The silence
There is a specific kind of silence in a bank boardroom after the Board has made the wrong call.
Not the silence of disagreement, that's loud, even when nobody speaks. This is the silence of relief. The hard thing was avoided. The uncomfortable data was explained away. The SOP pointed left, the instinct pointed right, and someone in the room had a slide deck that made left feel like wisdom.
I've been in that room. I've been the one who didn't fight hard enough.
The decision cost us. I won't say how much. But I'll tell you it changed the way I think about what data is for, and what happens when you have mountains of it and none of it thinks.
The moment
27% of community bank and credit union leaders listed AI as their top concern for 2026, surpassing cybersecurity. Concerns about AI's potential fell sharply, from 83% in 2024 to 50% in 2025, and 85% said institutions that adopt AI would gain a significant competitive advantage.
But here's what that data doesn't show: 66% of banks have drafted acceptable-use AI policies but only 62% are experimenting with limited use cases, meaning many institutions have a policy for AI they are not yet using and no policy for the vendor AI they already depend on.
That's not a technology gap. That's a governance gap.
AI is reshaping capital allocation, model risk exposure, third-party concentration and operational dependency. Yet oversight frameworks often remain anchored in a pre-AI view of risk. Most boards still see this as a technology discussion. AI differs from prior technology waves not because it is new, but because it embeds itself in decision authority. In most community and regional banks, AI is not developed internally. It is embedded in vendor platforms: loan origination systems with predictive underwriting layers, fraud engines that auto-score transactions, marketing systems that determine customer targeting, pricing algorithms that optimize deposit or credit offers.
You didn't decide to adopt AI. You already have.
The vendor problem nobody names
The concentrated Core Service Provider (CSP) market, where three providers serve over 70% of depository institutions, means that for most community banks, AI adoption is dictated by their provider's roadmap, not their own ambitions. The ABA's 2024 Core Platforms Survey reported overall satisfaction of just 3.19 out of 5, with innovation capabilities scoring even lower.
Here's what that means in practice:
If your fraud engine scores a transaction at 87 out of 100, do you know what variables it weighted? If your vendor pushed a model update last quarter, did your board approve it? Did anyone even know it happened?
From a regulatory standpoint, the issue will not be efficiency. It will be whether boards understood the risk implications of adopting AI at scale. From a governance standpoint, the question is simpler: If AI influences credit, capital, pricing and customer outcomes, how can it remain a secondary agenda item?
It can't.
What changed in Q1 2026
On February 19, 2026, the U.S. Department of the Treasury released two new artificial intelligence resources intended to help banks and other financial institutions adopt AI more securely and consistently: an Artificial Intelligence Lexicon, and a Financial Services AI Risk Management Framework.
Even as non-binding guidance, these resources are likely to become reference points for regulators, auditors, boards, and risk committees. Institutions deploying AI in higher-risk use cases (e.g., credit decisioning, fraud detection, identity verification, customer communications, or cybersecurity) should expect increased regulatory scrutiny of AI risk management governance and controls.
The voluntary framework won't stay voluntary in practice. Examiners will ask if you've read it. They'll ask if you've mapped your vendor AI to it. They'll ask who on your board owns the AI risk inventory.
Boards aren't AI experts so it's critical to "narrow the scope of what you take to the board to just the things that matter." But narrowing the scope requires knowing what's in scope. Most banks don't have that inventory.
The board question that matters
AI oversight should reside with the board risk committee rather than the technology committee. Boards should approve the institution's AI risk appetite, set boundaries on automated decisioning, review material AI deployments, receive periodic AI risk reports.
That's the framework. Here's the execution:
| Question | Why it matters | |--------------|---------------------| | What decision is this AI making, and at what dollar threshold does a human approve it? | When AI systems influence credit decisions, pricing structures, customer segmentation, fraud losses or capital deployment, they are no longer tools. They are decision authorities. | | What data does it access, and what's the audit trail? | If you can't reconstruct the decision, you can't defend it to an examiner. | | What changes when the vendor updates the model? | What changes when the vendor pushes a model update, and how do we know? Institutions that cannot answer those questions for each AI deployment are accumulating risk faster than they are capturing benefit. |
Those three questions separate governance from theater.
What Republic Bank did
Republic Bank of Chicago announced May 12 that it had selected AI-native platform for commercial banking Sympera to scale business banking efforts. The $2.7 billion community bank's decision follows pilot testing.
That's not the headline. The headline is pilot testing. They didn't buy the pitch. They tested the claim. They scoped the use case. They ran it through their risk framework before they scaled it.
That's the pattern that works. The smartest banks in 2026 aren't the ones who bet it all. They're the ones who picked the right partner, started smart, and built confidence before scaling up.
Community banks that implement AI thoughtfully, starting with high-ROI back-office use cases, building compliance into the process, and expanding methodically, will operate more efficiently, serve customers better, and compete more effectively than peers who wait.
The decision you're avoiding
The board chose comfort because comfort is what boards are structurally designed to choose. Employees are constantly evaluating how decisions are made, what is important to the leaders, and how they should respond and behave. Essentially, employees look to management to set the tone for how the company will operate.
If the board doesn't own AI governance, the organization won't either.
Here's what that looks like in practice: Shadow AI in the browser. Vendor-embedded models the legal team did not know existed. Acceptable-use policies written for tools the workforce had already moved past.
You don't fix that with a policy. You fix it by assigning fiduciary ownership. By making one person responsible for the AI inventory. By putting AI on the risk committee agenda every quarter. By asking the three questions that matter.
The data was always there. The clarity wasn't.
What I'm Working On
Edit this section in your admin dashboard to share what you're building right now.
Next week
NIM compression at a redacted community bank. What the data showed. What the temptation was. What the model said to do instead.
Until then.
James