April 21, 2026

There is a version of exam prep that a lot of credit unions are waiting on.

It sounds like this: “Once NCUA finalizes its AI exam framework, we’ll build our governance program around it. Until then, we’ll keep watching.”

That posture is understandable. It is also, right now, the riskier one.

Here is what the record actually shows about where NCUA is on AI, and what that means for how you think about readiness.

What NCUA has actually said

In May 2025, GAO called out NCUA for not having the tools it needs to oversee credit union AI use. They flagged two gaps: thin model risk guidance and no direct authority over many of the tech providers credit unions lean on for AI‑driven services. NCUA is still leaning on SR 11‑7, which predates everything we are doing with AI today.

Chairman Hauptman’s response was basically, “We get it, and we will tighten this up.” Since then, NCUA has done two important things:

  • It stood up an AI resource hub and pointed everyone at NIST, COSO, CISA, and the existing third‑party vendor letters.
  • It published its own AI Compliance Plan for how the agency will govern its own AI use.

What it has not done is publish a neat “AI Exam Booklet” for credit unions. So examiners are going to reach for what they already know: third‑party risk, model risk, safety and soundness, and fair lending.

How that shows up in an exam

Look at the 2026 supervisory priorities and you see where AI lands without ever using the buzzword.

The focus is on:

  • Lending and credit risk
  • Interest rate and liquidity risk
  • Third‑party risk management, especially when you outsource lending, servicing, or collections

If you plug in AI, it becomes pretty simple. Any AI‑powered tool that touches those areas is now part of the story you have to tell:

  • Decision engines in underwriting
  • AI‑based fraud detection
  • Collections automation and segmentation

There is no separate “AI tab” in the exam workpapers. These tools just change the complexity of the third‑party and model risk questions examiners already know how to ask.

The questions will feel familiar

Picture an examiner sitting across from you and asking, about a vendor model you use for loan decisions:

  • What model is this, and who built it?
  • What data goes in, and how do you control that data?
  • If a member asks “Why was I denied?”, can you explain it in plain language?
  • What happens when the model is wrong?
  • Who owns oversight, and where is that oversight documented?

None of those questions are new. They are the same ones you get for non‑AI models, vendors, and processes.

AI does not change the questions. It just makes lazy answers harder to defend.

How the new strategic plan changes the backdrop

NCUA’s new 2026–2030 Strategic Plan adds an important backdrop to all of this.

Three things matter for AI:

  1. NCUA is going to use AI too. The plan is explicit about expanding the use of data, analytics, and AI inside the agency to strengthen supervision. That means examiners will have sharper tools to see patterns in your data, your portfolio, and your outliers. If your AI and data governance are a mess, the gap will show up faster and more clearly.
  2. “Responsible innovation” is now on the scoreboard. NCUA is not telling credit unions to sit on their hands. The plan talks about enabling access and innovation while protecting members and the fund. In practice, that means AI pilots with no governance, no documentation, and no clarity on who owns the risk are going to look increasingly out of step.
  3. Your governance is part of NCUA’s own risk story. As NCUA leans on its own AI and analytics, the quality of your model and vendor oversight directly affects how reliable their tools are. That is another reason they will push harder on how well you understand and document the AI you are using.

So the strategic plan is not just a long PDF to file away. It tells you the direction of travel: more data, more AI, more emphasis on responsible use, not less.

What the leading programs are doing differently

The credit unions that look most ready, at least from the outside, are not waiting for an AI checklist.

They are doing three concrete things:

  • They start from the frameworks, not the headlines. NIST, COSO, SR 11‑7, the third‑party letters. They take those seriously and ask, “If this is the playbook, how does each AI use case map back?”
  • They write it down. For every AI tool, they keep a short, boring document: purpose, data, model owner, vendor responsibilities, key risks, controls, and how they would explain decisions to a member. That file becomes the exam artifact before anyone ever asks for it.
  • They treat AI as part of existing risk, not its own religion. The same teams that handle model validation, fair lending, and vendor management are in the room for AI. It is not a side project in a lab.

None of this is glamorous. But it is exactly the sort of boring clarity that plays well when an examiner is looking at your third‑party list and your model inventory and sees “AI” next to a core lending or collections function.

The real question

The absence of a formal AI examination framework is not a green light. It is an invitation to build something defensible on your own terms, while the rules are still mostly principles and expectations, not line‑item checklists.

So the question is not “When will NCUA tell us exactly what to do?”

The question is, “If an examiner walked in tomorrow and asked us to walk through our AI use like any other core vendor or model, would we be able to tell that story without flinching?”