AI Governance Glossary

The Language of AI Governance

The terms a community bank leader needs to read a vendor contract, answer an examiner, and brief a board — defined in plain English.

A working reference for the AI governance, model risk, and regulatory vocabulary shaping community banking. For the full framework behind these terms, see the Handbook and the Toolkit.

A

Adversarial Attack

A deliberately engineered input designed to make an AI model produce an incorrect output — for example, structuring a transaction to slip past a fraud model. Adversarial risk is a reason AI systems need monitoring for manipulation, not just for accuracy.

Adverse Action Notice

A disclosure a lender must provide when it denies credit, or offers less favorable terms, explaining the principal reasons for the decision. When an AI or machine-learning model informs that decision, the institution remains responsible for giving specific, accurate reasons — which is why explainability and documentation matter long before a denial is ever issued.

Adverse Impact Ratio (AIR) / Four-Fifths Rule

A fairness statistic comparing the favorable-outcome rate (e.g., loan approval) for a protected group against the rate for the most-favored group; a ratio below 0.80 — the "four-fifths rule" — is a long-standing flag for potential disparate impact. For a community bank, the AIR is the number a validator or examiner is most likely to cite when testing an AI lending model; note that since the April 2026 removal of disparate impact from Regulation B, the exposure such testing addresses now runs primarily through the Fair Housing Act, state fair-lending laws, and reputational risk rather than ECOA.
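The arithmetic behind the four-fifths rule, as an added example that is not part of the glossary: for each group the script computes the favorable-outcome rate (approvals divided by applicants), divides it by the rate of the most-favored group, and flags any ratio below the 0.80 threshold described above. The applicant decisions are constructed sample data and the group labels are placeholders, not real protected-class categories.

```python
"""Adverse Impact Ratio (AIR) / four-fifths rule check.

Added example, not part of the glossary. For each group it computes the
favorable-outcome rate (approvals / applicants), divides that by the rate
of the most-favored group, and flags any ratio below the 0.80 threshold
the page describes. The applicant decisions are constructed sample data;
group labels are placeholders, not real protected-class categories.
"""
from collections import defaultdict
from fractions import Fraction

FOUR_FIFTHS = 0.80


def group_counts(decisions):
    """Tally (approved, total) per group from (group, approved) pairs."""
    counts = defaultdict(lambda: [0, 0])
    for group, approved in decisions:
        counts[group][1] += 1
        if approved:
            counts[group][0] += 1
    return {g: (a, t) for g, (a, t) in counts.items()}


def adverse_impact_ratios(decisions, threshold=FOUR_FIFTHS):
    """Return (reference_group, {group: summary}) with rate, AIR and a flag per group."""
    counts = group_counts(decisions)
    if not counts:
        raise ValueError("no decisions to test")
    # Most-favored group: highest approval rate, compared as exact fractions.
    reference = max(counts, key=lambda g: Fraction(counts[g][0], counts[g][1]))
    ref_approved, ref_total = counts[reference]
    report = {}
    for group, (approved, total) in counts.items():
        if ref_approved == 0:
            air = 1.0  # no approvals anywhere: there is no disparity to measure
        else:
            # AIR = rate_group / rate_reference, formed from integer counts so that
            # 6/10 against 8/10 yields exactly 0.75 rather than a rounding artifact.
            air = (approved * ref_total) / (total * ref_approved)
        report[group] = {
            "approved": approved,
            "total": total,
            "rate": approved / total,
            "air": air,
            "flagged": air < threshold,
        }
    return reference, report


# Constructed sample: 10 applicants per group with 8, 6 and 7 approvals respectively.
SAMPLE_DECISIONS = (
    [("group_a", i < 8) for i in range(10)]
    + [("group_b", i < 6) for i in range(10)]
    + [("group_c", i < 7) for i in range(10)]
)

if __name__ == "__main__":
    reference, report = adverse_impact_ratios(SAMPLE_DECISIONS)
    print(f"most-favored group: {reference}")
    for group, summary in sorted(report.items()):
        status = "FLAG" if summary["flagged"] else "ok"
        print(f"{group}: rate={summary['rate']:.2f} AIR={summary['air']:.3f} {status}")
```

On the constructed sample, group_b approves 6 of 10 against the reference group's 8 of 10, an AIR of 0.75, and is flagged; group_c at 7 of 10 gives 0.875 and passes. A validator would run the same tally on the model's actual decision log, typically with a minimum group size before a flag is treated as meaningful.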

Agentic AI

AI systems that can plan, reason, and carry out multi-step tasks with limited human intervention — researching a borrower, assembling a credit package, drafting a recommendation, and routing it for approval. Agentic AI is the next frontier for community banks and the hardest to govern, because it reduces the number of points at which a human can step in; the guardrails, oversight, and kill switches have to be designed in before deployment, not added after something goes wrong.

AI Agent

An AI system, typically built on a foundation model, that can plan and take actions on its own by calling tools, APIs, or other systems to accomplish a goal — not just answer a question. For a community bank, AI agents are arriving inside vendor platforms now, and because they act rather than merely advise, they need to be scoped, permissioned, and governed separately from chatbots.

AI Audit (Algorithmic Auditing)

A formal, often independent inspection of an AI system's design, data, performance, and controls to confirm it works as intended and complies with policy and law. For a community bank, AI audit is the third line of defense's evolving role — the independent assurance that governance is not just documented but actually working.

AI Governance

The framework of policies, roles, controls, and oversight an institution uses to manage how artificial intelligence is selected, deployed, monitored, and retired. For a community bank, AI governance connects board accountability, committee structure, risk assessment, and vendor oversight into a single program a regulator can examine and a board can stand behind.

AI Governance Committee

A cross-functional body — typically spanning risk, compliance, IT, and lending — that owns the day-to-day governance of AI systems and reports to a board-level risk committee. Its charter defines membership, meeting cadence, decision authority, and the reporting line that carries AI risk up to the board.

AI Incident

Any failure, bias event, security breach, or unexpected behavior of an AI system that requires escalation and response. Defining incident categories and response steps in advance is what makes a bank's reaction fast and consistent instead of improvised. (Toolkit: AI Incident Response Policy.)

AI Inventory

A maintained record of every AI and machine-learning system in use across the institution — tools built in-house, AI the bank knowingly licensed, and AI features that arrived through vendor upgrades. Each entry captures business purpose, owner, risk tier, and validation status. The inventory is the foundation the rest of the program depends on.

AI Policy

The governing document that sets the rules for how an institution may and may not use artificial intelligence — acceptable use, approval paths, prohibited uses, and accountability. A workable policy is short enough to be followed and specific enough to guide real decisions about new tools and vendors.

AI Risk Assessment

The structured evaluation of an AI system to determine the risk it poses, based on the materiality of the decisions it informs, the data it uses, and its potential for harm. The result is a risk tier — Minimal, Moderate, High, or Critical — that drives how much governance, validation, and monitoring the system requires.

AI Supply Chain

The full chain of components behind an AI tool — the foundation model, training data, cloud infrastructure, and downstream vendors — any of which the bank may not directly control. For a community bank, AI supply-chain risk means a weakness or change several layers below your vendor can still reach your customers, which is why due diligence has to ask what sits underneath the product.

Algorithm

A set of rules or instructions a computer follows to solve a problem or make a decision. Algorithms range from simple, fully transparent logic to complex machine-learning models; the more consequential and opaque the algorithm, the more governance it warrants.

Algorithmic Bias

Systematic, unfair differences in a model's outputs across groups of people, often arising from biased training data or proxy variables rather than explicit intent. In banking, algorithmic bias is a fair-lending concern because a model can produce disparate outcomes even when protected characteristics are never used as inputs.

Artificial Intelligence (AI)

Technology that enables computers to perform tasks that traditionally required human judgment, pattern recognition, or decision-making. In banking the term is deliberately broad — spanning machine learning, robotic process automation, natural language processing, and generative AI — because effective governance has to cover all of it, including the AI a bank never consciously chose to adopt.

Automation Bias

The human tendency to over-trust an automated system's recommendation and stop applying independent judgment — accepting an AI output even when other information contradicts it. For a community bank, automation bias is the quiet failure mode that hollows out a "human in the loop" control: the human is present but no longer truly deciding.

B

Backtesting

Running a model against historical data with known outcomes to evaluate how well it would have performed. Backtesting is a standard validation technique and a practical way to challenge a vendor's performance claims before a model goes live.

Black-Box Model

A model whose internal logic cannot be readily inspected or explained, common with complex machine-learning and AI systems. Opacity does not make a model unusable, but it raises the bar on validation and monitoring: the institution must document what it cannot fully explain, justify the residual risk, and put compensating controls in place.

Board Oversight

The board of directors' responsibility to govern AI risk — approving the governance framework, receiving regular reporting on the institution's AI risk posture, and documenting that oversight in the minutes. Under current guidance, board engagement with AI is explicit rather than implied.

C

CFPB Circular

A policy guidance document the Consumer Financial Protection Bureau uses to explain how it interprets and enforces existing consumer-financial law. For a community bank, CFPB circulars are how the Bureau signaled its AI expectations — notably that a bank cannot use a complex or "black-box" model as an excuse for failing to give specific, accurate adverse-action reasons (Circulars 2022-03 and 2023-03; 2022-03 was later withdrawn in May 2025, though the underlying ECOA/Reg B notice requirements remain).

Concentration Risk

The risk that comes from relying heavily on a single vendor, model, or platform whose failure or disruption could materially affect the bank. In AI governance it usually shows up as dependency on one AI vendor or cloud provider, and it is a reason to plan contingencies before they're needed.

Concept Drift

The gradual decline in a model's accuracy as the real-world patterns it was trained on change over time (also referred to as model drift). Drift is the reason validation is not a one-time event: a model that performed well at deployment can degrade quietly, which is why ongoing monitoring with predefined thresholds is expected.

Conceptual Soundness

A core model-validation activity that asks whether a model's underlying theory, method, assumptions, and variable choices are appropriate for its intended use — the "does this model make sense at all?" check. For a community bank relying on a vendor's AI model, conceptual soundness is the review that should happen before the model is ever trusted with real decisions, and it remains an expectation under the 2026 model-risk guidance.

Content Provenance

The ability to verify where a piece of digital content came from and whether it has been altered, often through cryptographic signing or embedded metadata standards. For a community bank, content provenance is an emerging defense against deepfakes and synthetic documents — a way to check that an image, video, or file is what it claims to be.

Contestability (Right to Appeal)

The principle that a person affected by an automated decision can challenge it and obtain meaningful human review. For a community bank, contestability is both a fairness expectation and a practical complaint-management safeguard for AI-influenced denials — and it is increasingly written into state automated-decision laws.

D

Data Governance

The policies, roles, and standards that define how an organization's data is owned, classified, secured, and kept accurate across its lifecycle. For a community bank, data governance is the foundation AI sits on: models are only as trustworthy as the data feeding them, and clear ownership and classification are what let the bank decide which data may be used for AI at all.

Data Lineage

The documented trail of data from its source, through any transformations, to its use in an AI system. Clear lineage is what lets a bank answer where a model's inputs came from and whether they can be trusted — a question examiners and validators both ask.

Data Loss Prevention (DLP)

Technology and processes that detect and block the unauthorized movement of sensitive data outside the organization — including customer data being pasted into an external AI tool. DLP is one of the primary technical controls a bank uses to contain shadow AI.

Data Minimization

The privacy principle of collecting and retaining only the personal data actually needed for a defined purpose, and no more. For a community bank, data minimization is a core control on AI: it limits how much customer data can be exposed if an AI tool is misused or breached, and it prevents loan or servicing data from quietly being repurposed as model training data.

Data Poisoning

The deliberate corruption of the data used to train an AI model, so that it learns incorrect patterns or hidden malicious behaviors. The risk is greatest when models are retrained on data the bank does not fully control, including some vendor and open-source pipelines.

Data Readiness

How prepared a bank's data is to support reliable AI, measured across completeness, accuracy, consistency, timeliness, accessibility, and governance. The principle behind it is blunt — dirty data produces dirty AI — and no governance framework can fix outputs built on a fragmented data foundation. (Toolkit: Data Readiness Scorecard.)

Deepfake

Synthetic image, video, audio, or document content generated by AI to convincingly imitate a real person or artifact. For a community bank, deepfakes are now a front-line fraud vector — used to defeat identity verification, impersonate executives in payment-authorization scams, and fabricate supporting documents — and were the subject of a 2024 FinCEN alert.

Disparate Impact

The effect produced when a neutral practice or model nonetheless yields a significantly worse outcome for a protected class, with no need to show discriminatory intent. In lending, the doctrine's reach narrowed when the April 2026 CFPB rule removed disparate impact from Regulation B and ECOA — but the exposure persists through the Fair Housing Act, state fair-lending laws, and reputational and safety-and-soundness risk, which keeps bias testing of AI-driven decisions a core practice.

E

Effective Challenge

The informed, constructive questioning of an AI system's assumptions, methods, and results by people with enough knowledge, authority, and independence to push back. Effective challenge is what separates a governance committee that genuinely oversees AI from one that merely rubber-stamps it, and examiners look for evidence that it actually happens.

Excessive Agency

The risk — named in the OWASP Top 10 for LLM Applications — that an AI system is given more autonomy, permissions, or tool access than its task requires, so that a single error or manipulation can cause real damage. For a community bank deploying AI agents, excessive agency is the central control gap; the fix is least-privilege access plus human approval for consequential actions.
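The two controls named above, least-privilege tool access and human approval for consequential actions, as an added example that is not code from the glossary or from any vendor platform. Each agent may call only the tools in its approved scope, a consequential tool call is held until a human grants a single-use approval, and a halt flag plays the role of the kill switch for the whole gate. The agent names, tool names and approval ids are constructed for illustration.

```python
"""Least-privilege action gate for an AI agent.

Added example, not code from the glossary or any vendor platform. Each
agent may call only the tools in its approved scope; consequential tools
need a single-use human approval before they run; a halt flag stands in
for the kill switch. Agent names, tool names and approval ids are
constructed for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    NEEDS_APPROVAL = "needs_approval"
    DENY = "deny"


@dataclass
class ActionGate:
    scopes: dict                                   # agent name -> frozenset of tools it may call
    consequential: frozenset                       # tools that commit the bank to something
    approvals: set = field(default_factory=set)    # single-use approval ids granted by a human
    halted: bool = False                           # kill switch
    log: list = field(default_factory=list)        # every request, allowed or not

    def approve(self, approval_id):
        """Record that a human approved one specific consequential action."""
        self.approvals.add(approval_id)

    def halt(self):
        """Kill switch: refuse every further action until the gate is reset."""
        self.halted = True

    def check(self, agent, tool, approval_id=None):
        """Decide whether `agent` may call `tool` now, and log the outcome."""
        if self.halted:
            decision, reason = Decision.DENY, "kill switch engaged"
        elif tool not in self.scopes.get(agent, frozenset()):
            # Unknown agents and out-of-scope tools are both refused.
            decision, reason = Decision.DENY, "tool outside agent's approved scope"
        elif tool in self.consequential:
            if approval_id in self.approvals:
                self.approvals.discard(approval_id)  # one approval covers exactly one action
                decision, reason = Decision.ALLOW, f"human approval {approval_id} consumed"
            else:
                decision, reason = Decision.NEEDS_APPROVAL, "consequential action awaiting human approval"
        else:
            decision, reason = Decision.ALLOW, "within scope, not consequential"
        self.log.append((agent, tool, decision.value, reason))
        return decision


def build_demo_gate():
    """Constructed scopes: a credit-packaging agent and a branch FAQ bot."""
    return ActionGate(
        scopes={
            "credit_packager": frozenset({"fetch_credit_report", "draft_memo", "submit_credit_decision"}),
            "branch_faq_bot": frozenset({"lookup_branch_hours"}),
        },
        consequential=frozenset({"submit_credit_decision", "initiate_wire"}),
    )


if __name__ == "__main__":
    gate = build_demo_gate()
    gate.check("branch_faq_bot", "initiate_wire")                        # deny: not in scope
    gate.check("credit_packager", "submit_credit_decision")              # held for approval
    gate.approve("apr-0001")
    gate.check("credit_packager", "submit_credit_decision", "apr-0001")  # allowed, approval consumed
    for entry in gate.log:
        print(entry)
```

The log is the artifact a validator or examiner would ask for: it records every attempted action, including the ones the gate refused, so scope creep and repeated approval requests are visible without relying on the agent's own account of what it did.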

Explainability

The degree to which a model's outputs can be understood and communicated in human terms; also called explainable AI, or XAI. Explainability supports adverse action notices, model validation, examiner questions, and board reporting — it is the practical answer to the governance challenge posed by opaque models.

F

Fair Lending

The body of law and supervisory expectation requiring that credit decisions not discriminate against protected classes, anchored by the Equal Credit Opportunity Act and the Fair Housing Act. Disparate-treatment protections under ECOA remain in force; since the April 2026 removal of disparate impact from Regulation B, disparate-impact exposure now runs primarily through the Fair Housing Act, state law, and reputational risk. As AI enters underwriting, pricing, and marketing, fair-lending review extends to the models themselves and the outcomes they produce.

False Positive

A case an AI system flags as problematic that turns out, on review, to be legitimate — a valid transaction declined as fraud, or a normal transfer flagged as suspicious. Managing false-positive rates is central to fraud and BSA/AML model governance, because too many erode both staff trust and customer experience.

Foundation Model

A large, general-purpose AI model trained on broad data that is then adapted to many downstream tasks; most generative AI tools are built on one. A community bank rarely licenses a foundation model directly, but nearly every AI vendor product sits on top of one — which makes the underlying model a source of concentration and supply-chain risk the bank should understand.

G

Generative AI

AI systems that produce new content — text, images, code, or audio — in response to prompts, typically built on large language models. In community banking, generative AI shows up in drafting, summarization, customer service, and vendor features, each carrying its own governance, accuracy, and data-handling considerations.

GLBA (Gramm-Leach-Bliley Act)

The 1999 federal law governing how financial institutions collect, share, and protect customers' nonpublic personal information, implemented chiefly through its Privacy Rule and Safeguards Rule. For a community bank, GLBA is the baseline privacy and data-security obligation that any AI use touching customer data must satisfy — it is the reason customer NPI cannot be fed into an unapproved tool.

Guardrails

Technical and policy controls that constrain what an AI system can accept as input or produce as output — blocking disallowed prompts, filtering unsafe responses, and keeping a tool inside its approved purpose. For a community bank, guardrails are the practical test of whether a vendor's AI tool can actually enforce your policies in production, rather than relying on staff to use it correctly.

H

Hallucination

A confident but incorrect or fabricated output from a generative AI system. Because hallucinations are delivered in the same fluent tone as accurate answers, any use of generative AI in a regulated process calls for human review and controls proportionate to the stakes of the decision.

Human-in-the-Loop

A system design in which a person reviews, validates, or can override an AI decision before it takes effect. Human-in-the-loop control is a core safeguard for higher-risk use cases, and the safeguard that agentic AI most directly challenges.

Human-on-the-Loop

A control model in which a person supervises an AI system's operation and can intervene, but does not review every individual decision — oversight of the process rather than approval of each output. For a community bank, human-on-the-loop suits higher-volume, lower-stakes automation, while higher-risk decisions still call for a human in the loop on each one; knowing which model applies is a core design choice.

I

ISO/IEC 42001

The first certifiable international standard for an AI management system, published in December 2023. It sets requirements for establishing, operating, and continually improving AI governance across an organization — the AI counterpart to better-known standards like ISO 27001 for information security. For a community bank, ISO/IEC 42001 is most useful as a signal in vendor due diligence: a vendor certified to it has had its AI governance independently audited, which is stronger assurance than a self-attestation. It is not a standard a community bank is expected to adopt or certify to itself.

K

Key Performance Indicator (KPI)

A measurable metric used to track an AI system's performance and risk over time. KPIs are the backbone of ongoing monitoring; defining them — and the thresholds that trigger escalation — before deployment is what makes monitoring meaningful.

Kill Switch

A mechanism for immediately halting an AI system when it produces harmful, erroneous, or unauthorized output. Kill switches become more important as agentic AI removes the natural human checkpoints that once caught problems before they reached a customer.

L

Large Language Model (LLM)

A type of AI trained on very large text datasets to understand and generate human language. LLMs power most generative AI tools, including the assistants increasingly embedded in banking software. Their scale and opacity put explainability, data governance, and vendor oversight at the center of using them responsibly.

M

Machine Learning

A branch of AI in which systems learn patterns from data rather than following explicitly programmed rules, improving as they are exposed to more examples. Most AI relevant to banking — credit scoring, fraud detection, BSA monitoring — is built on machine learning, which places it squarely within model risk management.

Materiality

The significance of a model's risk relative to a bank's size, complexity, and risk profile. SR 26-2 uses materiality to scale oversight — high-materiality models receive full validation and senior attention, while low-materiality models can be governed more lightly. It is the mechanism that turns proportionality from a principle into a practical rule.

Model

Under supervisory guidance, a model is any quantitative method or system that processes inputs to produce an output used in a business decision. Current guidance reads this definition broadly enough to include AI and machine-learning systems, including AI embedded in third-party software.

Model Card / System Card

A standardized "nutrition label" for an AI model (or, for a deployed system, a broader system card) that documents its intended use, training data at a high level, performance, limitations, and known risks. For a community bank, a model or system card is one of the most useful concrete artifacts to request from an AI vendor during due diligence — its absence is itself a finding.

Model Change Management

The governed process for reviewing, approving, and documenting any change to a model — new data, retraining, re-tuning, or a vendor update — before it reaches production. For a community bank, this matters acutely with vendor AI: a silent model update pushed in a routine software release can change lending or fraud outcomes overnight without anyone deciding it should.

Model Documentation

The written record of how a model was developed, what data and assumptions it relies on, how it was tested, and how it should be operated and monitored. For a community bank, model documentation is what makes a model reviewable, validatable, and defensible to an examiner — and with vendor AI, the documentation a vendor will or won't provide is itself a due-diligence signal.

Model Drift

Another name for concept drift — the gradual decline in a model's accuracy as the patterns it learned shift over time. See Concept Drift.

Model Governance

The policies, roles, and controls that govern a model across its life cycle — development, implementation, use, validation, and retirement. Model governance is the structure that keeps model risk managed deliberately, surfacing problems before they reach a decision rather than after.

Model Inventory

A central register of every model the bank uses, recording each model's owner, purpose, risk tier, and lifecycle status. It is the foundation examiners expect a model-risk program to rest on, and it is closely related to — but narrower than — an AI inventory, which also captures non-model AI such as generative tools and vendor features.

Model Lifecycle

The full set of stages a model moves through — development, validation, approval, deployment, ongoing monitoring, change management, and retirement. For a community bank, thinking in lifecycle terms is what keeps a model governed after go-live, rather than validated once and then forgotten as conditions and vendors change around it.

Model Risk

The potential for loss or harm arising from a model that is flawed, misused, or relied upon beyond its intended purpose. Model risk grows as models become more numerous, more automated, and more opaque — the trajectory AI has put nearly every institution on.

Model Risk Management (MRM)

The discipline of identifying, measuring, monitoring, and controlling the risks that models pose to an institution. For community banks, MRM has moved from a large-bank concern to a universal expectation as AI and machine learning spread through core systems. The current federal framework is set out in SR 26-2.

Model Validation

The independent review of a model to confirm it works as intended and is sound for its purpose, covering conceptual design, data, testing, and outcomes. For opaque AI models, validation shifts toward documenting limits, testing behavior, and verifying that monitoring is in place.

MRA (Matter Requiring Attention)

A written supervisory finding in which bank examiners direct management and the board to correct a deficient practice, tracked to closure by both the bank and the agency. An MRA tied to weak AI or model governance is the most common way an examiner's concern becomes a documented obligation a community bank's board must formally resolve. (The Federal Reserve's more urgent version is an MRIA — Matter Requiring Immediate Attention.)

Multimodal AI

AI that processes more than one type of data at once — text, images, audio, or video. Multimodal systems expand both what AI can do and the governance surface a bank has to cover, since each data type carries its own risks.

N

Natural Language Processing (NLP)

AI techniques that let computers understand, interpret, and generate human language. NLP underlies the chatbots, document-summarization tools, and large language models entering community banking, and it brings data-handling and accuracy questions with it.

NIST AI Risk Management Framework (AI RMF)

A voluntary framework from the National Institute of Standards and Technology (NIST AI 100-1, January 2023) for managing the risks of AI, organized around four functions: Govern, Map, Measure, and Manage. It is not a regulation, but examiners, auditors, and AI vendors increasingly treat it as a common reference point — a shared vocabulary for what good AI risk management looks like. For a community bank, the AI RMF is the framework most worth knowing by name: aligning your governance program to its four functions makes your program legible to regulators and reconcilable with the U.S. Treasury's financial-sector AI framework and with ISO/IEC 42001, both of which track the same structure.

NPI (Nonpublic Personal Information)

The category of personally identifiable financial information that the Gramm-Leach-Bliley Act protects — essentially, what a customer provides to get a financial product, plus anything resulting from that relationship. For a community bank, NPI is the precise data class that must never flow into an unapproved AI tool, and defining it clearly is what makes an AI acceptable-use policy enforceable.

O

Ongoing Monitoring

The continuous tracking of a model's performance after deployment — accuracy metrics, drift detection, and exception handling — against thresholds set in advance. Current guidance expects monitoring to be deliberate and documented, with cadence defined before problems surface.
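What "thresholds set in advance" looks like in practice, as an added example that is not from the glossary, serving the Concept Drift, Key Performance Indicator and Ongoing Monitoring entries together: one monitoring window is scored on two KPIs, accuracy against observed outcomes and drift in the model's score distribution, and the script lists every threshold breach so the escalation decision is mechanical rather than improvised. The Population Stability Index (PSI) used for drift, the threshold values and the sample windows are assumptions constructed for illustration, not figures the glossary gives.

```python
"""Ongoing-monitoring check against predefined thresholds.

Added example, not from the glossary. Scores one monitoring window on two
KPIs, accuracy on outcomes and drift in the score distribution, and
reports whether the window breaches thresholds set in advance. The PSI
drift measure, the threshold values and the sample windows are
assumptions for illustration.
"""
import bisect
import math

# Escalation thresholds, fixed before deployment (constructed values).
THRESHOLDS = {"min_accuracy": 0.85, "max_psi": 0.25}
# Fixed score bins for the PSI calculation (scores assumed to lie in [0, 1]).
SCORE_EDGES = [0.0, 0.25, 0.5, 0.75, 1.0]


def accuracy(predictions, actuals):
    """Share of predictions that matched the observed outcome."""
    if not predictions or len(predictions) != len(actuals):
        raise ValueError("need equal-length, non-empty prediction and outcome lists")
    return sum(p == a for p, a in zip(predictions, actuals)) / len(predictions)


def bin_shares(values, edges=SCORE_EDGES):
    """Fraction of values in each bin; a tiny floor keeps log() defined for empty bins."""
    if not values:
        raise ValueError("need at least one score")
    counts = [0] * (len(edges) - 1)
    for v in values:
        idx = bisect.bisect_right(edges, v) - 1
        counts[min(max(idx, 0), len(counts) - 1)] += 1
    return [max(c / len(values), 1e-6) for c in counts]


def psi(baseline_scores, recent_scores, edges=SCORE_EDGES):
    """Population Stability Index: 0 for identical distributions, larger as they diverge."""
    b, r = bin_shares(baseline_scores, edges), bin_shares(recent_scores, edges)
    return sum((ri - bi) * math.log(ri / bi) for bi, ri in zip(b, r))


def evaluate_window(predictions, actuals, baseline_scores, recent_scores, thresholds=THRESHOLDS):
    """Compare one window's KPIs to the thresholds and list every breach."""
    acc = accuracy(predictions, actuals)
    drift = psi(baseline_scores, recent_scores)
    breaches = []
    if acc < thresholds["min_accuracy"]:
        breaches.append(f"accuracy {acc:.2f} below floor {thresholds['min_accuracy']:.2f}")
    if drift > thresholds["max_psi"]:
        breaches.append(f"PSI {drift:.2f} above ceiling {thresholds['max_psi']:.2f}")
    return {"accuracy": acc, "psi": drift, "breaches": breaches, "escalate": bool(breaches)}


# Constructed sample windows: a healthy one, and one showing drift plus degraded accuracy.
BASELINE_SCORES = [0.1] * 25 + [0.3] * 25 + [0.6] * 25 + [0.9] * 25
STABLE_SCORES = list(BASELINE_SCORES)
SHIFTED_SCORES = [0.1] * 5 + [0.3] * 10 + [0.6] * 25 + [0.9] * 60
ACTUALS = [1, 0] * 10                                            # 20 observed outcomes
GOOD_PREDICTIONS = ACTUALS[:19] + [1 - ACTUALS[19]]              # 19 of 20 correct
POOR_PREDICTIONS = ACTUALS[:16] + [1 - a for a in ACTUALS[16:]]  # 16 of 20 correct

if __name__ == "__main__":
    for label, preds, scores in [("healthy", GOOD_PREDICTIONS, STABLE_SCORES),
                                 ("degraded", POOR_PREDICTIONS, SHIFTED_SCORES)]:
        print(label, evaluate_window(preds, ACTUALS, BASELINE_SCORES, scores))
```

The design point is that the thresholds live in configuration agreed before go-live, and the code only reports against them; changing a threshold is a governed decision recorded by the committee, not something the monitoring job decides on its own.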

Outcomes Analysis

A core model-validation activity that compares a model's predictions against actual real-world results over time, using techniques such as backtesting and benchmarking. For a community bank, outcomes analysis is how you confirm an AI model's predictions actually held up in practice — and it is one of the few specific validation steps the 2026 guidance still names for vendor models.

OWASP Top 10 for LLM Applications

A widely referenced, regularly updated list from the Open Worldwide Application Security Project naming the most critical security risks in applications built on large language models — including prompt injection, sensitive-information disclosure, and excessive agency. For a community bank, it is the most practical baseline checklist to put in front of any vendor selling a generative AI tool.

P

PII (Personally Identifiable Information)

Any data that can identify a specific individual on its own or combined with other data — name, account number, Social Security number, and the like. For a community bank, PII is the broad category an AI acceptable-use policy must protect; in financial services it overlaps heavily with the narrower, GLBA-defined category of NPI.

Prompt Injection

An attack that feeds crafted input to a generative AI system to bypass its safety controls or extract confidential information. It is a live risk anywhere a bank deploys chatbots or other large language model tools, and a reason that customer-facing AI needs guardrails and monitoring rather than trust.

Proportionality

The principle that governance should be sized to an institution's complexity, risk profile, and use of models. Proportionality is what makes AI governance achievable for a community bank: the expectation is a documented, deliberate, and defensible program appropriate to the institution, scaled to fit its resources.

Proxy Variable

A data element that correlates with a protected characteristic and can therefore drive discrimination indirectly, even when the protected characteristic itself is never used. ZIP code standing in for race is the classic example, and proxy variables are why a model can produce disparate impact without anyone intending it.

R

RACI Matrix

A framework that assigns Responsible, Accountable, Consulted, and Informed roles across a process or governance activity. In AI governance a RACI matrix prevents the accountability gaps that arise when "the vendor," "IT," and "the business line" each assume someone else owns a system.

Responsible AI

An approach to building and using AI that emphasizes fairness, transparency, accountability, and human oversight. In a regulated institution, responsible AI is the operating philosophy that governance, validation, and monitoring exist to put into practice.

Retrieval-Augmented Generation (RAG)

A technique that grounds a large language model's answers in a specific, trusted set of documents retrieved at the time of the query, rather than relying only on what the model learned in training. RAG can reduce hallucinations and is common in tools that answer questions from an institution's own policies or knowledge base.

Risk Appetite

The level and type of AI risk a bank is willing to accept in pursuit of its goals, set by the board. A clearly stated risk appetite gives the governance committee a yardstick for approving, conditioning, or rejecting AI use cases, rather than deciding each one from scratch.

Risk Tier

The governance classification assigned to an AI system based on its risk assessment — Minimal, Moderate, High, or Critical. The tier determines how much documentation, validation, monitoring, and oversight a system requires, letting a community bank concentrate limited governance resources where the risk is greatest.

Robotic Process Automation (RPA)

Software that automates repetitive, rules-based tasks such as data entry, reconciliation, and report generation. RPA is often a bank's first step into automation, and because modern RPA increasingly blends in machine learning, it can quietly cross the line into AI and into model risk scope.

S

Scope Creep

The gradual expansion of an AI system's use beyond its originally approved purpose, risk tier, or data inputs, without formal reassessment. Scope creep is a common and under-recognized governance failure — a chatbot meant to answer branch-hours questions that drifts into giving financial advice is a textbook case.

Shadow AI

AI tools used inside an institution without the knowledge or approval of governance — staff using consumer chatbots for work, or AI features quietly activated inside existing vendor products. Shadow AI is a primary reason a complete AI inventory is difficult to build, and a primary reason it matters.

SHAP (Shapley Values)

A widely used explainability technique that attributes a model's prediction to each input variable, showing how much each factor pushed a given decision up or down. For a community bank, SHAP and similar methods are how a complex AI credit model can be made to yield the specific principal-reason statements an adverse action notice requires — though the explanation must reflect the actual model, not a simplified stand-in.

SR 11-7

The Federal Reserve and OCC supervisory guidance on model risk management issued in 2011 — for fifteen years the closest thing U.S. banks had to a unified model risk standard. It was retired in April 2026 and superseded by SR 26-2, which extends its three-pillar framework to AI and machine learning.

SR 26-2

The model risk management guidance that replaced SR 11-7 in April 2026, extending the long-standing framework to cover AI, machine learning, and third-party AI. It broadens the model definition, sharpens expectations for validating opaque models, makes ongoing monitoring more prescriptive, and makes board-level oversight explicit. Read the practitioner breakdown of what SR 26-2 changes for community banks.

Stress Testing

Evaluating how an AI model behaves under extreme, unusual, or adverse conditions rather than typical ones. Stress testing surfaces the weaknesses that normal testing misses — the scenarios where a model fails quietly and a human needs to be ready to step in.

Supervisory Guidance

Written expectations issued by banking regulators — bulletins, interagency statements, and letters such as the Federal Reserve's SR series — that explain how agencies expect institutions to manage particular risks. Unlike regulations, supervisory guidance does not carry the force of law, but examiners use it as the yardstick for sound practice, which is why a community bank treats the relevant AI and model-risk guidance as the standard it will be measured against.

Synthetic Data

Artificially generated data that mimics the statistical properties of real data without containing actual customer records. Synthetic data lets a bank test or train models while protecting privacy, though it has to be validated to ensure it reflects reality.

T

Thin-File Applicant

A borrower with limited credit history, for whom traditional scoring models may be unreliable. AI and alternative-data models are often aimed at thin-file applicants, which makes them valuable for expanding access but also a heightened fair-lending risk that needs testing.

Third-Party AI Risk

The risk introduced by AI that lives inside vendor products — credit decisioning, BSA monitoring, fraud detection, and document tools. Current guidance treats AI inside vendor software as the institution's model risk to govern, which reshapes the questions a bank asks during vendor due diligence.

Three Lines of Defense

The risk-management structure — updated by the Institute of Internal Auditors in 2020 to the "Three Lines Model" — that separates ownership of risk in the first line, governance and oversight in the second, and independent assurance in the third. In a community bank the three lines may be three people rather than three departments, but the separation of duties remains the backbone of credible AI and model governance.

U

Use Case Intake

The standardized process for proposing, reviewing, and approving a new AI use case before it is deployed, so nothing goes live ungoverned. A simple intake step is often what stands between a controlled rollout and another instance of shadow AI. (Toolkit: Use Case Evaluation Scorecard.)

V

Vendor Due Diligence

The structured evaluation of an AI vendor's model transparency, bias testing, data handling, security, and compliance — before signing and throughout the relationship. For community banks, which access most AI through vendors, it is the single highest-leverage governance activity. (Toolkit: AI Vendor Due Diligence Questionnaire.)

Voice Cloning

A form of deepfake that reproduces a specific person's voice from a short sample, enough to pass casual phone-based identity checks. For a community bank, voice cloning directly threatens call-center and phone-banking authentication and executive-impersonation controls — a reason voice alone is no longer a safe verifier.

Go Deeper

From definitions to a working program.

The Handbook and Toolkit turn this vocabulary into an examiner-ready AI governance program — policies, risk assessments, board reporting, and a 90-day Quick Start built for community banks.