U.S. banking supervisors have increased their attention to how financial firms are integrating artificial intelligence, pressing banks to detail their AI deployments, governance frameworks and contingencies as the technology becomes more embedded across services.
Regulators have observed rapid adoption of AI across banks, from simple virtual assistants to more advanced applications such as regulatory monitoring and credit underwriting. That spread has prompted closer inquiry into potential cybersecurity and fraud vulnerabilities tied to these systems, according to sources familiar with supervisory discussions.
Regulatory inquiries during examinations
Officials at the Office of the Comptroller of the Currency and the Federal Reserve have begun to use routine bank examinations to ask lenders to map where and how AI is used, focusing on higher-risk areas such as lending, know-your-customer procedures and sanctions screening. Supervisors are posing granular questions about vendor relationships, the safeguarding of client data and whether firms maintain emergency deactivation mechanisms commonly described as "kill switches," according to people briefed on the interactions.
Those conversations are said to occur through both written questionnaires and verbal exchanges. One person familiar with the process stated that discussion of AI use has become part of every bank examination. The sources declined to be identified because the supervisory exchanges are not public.
What supervisors are probing
- Governance frameworks: Regulators are examining whether banks have formal guardrails, human oversight and clear decision authority over AI tools.
- Third-party risk: Firms are being asked how they ensure that vendors and subcontractors meet equivalent governance and security standards, and whether exit plans exist in case of vendor system failures.
- Data access and model limits: Supervisors are focused on whether AI systems can access or infer information beyond authorized boundaries, raising privacy, confidentiality and compliance concerns.
- Operational resiliency: Banks must demonstrate contingency plans for technology faults and show controls such as mechanisms to stop systems that act unexpectedly.
Rather than issuing immediate, AI-specific prohibitions, regulators are gathering information to deepen their understanding of current practices across the industry, the sources said. For now, agencies are relying on existing supervisory tools such as model risk management principles, third-party risk oversight processes and consumer protection laws to evaluate how firms are handling AI-related risks.
Vendor reliance and subcontractor exposure
A central area of regulatory concern is the growing reliance on external providers to supply AI capabilities. Supervisors are pressing banks to explain how they vet vendors, manage subcontractor relationships and maintain oversight when critical functionality is outsourced. They are also asking whether firms have defined exit strategies should a vendor's system suffer a safety breach or otherwise compromise bank operations.
Officials are particularly attentive to whether banks impose the same governance and security requirements on third parties that they apply internally, and how they monitor subcontractor performance and compliance over time.
Cybersecurity questions tied to advanced models
Regulators and Treasury officials are scrutinizing the cybersecurity implications of certain frontier AI models. Supervisory officials are evaluating how prepared financial firms are to confront vulnerabilities that could be exploited by sophisticated systems designed to extract or connect data across platforms. Cybersecurity specialists have warned that these models could present significant challenges to banks and to legacy technology architectures.
Agencies are seeking to understand the breadth of potential cyber risks and the extent to which firms have adapted existing defensive and incident-response frameworks to address them.
Principles-based supervision and the pace of change
Sources described the current supervisory posture as informational and principles-driven rather than prescriptive. Regulators recognize that the pace of AI development is rapid and may outstrip the customary cycle for regulatory learning and rulemaking, raising the risk that any formal guidance could become outdated soon after issuance.
For the moment, authorities plan to lean on broad supervisory frameworks while collecting industry input. That approach could evolve, however, depending on what the agencies learn.
In a May speech, Federal Reserve Vice Chair for Supervision Michelle Bowman summarized the interim stance: "Today, banks are relying on existing risk-management frameworks to guide their use of AI," she said. "While these supervisory tools are intended to support banks in applying sound governance and risk management, we should assess whether our supervisory guidance is fit for the future."
Formal information gathering
Regulators have signaled their intent to compile more systematic input on AI usage across the sector. Last year, the Government Accountability Office reported that agencies told it they were assessing AI risks within financial services. In April, the Office of the Comptroller of the Currency said that it, the Federal Reserve and the Federal Deposit Insurance Corporation planned a formal request for information on banks' use of AI, explicitly encompassing generative and agentic systems. That kind of request is designed to collect perspectives and does not itself establish new regulatory obligations.
Regulators declined to provide comment on the supervisory matters described by the sources, and one agency did not respond to a request for comment.
Outlook for supervision
Supervisors continue to prioritize information gathering and assessment of industry practices rather than imposing immediate, AI-specific constraints. Examiners are using existing supervisory frameworks as the primary yardstick for evaluating how banks manage AI-related risks, while remaining alert to whether new guidance or regulation will be necessary as the technology and its applications evolve.
The ongoing emphasis on governance, vendor oversight, data access controls and contingency planning indicates that regulators expect banks to demonstrate disciplined risk management as they expand AI use across critical functions.