Members of the four-person IT team at Unison Bank in Jamestown, North Dakota, pride themselves on their technical knowledge. But Andrew Workman, the bank’s senior vice president of information systems and security, says their expertise doesn’t extend to artificial intelligence (AI).
“No, we have very, very little experience,” says Workman, who has worked at the $591 million subsidiary of North Star Holding Co. for 25 years. “I think for a lot of community banks, particularly our size, I think a lot of them would fit into that same situation where AI is a relatively new technology.”
That lack of expertise became a growing concern for Workman in recent years due to the competitive pressures from fintechs and neobanks offering AI-powered products and services to the same customer base. “And if we don’t offer it, then they’re not even going to look at us as being an option for their banking purposes,” Workman says.
A growing number of large banks are creating chief AI officer (CAIO) roles to ensure they have enterprise-wide plans in place for all AI use. Joan McGowan, head of U.S. financial services industry consulting for the data and AI software company SAS, says these positions are becoming a strategic imperative. “Doing nothing is not a viable option. AI is already present in financial institutions through vendors, embedded decisioning systems and informal employee use,” she says. “It is the CAIO’s role to set an AI strategy aligned to business outcomes, establish governance and guardrails around data usage and model risk, and ensure that AI adoption complies with regulatory expectations.”
While Workman would love to hire a full-time CAIO, like most small financial institutions, Unison Bank simply can’t afford it. So they turned to a partner of 20 years, SBS CyberSecurity, which recognized several of their other banking customers were facing the same dilemma. The company in 2025 decided to develop and launch a potential solution: the virtual chief AI officer (vCAIO). Chad Knutson, CEO of SBS CyberSecurity, says a virtual CAIO works remotely with the financial institution to help develop an AI policy and plan. “One of the first parts of it is really looking at their strategic plan as a bank or credit union,” he says. “Where are they looking to go and how does AI align with that?”
Several other firms are also now offering vCAIOs or fractional CAIOs, and McGowan says the service is a viable option for smaller financial institutions to consider. “The value lies less in advice and more in preventing unmanaged risk,” she says. “Many institutions only discover AI exposure during audits or regulatory exams. A virtual CAIO can help avoid that outcome by creating visibility and structure before issues arise.”
Starting With Risk and Governance
While Workman wants AI to eventually boost Unison Bank’s competitiveness, he needed to address that risk management aspect first and foremost. “It’s the control features, making sure that we have proper governance over the use of AI within our organization to ensure any sort of data leakage or loss of data that could result in some fraudulent event doesn’t occur,” Workman says.
Working with the bank on a continuous basis since October, the vCAIO helped Workman’s team develop AI governance and risk management policies. That includes language clearly stating the bank’s information security officer is responsible for identifying and assessing all AI risks, and ensuring its AI program complies with state and federal laws and regulations. McGowan says that type of language is critical, because regulators expect named executives within the institution to own those decisions. “Outsourcing expertise does not outsource responsibility, particularly for model risk and operational outcomes,” she says.
Unison Bank is now coordinating with its vCAIO on a work plan, which includes building out its long-term AI planning. The vCAIO will likely take a step back in March, when Workman hopes he will be ready to start training the bank’s employees on actual AI solutions, starting with Copilot, a generative AI solution now available to most financial institutions through Microsoft 365 that allows users to create new content. Knutson says basic generative AI training that includes suggested prompts is a common first step for the community banks his vCAIOs are assisting. “The use cases they start out with are, ‘I heard this can help me write better emails,’ or, ‘I heard I can take an interview with someone and turn it into a blog post,’ those kinds of things,” he says. ”They want to make the tasks easier with AI and surely we’re going to help them do that and build out their training.”
Innovation Vista is another tech consulting firm that offers vCAIO services to a wide range of industries. CEO Jeff Roberts says the best vCAIOs find ways to encourage even the most cautious institutions to use AI to help them grow. “You want that balance and someone to say, ‘Look, I will make sure we keep our nose clean with respect to data legal requirements and anything we’ve committed to our counterparties contractually. We’re going to stay clean on that. But we’re also going to find a way to move as quickly as possible within those constraints and parameters, and we’re going to figure out a way that AI really works for this organization,’” he says.
How Do You Hire the Right vCAIO?
Because of his long-standing, successful partnership with SBS CyberSecurity, contracting for a vCAIO was easy for Workman. But he knows he is lucky. “Just starting from scratch and trying to identify a firm that I would trust and that I would feel confident in guiding our AI adventure? Yes, it would bring some anxiety,” he admits.
Knutson says easing that anxiety starts with hiring a vCAIO that has a background in banking. “Because you can talk the language on what lenders need and back office people need and what marketing people do in a bank,” says Knutson. “The three people that we have working on all of our vCAIO services right now, all three of them have a banking background.”
Roberts agrees, and says it is also important to find a vCAIO that brings more than just the technical expertise required. “Human nature is undefeated. And so, if you go about an AI initiative without taking human nature into account successfully, then you’re set up to fail. People won’t share all the details that they should. They’ll drag their feet, they’ll give you a simplified version of the story rather than mentioning all the exceptions to the rule,” he says. “Because you have a change management challenge in a lot of organizations, you really need for the vCAIO to be diplomatic, to understand leadership, culture and communication.”
Along with checking those boxes, McGowan says it is important for financial institutions to ask for specific deliverables from a vCAIO, which she says should include:
• An AI inventory or baseline assessment.
• Clear governance principles and ownership.
• A prioritized, risk-aligned AI road map.
• Executive and control-function education.
“[Return on investment] should not be measured purely in near-term revenue,” McGowan says. “In regulated institutions, risk reduction, avoided missteps and regulatory readiness are meaningful and often provide substantial returns. Establishing these foundations early positions institutions to scale AI responsibly later.”
Previous