
The AI Already in Your Credit Union

  • Writer: Lisa Pent
  • 23 hours ago

Why the first job of AI governance is not policy. It is visibility.


Guest Editorial by Lisa Pent, Founder and CEO, PentEdge



A $600 million credit union in the mid-Atlantic recently did something simple. The Chief Compliance Officer sent a one-question survey to every department head: which AI tools are your team using right now?


Eleven came back.


A generative AI tool drafting loan adverse action language. A chatbot answering member service questions in the call center. A marketing platform writing email subject lines and segmenting member lists. An analytics product flagging suspicious transactions. A scheduling assistant routing meeting requests for the executive team.


Two browser extensions summarizing internal documents. A coding assistant inside IT. Three more embedded inside vendor products the credit union already pays for.

None had been through formal vendor management. Two were touching member PII. The CEO asked what the board should be told. The next NCUA exam was six months out.


The CCO did not have an AI problem. She had a visibility problem. And visibility is not a technology discipline. It is a governance discipline.


The Reframe Credit Unions Need


Most conversations about AI risk start in the wrong place. They start with policy. Should we have an AI policy. What should it say. Who should sign it.


Policy without inventory is theater. You cannot govern what you cannot see, and AI inside a credit union does not show up the way other technology shows up. It is rarely a planned purchase with a signed master services agreement. It arrives three other ways.

It arrives embedded. The vendor you already use rolls an AI feature into the next release. You did not buy it. You inherited it the day you accepted the update.


It arrives on a free tier. A loan officer signs up for a writing assistant with a personal email and starts pasting in member narratives. The procurement process never sees it because there is no invoice.


It arrives quietly through behavior change. A vendor's model gets retrained between quarters and the outputs your team relied on last month behave differently this month. Nothing in your contract changed. The risk profile did.


This is why an inventory you took six months ago is already stale. AI is not a one-time onboarding event. It is a moving surface area.


Why This Is Harder for Credit Unions


Credit unions are walking into the AI era with structural disadvantages that large banks do not face in the same way.


Smaller compliance teams. Fewer dedicated risk professionals. No model risk management function in most institutions under $2 billion in assets. NCUA guidance on AI is still catching up to where the technology actually is. And the member-owned structure raises the stakes when something goes wrong, because the people harmed by a bad AI decision are also the people who own the institution.


There is a temptation to say we are too small to need this. That argument worked for a while with cybersecurity. It does not work anymore, and it will not work with AI either. Examiners are not grading credit unions on a curve based on asset size. They are asking whether you can see your AI footprint and explain how you govern it. A $400 million credit union will be asked the same questions as a $4 billion one. The answers just have to be proportionate to the institution.


What Good Looks Like in Practice


Four moves separate credit unions that are ready for this conversation from credit unions that are not. None of them require a model risk team. All of them can start this quarter.


First, inventory. A real one, refreshed at a defined cadence, not a one-off spreadsheet. Capture every AI tool in use, every embedded AI feature in your existing vendor stack, and every free-tier sign-up by individual employees. The first pass will surprise you. The second pass will surprise you less. By the fourth pass, you have a discipline.


Second, risk-tier. Not every AI tool deserves the same level of attention. A scheduling assistant is not a credit decisioning model. Sort your inventory into tiers based on what the tool touches (member PII, lending decisions, fraud monitoring, regulatory reporting) and how autonomously it operates. Concentrate governance effort where the risk concentrates.


Third, assign ownership at the right level. AI governance belongs to the Chief Compliance Officer or the Chief Risk Officer, not the Chief Information Officer. This is not a slight to IT. It is recognition that the questions an examiner will ask are compliance questions and risk questions: fair lending, UDAAP, third-party risk, model risk, data privacy. IT owns implementation. Compliance and risk own the obligation.


Fourth, build a reporting rhythm the board can see. A quarterly AI governance summary to the board, with the inventory, the risk tiering, the incidents, and the changes since last quarter. Board members are getting the same questions from their peers at other institutions, and a clean reporting rhythm is what lets your board answer them with confidence.


The Honest Question


Every credit union in the United States already has AI inside it. The only credit unions that do not are the ones that have not looked yet.


The question is not whether to govern it. The question is whether you will govern it before the examiner asks, or after.


The first answer is a strategic posture. The second is a finding.

 

About the author

Lisa Pent is the Founder and CEO of PentEdge, a women-owned RegTech company that built the financial industry's first AI risk score. With 30+ years in financial services, including a decade at Thomson Reuters building SaaS for financial institutions, Lisa works with community banks and credit unions on practical, examiner-ready AI governance.
