limitations, and performance benchmarks
- Validation report — independent assessment of model performance, assumptions testing, sensitivity analysis, and outcomes analysis (including fair lending testing for consumer models)
- Approval record — who approved deployment, on what date, based on what evidence, and with what conditions
- Monitoring dashboard — ongoing performance metrics, drift detection results, input data quality metrics
- Change log — every material change to the model, who authorized it, and what testing was performed
- Incident log — any model failures, unexpected outputs, or complaints, with root cause analysis and remediation
The GAO’s findings on oversight gaps
The GAO’s May 2025 report on AI in Financial Services (GAO-25-107197) found that federal regulators primarily oversee AI using existing laws, regulations, and risk-based examinations. But the report flagged a critical gap: NCUA lacks both detailed model risk management guidance for credit unions and the authority to examine technology service providers — despite credit unions’ increasing reliance on third-party AI services.
The takeaway for practitioners: regulators are using existing frameworks to examine your AI. OCC Bulletin 2011-12 wasn’t written for generative AI, but examiners will absolutely apply its principles to your LLM-powered customer service bot if it’s making decisions that affect consumers.
Document like you’ll be examined tomorrow. Because increasingly, you will be.
Practice 5: Design Monitoring That Catches Drift Before Regulators Do
Model monitoring in regulated industries isn’t a dashboard you glance at quarterly. It’s a control system with triggers, escalation paths, and documented response procedures.
Minimum monitoring controls
- Performance drift detection: Set thresholds (±5% from baseline metrics is a common starting point) with automated alerts when breached
- Input data quality monitoring: Track missing values, distribution shifts, and data freshness — model outputs are only as good as inputs
- Fair lending / bias monitoring: For consumer-facing models, run disparate impact analysis on a schedule aligned to your risk tier (monthly for Critical, quarterly for High)
- Explainability checks: Verify that feature importance hasn’t shifted significantly, which may indicate the model is picking up on unintended patterns
- Output reasonableness testing: Compare model outputs against human judgment on a sample basis — catches edge cases automated checks miss
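The first control above can be sketched in a few lines. This assumes the ±5% relative threshold mentioned as a starting point; the helper name and metric keys are hypothetical:

```python
def drift_alerts(baseline: dict[str, float], current: dict[str, float],
                 tolerance: float = 0.05) -> list[str]:
    """Flag metrics that moved more than `tolerance` (default 5%) from baseline,
    measured as relative change. Missing readings are flagged too."""
    alerts = []
    for metric, base in baseline.items():
        cur = current.get(metric)
        if cur is None:
            alerts.append(f"{metric}: no current reading")
        elif base != 0 and abs(cur - base) / abs(base) > tolerance:
            alerts.append(f"{metric}: {base:.3f} -> {cur:.3f}")
    return alerts
```

The point is not the arithmetic; it is that each alert feeds a documented escalation path rather than a dashboard someone glances at quarterly.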
The regulatory trajectory
The regulatory landscape for AI monitoring is converging fast. The EU AI Act’s high-risk system requirements take full effect in August 2026, mandating post-market monitoring, logging, and human oversight. Colorado’s AI Act (SB 205) — now in effect as of February 2026 — requires deployers of high-risk AI systems to use reasonable care to protect consumers from algorithmic discrimination, including ongoing testing and impact assessments.
And the Treasury’s FS AI RMF dedicates an entire domain to monitoring and control objectives, making it clear that build-and-forget model deployment is no longer acceptable in financial services.
So What? Start With What You Can Control This Quarter
You don’t need a two-year transformation program. You need to start executing. Here’s a 90-day action plan:
Days 1–30: Inventory sweep
- Survey every business unit for AI/ML models and automated decision tools
- Build your initial inventory register (start with a spreadsheet — perfect is the enemy of done)
- Assign a preliminary risk tier to every identified model
Days 31–60: Governance structure
- Stand up your AI governance committee with named members and a charter
- Hold the first meeting — review the inventory, prioritize Critical and High-tier models for validation
- Draft your model risk management policy (or update the existing one to cover AI)
Days 61–90: Monitoring baseline
- Implement drift detection thresholds for all Critical-tier models
- Run a fair lending / bias audit on your highest-risk consumer model
- Document everything — build your evidence binder for the next exam
None of this is glamorous. That’s the point. AI governance best practices in regulated industries aren’t about innovation — they’re about discipline, documentation, and showing your work.
Need a head start? The AI Risk Assessment Template & Guide gives you the risk taxonomy, tiering model, and assessment framework to accelerate your first 90 days.
For the complete governance framework — roles, policies, maturity model, and implementation roadmap — see The Complete AI Governance Framework: Building Accountability Into Your AI Program.
FAQ
What’s the difference between AI governance best practices and an AI governance framework?
A framework is the structure — the organizational chart of who does what. Best practices are the operational muscle: how you actually inventory models, run validations, document decisions, and catch problems before regulators do. You need both. The framework without practices is a PowerPoint deck. Practices without a framework lack accountability. Start with the practices described here, then formalize them into a framework structure. For a complete framework guide, see The Complete AI Governance Framework.
How do small banks and fintechs implement AI governance without a dedicated team?
The OCC’s 2025 bulletin on model risk management for community banks directly addresses this — governance should be “commensurate with the bank’s risk exposures, its business activities, and the complexity and extent of its model use.” A fintech with three AI models doesn’t need a 10-person model risk team. Assign an owner for each model. Run your governance committee as a standing agenda item in an existing risk meeting. Use your risk tier to focus validation resources on Critical models first. The OCC is telling you proportionality is acceptable — take them at their word.
Which regulatory framework should I follow for AI governance — NIST, EU AI Act, or the Treasury’s FS AI RMF?
If you’re a U.S. financial institution, start with the Treasury’s FS AI RMF — it was specifically designed for financial services and maps directly to the NIST AI RMF with 230 control objectives tailored to banking. If you have EU operations, layer in EU AI Act requirements for high-risk systems (full compliance deadline: August 2026). The NIST AI RMF is the conceptual foundation underlying both. For a complete implementation guide on NIST, see NIST AI Risk Management Framework: The Complete Implementation Guide.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.