Bank Regulators Now Probe AI Use in Every Routine Examination

Federal Banking Oversight Expands to Cover AI Deployment

U.S. banking regulators have integrated artificial intelligence oversight into every routine examination of financial institutions, marking a significant expansion of supervisory scrutiny even as formal AI-specific rules remain unwritten.

Both the Office of the Comptroller of the Currency (OCC) and the Federal Reserve now treat AI as a standing topic in bank reviews, according to Reuters, which cited three people familiar with the process. No examination proceeds without some discussion of how the institution deploys the technology, particularly in higher-risk functions such as lending decisions, customer identity verification, and sanctions screening.

What Regulators Are Asking

Examiners are pressing banks to explain their AI governance frameworks in detail. Institutions must describe what technical constraints limit model behavior, how human oversight is structured, and whether emergency shutdown mechanisms—often called kill switches—exist to disable systems when problems emerge. Banks are also required to identify which personnel have authority to intervene during a system failure and to produce documented contingency plans.

Vendor risk has become a central focus. Regulators want to know whether the third-party AI suppliers banks contract with, and the subcontractors those vendors use, meet governance and security standards comparable to what banks themselves face. Institutions must also demonstrate they have plans to disengage from a vendor whose system is compromised.

Another area drawing attention is data boundary enforcement—whether AI tools are accessing or drawing inferences from information they were never authorized to use. This risk is amplified by the way machine learning models synthesize data from multiple sources, raising concerns about privacy and regulatory compliance.

Why It Matters

This shift represents a fundamental change in how banking supervision addresses emerging technology. Rather than waiting for Congress or agencies to write new AI-specific regulations, examiners are adapting existing frameworks for model risk, vendor management, and consumer protection to evaluate AI deployments. The approach gives regulators immediate visibility into how banks are using the technology while allowing flexibility as the field evolves—but it also creates uncertainty for institutions trying to understand what standards they will ultimately be held to.

No Formal Rules Yet

The three federal banking regulators—the OCC, Federal Reserve, and FDIC—issued updated model risk management guidance on April 17, 2026, clarifying that practices should be tailored to a bank's size and complexity. The guidance does not establish enforceable standards, and non-compliance will not trigger supervisory criticism. Notably, the OCC stated that generative AI and agentic AI models fall outside the scope of this guidance, and the agencies plan to issue a separate request for information on those technologies.

Federal Reserve Vice Chair for Supervision Michelle Bowman acknowledged the challenge in a May speech. "Today, banks are relying on existing risk-management frameworks to guide their use of AI," Bowman said. "While these supervisory tools are intended to support banks in applying sound governance and risk management, we should assess whether our supervisory guidance is fit for the future."

The urgency of that assessment is underscored by the pace of adoption. JPMorgan Chase, the largest U.S. bank by assets, plans to deploy autonomous AI agents capable of operating without human intervention for hours at a time later this year.

These details were first reported by Reuters.