April 22, 2026
The Questions That Build Better AI Partnerships
AI is now woven into almost every core, loan origination system (LOS), and digital banking roadmap. It often shows up as a feature release, not as a standalone AI project.
That is exactly why the questions you ask your vendors about their AI matter as much as the features themselves.
The NCUA's AI resource hub, updated in December 2025, makes this explicit: when partnering with AI companies, credit unions face distinct challenges that can extend beyond traditional third-party vendor management. The complexity of AI systems requires more deliberate due diligence and ongoing monitoring of vendor frameworks. The agency ties AI oversight directly to its existing third-party vendor guidance in Letters 07-CU-13 and 01-CU-20, while acknowledging that AI introduces additional dimensions those letters were not designed to address.
The goal is not to become AI engineers. The goal is to get crisp answers to a small set of questions that really govern risk, member impact, and exam readiness.
The model question
The first line of AI vendor due diligence is understanding what model you are actually buying. What model underlies this solution? Is it a proprietary model built by the vendor, a fine-tuned version of a foundation model, or an API wrapper around a third-party model like GPT or Gemini?
The answer determines where your data goes, who has access to it, and what governance the underlying model is subject to. If a vendor's AI product is built on a third-party foundation model, your contract with the vendor does not govern the third-party model's behavior. That layer of the technology sits outside your direct oversight chain. For a credit union using AI in lending decisioning or fraud monitoring, that is a material fact to understand and plan around.
The data question
Is member data used to train the model? If so, under what terms, with what consent framework, and what happens to that data if the vendor relationship ends?
AI models trained on member financial behavior create data relationships that do not end cleanly when a contract does. Understanding the data lifecycle — what is collected, how it is used, who owns the model outputs, and what deletion or de-identification actually looks like — is now a core component of AI vendor due diligence, not a technical footnote. Clear answers here protect both member trust and your ability to pivot if you change providers.
The bias and fairness question
For any AI used in credit decisions, underwriting, member segmentation, or collections, the fair lending question is not optional. ECOA nondiscrimination requirements apply regardless of whether a human or a model made the decision.
The due diligence question is: what testing has this vendor conducted for disparate impact across protected classes, and can they show you the results? That means the testing methodology, the sample, and the outcomes, not just a slide that says “no bias detected.” If a vendor can walk you through that work in detail, it gives your fair lending, compliance, and audit teams something concrete to stand on.
The explainability question
When a model produces an adverse action in a credit decision, can you generate a specific, compliant adverse action notice? This is a legal requirement under ECOA and Regulation B, and it is an area regulators and examiners already know how to examine.
Ask the vendor to walk you through an adverse action scenario before you sign. How do they trace a model decision to the reasons a member sees? Where are those reasons stored? Can they support both consumer and small business credit? The quality of that walkthrough tells you more than any generic compliance statement. AI models that function as black boxes, where no one at the institution or the vendor can explain why a specific decision was reached, cannot satisfy the adverse action notice requirement.
The ongoing monitoring question
Models drift. Behavior changes as the data a model encounters in production diverges from its training data. A model that performed well in testing can behave differently when member behavior shifts, new products launch, or fraud patterns evolve.
What ongoing monitoring does the vendor conduct for model drift, accuracy degradation, and fairness metrics? What is the notification protocol if the model's behavior changes materially? What does the vendor exit process look like, including what happens to model outputs and member data when you unwind the relationship? Putting these answers into the contract turns broad commitments into specific expectations your teams can manage against.
These are practical questions, not trick questions. They give your vendors a clear picture of what your risk, compliance, and member-facing teams need from them.
Shared accountability, not outsourced accountability
The shared responsibility model that good AI governance requires means credit unions cannot outsource accountability along with capability. The vendor manages the technology. The institution remains accountable for the member outcomes, the fair lending posture, and the exam story that goes with both.
At a simple level, responsibilities tend to fall into three buckets:
- The vendor owns how the model is built, trained, tested, and secured, including documenting its limits and known failure modes.
- The credit union owns member data quality, use case selection, thresholds and overrides, and how model outputs are turned into real decisions in lending, fraud, and member service.
- Both share responsibility for monitoring performance and fairness over time and for making sure decisions can be explained to members and examiners in plain language.
Once those roles are clear, AI stops being a mysterious feature inside someone else's platform and starts looking like part of your normal risk and member experience decisions. Asking these questions at due diligence time is what turns “the vendor said it is fine” into a documented, repeatable shared responsibility model your teams can actually manage.
What question do you wish you had asked an AI vendor before deployment that you did not think to ask at contract time?