This article is the second in a three-part series exploring the watershed moment that AI brings, the journey to be compliant, and the AI use cases within a credit union.
Credit union leaders are at a watershed moment with AI while challenges mount. As behemoths like Wells Fargo roll out advanced AI workflows, many of us are caught between board inquiries and vendor hype, with regulatory uncertainty creating enterprise risk. For credit unions, this uncertainty widens the gap with peers. AI compresses margins and elevates member expectations on personalization and speed. This article cuts through the noise to provide a clear, NCUA-aligned roadmap for visionary leaders to move forward with confidence.
Many credit unions are already employing AI in a limited capacity, whether that's in their call center or combating fraud. However, there's greater value with AI as it can 10x a management team, supercharge a strategy, or offer member hyper-personalization. Certainly AI in banking will be revolutionary and just might lead to some future mergers, but it starts with the mundane or even boring. Governance is where a credit union must start to deliver on the greater promise of AI.
Decoding the regulatory signals
The AI regulatory landscape is moving quickly and the current direction points to a much more AI-friendly regulatory environment. Under the Biden Administration, it seemed the United States was following more of the European model, where those wanting to use AI had to demonstrate its safety first before wider adoption. Having attended some of the executive agency policy working groups as an Army Reserve Officer, I found it insightful to hear federal policy makers pushing for AI explainability and burdensome regulations. I listened and knew the impossible reality of what they were asking, which may have been the point.
The federal AI regulatory landscape shifted considerably between administrations, but the direction for credit unions is becoming clear. In its 2025 'Credit Union Artificial Intelligence (AI) Resources,' the NCUA signaled that it will align with the National Institute of Standards and Technology (NIST) AI Risk Management Framework (RMF). This provides management with enough direction to begin the AI journey now, rather than waiting for more explicit guidance. This is where credit union leadership makes the most difference. Will leadership wait or will they start using this new super tool that is AI?
On the NCUA’s new AI resource page, the agency provides guidance on AI with respect to risk, considerations, and controls, with an emphasis on managing third-party risk. At the center of the resource page is AI governance. The NCUA also touches on implementation, security, and usage, with a specific callout for countering fraud. For each of these considerations, the NCUA provides linked resources that add more depth.
Understanding the NIST AI Risk Management Framework (RMF)
NIST designed this framework to help organizations manage the risks associated with AI. For credit union management, its value lies in providing a structured and systematic approach to building trustworthy and responsible AI. Instead of focusing on specific technical solutions, the framework outlines a flexible process that can be integrated into a credit union's existing enterprise risk management and controls. The framework is built around four key functions: Govern, Map, Measure, and Manage.
Govern
The Govern function establishes a foundation for responsible AI, requiring executives to set a clear vision, allocate resources, and create policies that reflect the organization's ethical principles and risk tolerance. For a credit union, this means formally establishing who is responsible for AI governance and ensuring that any AI system aligns with the mission of member protection and financial security.
Map
The Map function involves identifying and understanding the specific risks of an AI system, considering its context and potential impact on members and the institution. This step is crucial for identifying potential harms before they occur, such as bias in a lending algorithm or a chatbot that provides inaccurate information.
Measure
The Measure function helps a credit union quantify and analyze identified risks by developing metrics and conducting assessments. This allows management to track and report on the performance of their AI systems, such as monitoring the accuracy of a fraud detection tool or the efficiency of a loan application bot.
Manage
The Manage function focuses on implementing controls and continuously monitoring the AI system, including third parties, to ensure risks are mitigated over time. This cyclical process ensures that a credit union can not only deploy AI innovations but also maintain compliance and trust by systematically addressing new risks as they emerge.
Credit union’s 5-step AI roadmap
Now that we understand the basic structure of the NIST AI RMF, let’s discuss what a credit union’s roadmap to responsible AI actually takes, based on what we know now.
Step 1: Establish a unified AI vision with the board
The first step is to ensure there is strategic alignment between the Board and management. This is a critical first step that often gets overlooked. There is added peril here too, given there are so many definitions of what AI is and is not. This takes a deliberate discussion between the Board and management to ensure agreement on definitions and uses. It is then that the two can have a meaningful and productive risk appetite discussion on AI.
Step 2: Modernize your data governance
Once agreement between the Board and management is reached on AI, management starts the foundational work. Several things need to happen, and all take careful work. The data governance document that IT has likely been responsible for over the last 20 years needs to be reviewed and aligned with modern practices. Considering what data is shareable, and with what controls, is at the heart of the review. It means careful consideration of which data may or may not be shared with vendors. This is critical, as most credit unions will use cloud-based AI systems. Cloud-based AI solutions are affordable alternatives to building an AI factory in-house, where the hardware and talent costs can be astronomical.
Step 3: Conduct a holistic AI risk assessment
Meanwhile, management may conduct the critical task that is the AI risk assessment. This risk assessment not only considers how the credit union will use its data and AI, but also gets deep into understanding what AI its vendors are using and how they use it. A word of caution: with the marketization of the term “AI,” there are many vendors that are not actually using AI or that are using AI that is outside of the scope of regulatory care. Vendor due diligence will reveal which vendors will be subject to enhanced AI due diligence.
The risk assessment should also touch on how the credit union is adapting to AI-enabled cyber risk: not only traditional cyber attacks, but also new fraud like deepfakes and synthetic identities. Will your accounting team be ready when a fraudster calls them using the voice of the CEO and asks for a wire? These are just a few of the new cyber risks presented by AI. The credit union will need to update its incident management procedure and BCP for these new AI risks as well.
The AI risk assessment should also acknowledge and document the current regulatory and legal environment. This is not only at the federal level, but also at the state and local level. Some cities and states over the past few years advanced very burdensome AI policy that in some cases actually became law. Agreement between the Board and management on the AI vision is key for the risk assessment. The risks and controls for applications and safe data handling must also be addressed, guided by that agreement. Further, this agreed-upon AI vision sets the regulatory scope across the federal, state, and local levels.
We all know that culture eats strategy for breakfast, and management must consider the very real concerns of their people as part of the risk assessment. Management needs to have a plan of how they will make their people feel safe and confident that AI is here to help them care for members, not just take their jobs. AI is the intersection of people, process, and technology—more consequential than any we’ve seen in the past 40 years. Helping the credit union’s people feel comfortable with the change is imperative for success.
Step 4: Formalize and approve your AI policy
With the credit union’s AI risk assessment complete, the policy for the Board is ready to go forward. I strongly encourage that management work with a committee or appointed Board champion to prepare the policy. It is important that the Board is well informed and participates in crafting the AI policy. This will prevent months, perhaps years, of revisions due to the frequency of Board meetings. All this work is to bring the policy in front of the Board, in quorum, for a vote recorded in the minutes.
Step 5: Communicate transparency with members
Generally, I recommend that credit union leaders also communicate the use of AI to their membership on the website. That communication should include a general disclosure of how AI is used and allow a member to opt out of AI in some cases if they choose. This practice aligns with the principles of ethical AI that I strongly advocate for: AI must be disclosed, consensual, human augmenting, and human accountable. This practice is important as society learns to trust AI and move past media-created fears of the Terminator.
There is no doubt that the credit union industry is at an inflection point. Decisions we make today will decide whether we are able to continue to serve our membership in the future. AI is going to accelerate margin compression and further expose the gaps between member expectations and what a credit union can deliver. Credit union leaders can choose to embrace AI now and grow with the technology. A word of caution: the AI models we’re using today are the worst ones you will ever use, as their capabilities will only improve from here.
AI promises to help credit unions care for their members and scale with technology. In doing so, credit unions can continue to deliver on the experience our members love about their credit union. This inflection point is why a credit union visionary must start the road to AI today. AI allows credit unions to deliver hyper-personalized experiences at the speed of the digital world. This roadmap gives credit union leaders the structure to begin responsibly. The next step is moving from policy and governance to deployment, which will determine whether credit unions lead with AI or are left behind.