FinXTech: The Intersection of Financial Institutions and Technology Leaders

Some Risk Departments Are Blocking AI, But Banks Are Finding a Compromise

May 28, 2026

By Greg Neumann

It was one of those very rare moments of complete candor that caught everyone’s attention. 

Paul Becker, chair of the technology committee for the board of directors at $6.3 billion United Fidelity Bank, based in Evansville, Indiana, explained to a room full of community bankers in Texas this month what is stopping his bank from implementing new artificial intelligence (AI) tools. “ERM. We can’t get past [enterprise] risk management,” he said. 

Becker’s comment came during a session on generative artificial intelligence (AI) at May’s S&P Global Market Intelligence Community Bankers Conference 2026. One of the session’s presenters, Ben Udell, an AI consultant to financial institutions, responded by encouraging Becker and other bankers in the room to push their ERM teams on such issues. “I think we need to be more bold to say, ‘AI is not going away, and do we want to be the last people to turn the lights off?’” he said. “That’s a real risk for community bankers who want to be community bankers five and 10 years from now.”

While many bankers cite uncertain return on investment (ROI) or a lack of clear regulations as the main obstacles to implementing generative or agentic AI tools, Udell says too many community bank ERM teams are also stopping AI use without doing due diligence. 

“Can they go to the board of directors and say, ‘We need to make a risk management decision. Here’s pros, here’s cons, here’s what it means.’ Generally, I don’t see that actually happening,” Udell says. “I just think they’re responding to the headlines and they don’t want to have to be challenged by the FDIC on a topic they don’t know much about.”

ERM is a “process that manages enterprise risk so that ongoing decisions are consistent with the company’s risk appetite and stated performance goals,” wrote Bart Smith, a partner at Performance Trust Capital Partners, in a 2024 thought leadership article for Bank Director.

ERM committees at financial institutions are often composed of the chief risk officer (if the institution has one), the CEO, chief financial officer, chief operating officer, chief lending officer, compliance officer and internal auditor.

Becker, who runs his own IT consulting firm, admits that ERM committees have good reason to be cautious about AI use. Many generative and agentic AI use cases can seem threatening to the basic risk function of a bank. But he feels there needs to be room for compromise and experimentation. 

“Open it up for everybody to be able to do whatever they want to do, to ask questions like, ‘How should we price our CDs? What’s the elasticity of the CD pricing curve?’ And these are questions that are prohibited,” he says. “Our [employee] use of AI in the bank is strictly limited to Microsoft Teams’ transcriptions right now.”

He and others say a bank must allow for a reasonable AI use-case policy if it is to remain competitive.

Collaborate To Develop an AI Use Policy

Tension has always existed between pro-technology executives or board directors and ERM teams, says Nora Barefield, a one-time bank operational risk committee chair who now serves as a consultant to community banks for RLR Management Consulting. She says AI has taken that tension to another level. 

“It kind of puts the risk management folks in a difficult position where they’re [there] to create certainty,” Barefield says. “But AI introduces experimentation, and those two forces naturally will pull against each other.”

AI risks such as data leakage, hallucinations, regulatory scrutiny and reputational exposure are very real. But Barefield believes the lack of an AI policy statement is an even bigger risk for banks, because regulators are starting to expect it. “They’re saying, ‘Don’t wait for us to catch up. We want you to adopt AI in a responsible manner,’” she says. “You get extra points if you’re starting to do that and get your documentation in place.”

Udell advises his bank and credit union clients to have honest conversations before starting that process. “If we take a step back and say, ‘Let’s actually do the research, do the math, do the risk analysis, have a valid discussion,’ that’s the path to go,” he says.

RLR Consulting created a work program that walks client banks through simple questions to help them develop a document they can use as a starting point for an AI policy statement. “What is our risk tolerance for AI? Who’s going to be responsible? Is it going to live in the IT world? Is it going to live under enterprise risk management? Is there going to be a separate steering committee?” Barefield says.

And while some banks may be limiting AI use internally, their vendors are certainly using it. Barefield says banks should understand which vendors incorporate AI into their applications and how it is used. They should also understand the vendor’s protocols for protecting the bank’s data. All of that information should be documented in the vendor due diligence/third-party risk assessments as well as the bank’s own AI policy.

Sixty-six percent of bank CEOs, tech executives and board directors surveyed for Bank Director’s 2025 Technology Survey indicated that their institution has drafted an acceptable use policy for AI. But Barefield says the best policies don’t treat all forms of AI the same — and shouldn’t — because they are not all equal. 

A Tiered Approach to Risk

Risk tolerance is the key piece that banks must first define in order to develop a truly relevant AI use policy. Those that haven’t done that will struggle, says Hamza Qadir, director of innovation and digital strategy at $706 million 1st National Bank of Scotia, based in Scotia, New York. He advises bank ERM teams not to put all AI use cases in the same bucket. 

“In the instance of doing commercial lending at the speed of light using generative AI, that probably is a more advanced use case because it involves PII (personally identifiable information),” Qadir says. “Whereas, if I’m just doing research on my market and I just open it to Copilot or ChatGPT or Gemini and bring that into the fold, it’s a little bit easier to kind of get your feet wet and not risk it all at once.”

Barefield says the differences between AI tools and their use cases make it essential for banks to take a tiered approach to AI risk. “Tier one would be customer-facing, high-impact [uses], where there’s regulatory exposure. Tier two is related to internal decisioning [use cases] that may just have a moderate impact,” she says. “So, then the risk management team can apply controls that relate to each of those different tiers and it kind of breaks that down so that there are fewer ‘nos.’”

Becker believes that type of approach would benefit his bank tremendously. “We should create an AI inventory, deliver AI-risk tiers, approve an AI taxonomy, all those things,” he says. “If we did all that, then the OCC (Office of the Comptroller of the Currency) is going to say, ‘Well, OK, you’ve done your homework.’”

Barefield agrees with Udell that simply choosing not to explore such options will limit a financial institution’s growth. “When approvals take too long, when experimentation is blocked, and every idea requires a full validation cycle or all of these roadblocks, then that does stand in the way of the bank being competitive,” she says. 

Greg Neumann leads financial technology coverage for both Bank Director and FinXTech. Greg brings more than 30 years of combined experience in journalism and financial services to the role, previously working in television newsrooms across the country and leading communications for a financial industry trade association. He holds a bachelor of arts in mass communication from the University of Wisconsin-Milwaukee.