Back to Insights
AI & Banking13 min read

AI Governance for Bank Boards: The 2026 Playbook

Co-authored by Jim Marous and Michael Clark.

For most of the last decade, artificial intelligence sat comfortably outside the boardroom. It lived in innovation labs, in data-science teams, in proofs of concept that were applauded in town halls and quietly shelved a quarter later. Directors heard about it the way they heard about most emerging technology: as a line in the technology update, a source of optimism, and occasionally a source of unease. It was someone else's job to build, and someone else's job to govern.

That era is over. By 2026, AI is no longer a technology the board hears about. It is a technology the board is accountable for. Models now sit inside credit decisions, fraud screening, anti-money-laundering alerts, customer service, pricing, collections and the first drafts of the very papers directors read. The question for a bank board is no longer whether to govern AI. It is whether the board is governing it deliberately, or by accident.

The uncomfortable truth is that most boards are doing the latter. They have inherited an AI estate they did not design, cannot fully see, and do not yet know how to oversee. This playbook is written to close that gap — not with a compliance framework that smothers the upside, but with a working model of accountability, cadence and judgment that a board can adopt in its next meeting.

Why this is now a board problem, not an IT problem

The instinct to treat AI as an operational matter — interesting, technical, best left to management — is understandable. It is also the single most dangerous assumption a board can make in 2026.

AI has crossed three thresholds that move it decisively into board territory. The first is materiality. When a model influences who gets a loan, what they pay for it, and how the bank treats them when they fall behind, the model is making decisions that sit at the heart of the institution's conduct, fairness and financial outcomes. Those are not engineering concerns. They are the concerns directors are appointed to oversee.

The second threshold is opacity. Traditional systems failed in legible ways. A rules engine that declined an application could be inspected line by line. A modern model cannot always explain itself in terms a director — or a regulator, or a customer — would accept. The bank can be fully compliant on paper and still unable to answer the only question that matters when something goes wrong: why did the system do that, and who decided it should be allowed to?

The third threshold is speed. AI does not roll out the way core-banking projects did, over years, through change-advisory boards. It diffuses. A capability bought for one purpose is quietly repurposed for five others. A vendor ships a new feature and the institution is using a different model than the one it last reviewed. Governance designed for periodic, project-shaped change is structurally unable to keep up with technology that changes continuously.

Put those three together and the conclusion is unavoidable. Data and the models built on it have become a board-level liability — and a board-level asset — in exactly the way credit risk, capital and conduct already are. The board that continues to receive AI as an innovation story, rather than govern it as a risk-and-value discipline, is not being prudent. It is being passive.

The accountability question

Every governance failure we have seen begins in the same place: nobody can answer, cleanly, who owns the AI decision.

This is the question a board must be able to resolve for any consequential use of AI in the institution. Not "which team built the model" and not "which committee approved the project," but who is accountable for the decision the model makes, and where that accountability sits in the operating model. When the answer is a diagram with arrows pointing in several directions, the institution does not have AI governance. It has the appearance of it.

The failure is rarely a failure of intent. It is a failure of design. Data sits with one function, the model with another, the customer outcome with a third, and the regulatory relationship with a fourth. Each does its part competently. None owns the whole. The accountability falls into the gaps between them, and the gaps are exactly where AI risk concentrates.

The fix is not another committee. It is a single, named accountability path for every material AI use case — a person, not a forum, who owns the outcome and can be asked, in front of the board, to explain it. Underneath that person the work is shared across data, technology, risk and the business. But accountability does not divide. The principle a board should insist on is simple and old: AI can accelerate the work, but a human being owns the consequential decision and its consequences. The technology amplifies judgment. It does not absorb responsibility.

The regulatory direction directors cannot delegate

Regulators are converging on a simple expectation, even where the specific rules differ by jurisdiction: AI now sits squarely inside model-risk and conduct governance, and the board is expected to understand its institution's exposure rather than delegate that understanding to the technology function. Europe's AI Act is the most visible move in that direction, and supervisors in the UK, the US and Asia have signalled the same intent in their own idioms. The detail will keep changing; the direction will not.

There is a deeper point here worth a board's attention: the real danger is that we keep trying to govern AI as though it were simply another piece of technology, when what it actually does is make consequential decisions. Govern the technology and you will produce documentation. Govern the decisions and you will produce accountability. Only the second satisfies a regulator — or a customer — who asks why an application was declined.

Directors do not need to read the model cards. They do need to be able to answer a small number of questions without turning to management. Where a model affects a customer's access to credit or the price they pay, can we demonstrate meaningful human oversight rather than a rubber stamp? If a supervisor asked us tomorrow to produce an inventory of the AI in our consequential decisions, how long would it take, and would we be confident it was complete?

The honest answer to the last question, in most institutions, is weeks rather than days, and "not confident." That gap is itself a finding. A board cannot govern an estate it cannot enumerate. The first deliverable of any serious AI governance effort is not a policy. It is an inventory — a living register of where AI is used, what it decides, who owns it, and how material it is.

A governance framework that does not smother the upside

The reflex, once a board grasps the risk, is to clamp down: a heavyweight approval gate, a long checklist, a committee that meets quarterly and says no. This is the second-most common failure, and it is nearly as damaging as neglect. A bank that governs AI by friction will simply watch the upside accrue to faster competitors while its own teams route around the controls.

Good governance is proportionate. It distinguishes between an AI that drafts an internal summary and an AI that declines a mortgage, and it applies its weight accordingly. We find four layers useful.

The first layer is the inventory and tiering already described: know what you have, and rank it by how much it could hurt a customer or the institution. Most of the estate is low-stakes and should move at the speed of the business, with light oversight. Effort concentrates on the small number of high-stakes uses.

The second layer is ownership: every high-stakes use has a single accountable owner and a documented purpose, so the institution can always say what a model is for and who answers for it.

The third layer is oversight proportionate to stakes: for the uses that affect customers materially, genuine human review, tested explainability, monitoring for drift and bias, and a defined point at which a human can and must intervene. Not human oversight as theatre — a person who clicks approve on a thousand decisions a day oversees nothing — but oversight with the authority and the information to actually change an outcome.

The fourth layer is review cadence: because AI changes continuously, governance must be continuous too. A model approved last year on data that no longer reflects the world is not a governed model. It is a liability with a stale certificate.

The point of the framework is not to slow the institution down. It is to let the institution move fast where the stakes are low and move carefully where the stakes are high — and to know, at all times, which is which.

The execution gap is a governance failure

Here the two of us have argued, at times, from different starting points — one of us from the banking transformation that stalls between pilot and production, the other from the operating-model design that determines whether transformation can stick at all. We have arrived at the same conclusion. The celebrated "execution gap" in banking AI — the chasm between impressive pilots and almost no production impact — is not primarily a technology problem. It is a governance and operating-model problem wearing a technology costume.

The numbers are stark. Only about seven percent of banks achieve the digital outcomes they set out to achieve, and sixty percent of credit unions entered 2026 with no clear digital plan at all. The industry spent on the order of five hundred billion dollars on transformation last year and most institutions still struggle to stand out. The gap between ambition and execution has become the single largest competitive risk in retail banking — and it is not, at its root, a money problem. It is a clarity and accountability problem, which is to say a governance one.

Pilots succeed because they are ungoverned in the productive sense: small, owned by one motivated team, free of the accountability questions that production forces. Scaling fails because the moment a model touches real customers at real volume, every unanswered question — who owns it, who is accountable when it errs, how it is monitored, who can switch it off — arrives at once, and the institution has no machinery to answer them. So the pilot stays a pilot. The board sees activity and mistakes it for progress.

This is why a board should treat the persistent inability to move AI beyond pilots not as a delivery hiccup but as a governance signal. It means the institution has built the capability to experiment but not the operating model to be accountable at scale. The remedy is upstream of any individual project: clarify accountabilities, build the inventory, define the oversight a production model requires, and the pilots that deserve to scale will finally have a path to do so. Governance, done well, is not the brake on AI's value in a bank. It is the road.

Three failure modes boards should watch for

The first is the orphaned model. A capability is built, deployed, and then its team is reorganised, its champion leaves, and it keeps making decisions that no current person owns. Orphaned models are where bias goes undetected and drift goes uncorrected. The board's defence is the inventory and the single-owner rule: nothing material runs without a named, current owner.

The second is oversight theatre. The institution can point to a human in the loop, but that human has neither the time, the information, nor the authority to disagree with the machine. On paper there is human oversight. In reality there is automation with a signature. The board should probe, for its highest-stakes uses, what proportion of model recommendations the human actually overrides, and why — a number near zero is not reassurance, it is a warning.

The third is the silent vendor swap. Much of a bank's AI is not built in-house; it arrives inside vendor products and updates continuously. The model the institution reviewed is not the model running today. The board should expect management to know which consequential decisions depend on third-party models, and to have contractual and monitoring arrangements that mean a vendor cannot change the institution's risk profile without the institution knowing.

The board-pack template

A board can only govern what it sees. Most AI board papers today are either too technical to be useful or too promotional to be honest. The following is a template for a recurring AI governance section in the board pack — written so that a director can read it in ten minutes and leave able to ask the right questions.

The estate at a glance. A single page: how many material AI use cases the institution runs, in which functions, how many are classified high-risk, and what changed since the last review. New uses added, uses retired, models materially updated. If this page cannot be produced, the institution does not yet have an inventory, and that is the headline.

The high-stakes register. For each high-risk use — credit, pricing, fraud, collections, anything touching a customer's money or access — the named accountable owner, the decision the model influences, the form of human oversight in place, the override rate, and the date of last review. The board does not read every line every meeting. It reads the exceptions: anything new, anything overdue for review, anything where the override rate moved sharply.

Incidents and near-misses. What went wrong, or nearly did, since the last meeting. A model that drifted, a bias finding, a customer complaint traced to an automated decision, a vendor change that surprised the institution. A board pack with no incidents in a large AI estate is not evidence of safety. It is evidence of under-reporting.

Regulatory posture. Where the institution stands against applicable AI regulation and supervisory expectations: which uses carry the highest risk, documentation status, any gaps and the plan to close them. One paragraph, honestly written.

The single ask. Every governance section should end with the one decision or judgment the board is being asked to make this meeting — a use case to approve, a risk to accept, a tolerance to set. Governance that asks the board for nothing is governance that is keeping the board decorative.

Cadence: what to review, and how often

Continuous technology cannot be governed annually. We suggest three rhythms. Every board meeting: the estate-at-a-glance page and any incidents — a standing item, never an occasional one. Quarterly: a deeper review of the high-stakes register, including override rates and review currency, ideally at the risk committee with the full board briefed. Annually: a review of the governance framework itself — is the tiering still right, are the accountabilities still clean, has the institution's AI ambition outgrown its oversight. The annual review is where the board steps back from the models to ask whether the machinery governing them is still fit for the scale the institution now operates at.

The director's bottom line

A bank board does not need to understand how a transformer works to govern AI well. It needs to insist on a small number of unfashionable things: that the institution knows where its AI is and what it decides; that every consequential decision has a human owner who can be asked to explain it; that oversight is real rather than ceremonial; that governance is continuous because the technology is; and that the board is asked, every meeting, to actually decide something.

None of this smothers the upside. The institutions that govern AI this way are precisely the ones that will be able to scale it — because they will be the ones able to answer, calmly and quickly, the questions that stop everyone else at the pilot stage. In 2026, the boards that treat AI governance as a constraint will be overtaken. The boards that treat it as the discipline that makes ambition safe will be the ones still standing when the regulators, the customers and the markets ask the question every institution will eventually be asked: who decided this, and could you explain it to me?

Board-ready resource

The board-pack template

A fillable, two-page template for the recurring AI governance section of your board pack — the estate-at-a-glance, the high-stakes register, incidents, regulatory posture, the single ask, and the review cadence. Adapt every field to your institution.

Jim Marous

Apply this thinking

Want this thinking applied to your business?

Book a 30-minute call with Jim to scope an engagement — a keynote, an executive briefing, or longer-term advisory.