AI Governance: Definition and Use in Compliance
AI Governance is a framework of policies, controls, and accountability mechanisms that organizations use to ensure artificial intelligence systems operate reliably, fairly, and within regulatory requirements across their full development and deployment lifecycle.
What is AI Governance?
AI Governance is the set of policies, processes, controls, and accountability structures that define how an organization builds, deploys, monitors, and retires AI systems. In financial services, it's the difference between deploying a model because it tests well in development and deploying it because it's documented, validated, explainable, and auditable.
The scope is wider than most compliance teams expect when they first encounter it. AI Governance covers the full model lifecycle: data sourcing and preprocessing, algorithm selection, fairness and bias testing, pre-deployment validation, production monitoring, and eventual decommissioning. It covers vendor oversight too. If a bank buys an AI tool from a third party, the bank still owns the governance obligation for how that tool behaves in production.
What makes AI Governance different from earlier generations of model risk management is the explainability requirement. Legacy scoring models could often be described with a weight table. Modern machine learning systems can't. Regulators and courts now expect financial institutions to produce a full decision explanation for consequential outputs: why a Suspicious Activity Report (SAR) was filed, why a credit application was declined, why an account was flagged for enhanced review. In US consumer credit this is already written into the rules: Regulation B, which implements the Equal Credit Opportunity Act, requires adverse action notices to state the specific principal reasons for a denial, and the CFPB (Circular 2022-03) has stated that the complexity of the model used is no excuse for failing to provide them. "The algorithm said so" isn't an acceptable answer to an examiner or a court.
The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is voluntary, but it defines the four core functions that practitioners now use as shared vocabulary: GOVERN, MAP, MEASURE, and MANAGE. GOVERN is the cross-cutting, foundational function. It calls for policies, roles, and accountability chains to be in place before any AI system goes into production. The full framework is available at https://airc.nist.gov/RMF.
A concrete example: a mid-sized US bank deploying an AI fraud detection system. Under sound AI Governance, the bank would run a pre-deployment validation, assign a model owner accountable for ongoing performance, set monitoring thresholds that trigger a mandatory review, and document the escalation path if the system begins to degrade. Without those structures, the system runs uncontrolled. That's not a hypothetical failure mode; it's the pattern examiners find when they ask for model inventories and get spreadsheets with half the columns blank.
How is AI Governance used in practice?
Compliance and risk teams operationalize AI Governance through three core processes: model inventory management, review committee governance, and ongoing performance monitoring.
The model inventory is the foundation. Every AI system in production, from the fraud scoring engine to the automated Customer Due Diligence (CDD) platform, gets a record: version, owner, purpose, data inputs, validation date, last performance review, and the name of the person accountable for it. OCC examiners have cited banks for incomplete inventories in recent exam cycles. The inventory needs to reflect reality, not aspiration.
Model review committees are the governance gate before deployment. A typical committee includes the model developer, an independent validator who had no role in building it, a compliance representative, and a business owner. They review the validation report, the bias assessment, and documentation of how the model handles edge cases. The committee approves, rejects, or approves with conditions. The written record of that decision goes in the audit file and stays there.
Ongoing monitoring is where many programs break down. A model that performs well at launch can drift. Transaction patterns shift after fraud typologies change. A system trained in 2022 may not handle patterns that emerged in 2024. AI Governance requires concrete thresholds: if recall drops below a defined rate or false positives rise above a defined ceiling, the governance process triggers a mandatory review, not a meeting.
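The threshold logic described above, as an added example that is not part of the original page: it computes recall and false-positive rate over a window of adjudicated cases and returns a governance action rather than a metric, so the output can be routed straight to the model owner's review queue. The outcome records, threshold values, model identifiers and the make_window helper are constructed for illustration and are not drawn from any real institution. Two failure modes the paragraph implies are handled explicitly: a window too small to judge, and a window with no confirmed cases at all, which usually means the label feed is broken rather than that the model is perfect.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Outcome:
    """One adjudicated case from the monitoring window (constructed for this example)."""
    alerted: bool     # the model raised an alert on this case
    confirmed: bool   # analyst adjudication or later loss data confirmed reportable activity


@dataclass(frozen=True)
class Thresholds:
    """Governance thresholds the model owner signs off on before deployment (assumed values)."""
    min_recall: float   # floor: below this, a mandatory review is triggered
    max_fpr: float      # ceiling on the false-positive rate
    min_samples: int    # windows smaller than this are too noisy to act on


def window_metrics(outcomes):
    """Confusion counts, recall and false-positive rate for one monitoring window."""
    tp = sum(1 for o in outcomes if o.alerted and o.confirmed)
    fn = sum(1 for o in outcomes if not o.alerted and o.confirmed)
    fp = sum(1 for o in outcomes if o.alerted and not o.confirmed)
    tn = sum(1 for o in outcomes if not o.alerted and not o.confirmed)
    recall = tp / (tp + fn) if (tp + fn) else None   # None: no confirmed cases in window
    fpr = fp / (fp + tn) if (fp + tn) else None       # None: no clean cases in window
    return {"n": len(outcomes), "tp": tp, "fn": fn, "fp": fp, "tn": tn,
            "recall": recall, "fpr": fpr}


def evaluate_window(model_id, outcomes, thresholds):
    """Turn window metrics into a governance action: continue, mandatory review, or hold."""
    m = window_metrics(outcomes)
    if m["n"] < thresholds.min_samples:
        # Not enough adjudicated cases to judge; do not trigger on noise.
        return {"model_id": model_id, "action": "insufficient_data",
                "breaches": [], "metrics": m}
    breaches = []
    if m["recall"] is None:
        # Zero confirmed cases in a fraud window is a label-pipeline problem, not good news.
        breaches.append("no confirmed cases in window; check the adjudication feed")
    elif m["recall"] < thresholds.min_recall:
        breaches.append(f"recall {m['recall']:.3f} < floor {thresholds.min_recall}")
    if m["fpr"] is not None and m["fpr"] > thresholds.max_fpr:
        breaches.append(f"fpr {m['fpr']:.3f} > ceiling {thresholds.max_fpr}")
    action = "mandatory_review" if breaches else "continue_monitoring"
    return {"model_id": model_id, "action": action, "breaches": breaches, "metrics": m}


def make_window(tp, fn, fp, tn):
    """Build a constructed window with the given confusion counts (test data only)."""
    return ([Outcome(True, True)] * tp + [Outcome(False, True)] * fn
            + [Outcome(True, False)] * fp + [Outcome(False, False)] * tn)


if __name__ == "__main__":
    limits = Thresholds(min_recall=0.80, max_fpr=0.10, min_samples=50)
    for label, window in [("healthy", make_window(9, 1, 5, 85)),
                          ("recall_drift", make_window(6, 4, 5, 85)),
                          ("fp_spike", make_window(9, 1, 12, 78)),
                          ("tiny", make_window(2, 1, 1, 6)),
                          ("no_labels", make_window(0, 0, 5, 95))]:
        result = evaluate_window("fraud-scoring-example", window, limits)
        print(label, result["action"], result["breaches"])
```

The thresholds belong in the model's inventory record alongside the owner's name, so that the examiner can see both the number and who agreed to it; the action string is what the escalation path keys on.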
The Three Lines of Defense model applies directly here. The first line (business units) owns the model and monitors daily performance. The second line (risk and compliance) sets governance standards and reviews adherence. The third line (internal audit) independently tests whether those controls are actually working: whether model inventories are complete and current, whether validations were genuinely independent, and whether monitoring alerts are being acted on rather than closed without investigation.
We've seen banks with well-written governance policies that fail on the third line because nobody checked whether the policy was being followed. The documentation and the operational reality need to match.
AI Governance in regulatory context
The regulatory baseline for AI Governance in US banking is SR 11-7 / OCC 2011-12, the joint model risk management guidance from the Federal Reserve and OCC. Published in 2011, it predates modern machine learning, but regulators have consistently applied it to AI systems since. It requires model inventory, independent validation, ongoing monitoring, and clear ownership. Banks that ignore these requirements for AI tools face supervisory action under this framework now, regardless of whether specific AI legislation applies. The full text is at https://www.federalreserve.gov/supervisionreg/srletters/sr1107.htm.
The EU AI Act (Regulation (EU) 2024/1689) entered into force in August 2024, with its obligations phasing in over the following years; the high-risk rules apply from August 2026. Annex III lists AI used to evaluate the creditworthiness of natural persons or to establish their credit score as high-risk, and it explicitly excludes AI used to detect financial fraud from that item. Remote biometric identification is likewise high-risk, while biometric verification whose sole purpose is to confirm that a person is who they claim to be is not. A high-risk classification triggers conformity assessment, human oversight provisions, and registration in the EU database maintained by the Commission before the system is placed on the market or put into service. For banks operating in EU jurisdictions, this is a hard legal obligation with enforcement authority, and the fraud-detection carve-out does not remove the SR 11-7-style governance expectations that apply to those systems anyway.
The Financial Action Task Force (FATF) addressed AI in its 2021 report on opportunities and challenges of new technologies for AML/CFT. FATF's position is direct: AI tools used in transaction monitoring must be explainable, must demonstrate outputs consistent with the institution's risk-based approach, and must not create new compliance gaps. A system that cuts false positive rates by 40% but simultaneously reduces detection of high-risk typologies has failed the governance test regardless of its headline performance metric.
In the UK, the FCA and PRA published a joint discussion paper (DP5/22) in 2022 calling for AI governance standards that address model explainability, fairness, and accountability. The FCA has stated that financial institutions bear full regulatory responsibility for any AI system they deploy, whether built internally or purchased from a vendor. That principle applies equally to the model the bank trained and the vendor tool the bank licensed.
The practical signal: AI Governance isn't a future obligation. Exam findings from 2023 and 2024 show examiners requesting AI inventories, validation records, and bias assessments in standard bank reviews, not as special AI-focused exams. The expectation is current.
Common challenges and how to address them
The three most consistent AI Governance failures are incomplete model inventories, shadow AI, and validation that isn't genuinely independent in practice.
Incomplete inventories happen because AI deployment outpaces governance. A business unit buys an AI tool, integrates it into a workflow, and the model risk or compliance team finds out during an audit. The fix is requiring IT procurement to flag any AI system purchase to the model risk team before contract execution. This adds time to vendor onboarding. The alternative is discovering deployed, unreviewed systems during an exam, which is more expensive.
Shadow AI is harder to eliminate. Teams build or use AI tools outside the formal governance process: a fraud analyst uses an AI summarization tool to draft SAR narrative sections, or a Know Your Business (KYB) team uses a third-party AI enrichment service without a formal vendor review. These systems are in production, making consequential decisions, with no inventory record and no validation. The answer is a clear policy with real enforcement consequences and a reporting culture where teams flag new tools rather than avoid disclosure.
Validation theater is when independent validation is nominally independent but practically captured. The validator sits on the same team as the developer, reviews the model in a day without substantive challenge, and signs off. Examiners detect this by examining the depth of the validation report. Real independence produces written documentation of limitations and conditions, not just confirmation that the model produces expected outputs.
The explainability requirement is a persistent pressure point for teams using complex models in transaction monitoring or review workflows. If the system can't generate a readable decision rationale that a compliance officer, a court, or a regulator can evaluate, the governance program has a gap. Identifying and addressing that gap before an exam is significantly less costly than addressing it after a finding is issued.
Related terms and concepts
AI Governance connects directly to Model Risk Management (MRM), the older discipline it evolved from. The distinction matters in practice. Model risk management focuses on whether a specific model is accurate and stable. AI Governance adds fairness, explainability, lifecycle accountability, and the legal consequences of AI decisions at an institutional level. Most banks now run both frameworks under a unified policy, but they need separate ownership: model risk management typically sits within the risk function, while AI Governance policy often sits in compliance or a dedicated AI ethics function with board-level visibility.
Model Validation is the technical process within AI Governance that tests whether a model does what it claims. An independent validator runs the model on data it hasn't encountered before, tests for overfitting, runs sensitivity analysis, and documents limitations. For AI systems in regulated contexts, that validation report is a primary document examiners request on day one of a review.
AI Bias and Fair Lending sit directly within the AI Governance framework for banks. A fraud detection or credit scoring model that produces disparate outcomes for a protected class creates legal exposure under the Equal Credit Opportunity Act and Fair Housing Act, independent of intent. Governance programs must test for this before deployment and monitor for it continuously in production. That's an existing legal obligation, not a future standard.
AI Risk Management is the operational counterpart to AI Governance. Where governance defines rules and structures, risk management identifies, measures, and controls the specific risks that AI systems create: operational risk if a model fails mid-process, legal risk if outputs can't be explained in litigation, reputational risk if a model produces discriminatory outcomes at scale.
The Audit Trail is the tangible output of AI Governance in production. Every decision the AI system makes, every alert it generates, every parameter change across its lifecycle needs a tamper-evident, retrievable record: append-only storage, a record-to-record integrity check such as a hash chain, and a chain head anchored somewhere the writers of the log cannot rewrite. Without that record, governance is a policy document without a control. Regulators, courts, and internal auditors all require it, and they require it to be complete.
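One way to build the tamper-evident record described above, as an added example that is not part of the original page or any vendor product: an append-only log where each record carries the SHA-256 of its predecessor, so that editing or reordering any earlier record breaks every hash after it. The event types, model identifiers, actors, timestamps and payloads in build_sample_trail are constructed for illustration. The verify function takes an optional expected head so the caveat from the paragraph is visible in code: without an externally anchored head, silently dropping the most recent records leaves a chain that still verifies.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64   # prev_hash of the first record in an empty trail


def canonical_bytes(obj):
    """Canonical JSON (sorted keys, no whitespace) so a record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only, hash-chained log of model decisions, alerts and parameter changes."""

    def __init__(self):
        self.records = []

    def append(self, event, model_id, model_version, actor, ts, payload):
        """Append one record; its hash covers the whole body including the previous hash."""
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        body = {
            "seq": len(self.records),
            "ts": ts,                     # caller-supplied ISO timestamp, kept explicit
            "event": event,               # e.g. decision, alert, parameter_change
            "model_id": model_id,
            "model_version": model_version,
            "actor": actor,               # service account or person who caused the event
            "payload": payload,
            "prev_hash": prev_hash,
        }
        record = dict(body, hash=hashlib.sha256(canonical_bytes(body)).hexdigest())
        self.records.append(record)
        return record["hash"]

    def head(self):
        """Current chain head; this is the value to anchor externally (WORM store, signer)."""
        return self.records[-1]["hash"] if self.records else GENESIS_HASH

    def verify(self, expected_head=None):
        """Return (ok, index): ok=False and the first bad index, or ok=True and the record count."""
        prev_hash = GENESIS_HASH
        for i, record in enumerate(self.records):
            body = {k: v for k, v in record.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev_hash") != prev_hash:
                return (False, i)        # reordered, inserted, or relinked record
            if hashlib.sha256(canonical_bytes(body)).hexdigest() != record["hash"]:
                return (False, i)        # content of this record was modified
            prev_hash = record["hash"]
        if expected_head is not None and prev_hash != expected_head:
            return (False, len(self.records))   # trailing records dropped or replaced
        return (True, len(self.records))


def build_sample_trail():
    """Constructed sample: a scoring decision, the resulting alert, then a threshold change."""
    trail = AuditTrail()
    trail.append("decision", "fraud-scoring-example", "3.2.0", "svc:scoring",
                 "2024-05-01T10:00:00Z", {"txn": "T-1001", "score": 0.91, "outcome": "alert"})
    trail.append("alert", "fraud-scoring-example", "3.2.0", "svc:case-mgmt",
                 "2024-05-01T10:00:02Z", {"txn": "T-1001", "case": "C-7", "queue": "L1"})
    trail.append("parameter_change", "fraud-scoring-example", "3.2.0", "user:model-owner",
                 "2024-05-02T09:15:00Z", {"param": "alert_threshold", "old": 0.85, "new": 0.80,
                                          "approval": "MRC-2024-018"})
    return trail


if __name__ == "__main__":
    trail = build_sample_trail()
    anchored_head = trail.head()
    print("intact:", trail.verify(expected_head=anchored_head))
    trail.records[1]["payload"]["queue"] = "closed"          # simulate an edit to the alert record
    print("after edit:", trail.verify(expected_head=anchored_head))
```

The chain makes modification detectable but not prevention; the control is only as strong as the anchoring of head(), which belongs in write-once storage or a signed checkpoint outside the control of whoever can write the log.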
Where does the term come from?
The term "AI governance" appears in academic literature from the early 2010s, but it became operational compliance language after two regulatory milestones. The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, gave practitioners a structured vocabulary: GOVERN, MAP, MEASURE, and MANAGE. The EU AI Act, entering into force August 2024, converted governance concepts into legal obligations with supervisory enforcement. Before these frameworks, the underlying obligations existed under model risk management guidance: the Federal Reserve and OCC's SR 11-7 (2011) required inventory, validation, and ongoing monitoring for any quantitative model. "AI Governance" consolidated and extended those requirements to cover explainability, bias mitigation, and lifecycle accountability.
How FluxForce handles AI Governance
FluxForce AI agents monitor AI Governance-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.