February 9, 2026

We’re starting with governance intentionally. The NCUA is increasingly asking about AI oversight, and those conversations go much better when you’ve already established how you govern data. You can’t have responsible AI without trustworthy data underneath it.

So let’s begin there.

I’ve watched organizations fail at data governance from both ends of the spectrum.

Some build elaborate frameworks: governance councils, data stewards in every department, 50-page policies, only to watch them collapse under their own weight. Others skip governance entirely, treating data like it’s someone else’s problem, until an exam finding or a bad lending decision forces the conversation.

Both extremes miss the point.

Think of data governance like your loan policies. Every credit union needs lending policies. It’s foundational to operating safely and soundly. But a $100M credit union doesn’t need the same 200 page policy manual as a $10B institution. The principles are the same: sound underwriting, appropriate risk management, regulatory compliance. The implementation scales.

Data governance works the same way. The principle, ensuring your data is trustworthy, secure, and properly used, is universal. How you implement it should match your reality.

In conversations with executives and boards about appropriate governance levels, I keep coming back to four factors:

  1. Maturity: Where are you honestly on your data journey? Early-stage organizations need simpler structures.
  2. Resources: What can you realistically staff and sustain? A framework that requires five full-time roles won’t work if you have one data analyst.
  3. Business Complexity: How many systems, data sources, and business lines are you managing? Complexity demands more structure.
  4. Strategic Priorities: What are you trying to enable? AI-powered lending decisions require different governance than basic reporting.

Over the years I have been involved in numerous governance efforts. Early efforts at governance were very static and structured. Early governance was comprehensive and impressive but in reality delivered bureaucratic overhead that people worked around instead of adopted.  Governance isn’t about checking boxes or impressing auditors. It’s about creating just enough structure to ensure data supports good decisions. No more, no less.

Right-sized governance delivers value. Over-engineered governance creates bureaucracy. Under-governed data creates risk.

The goal isn’t governance for governance’s sake. It’s governance that matches your organization’s maturity, respects your resource constraints, addresses your actual complexity, and enables your strategic priorities.

When you think about your organization’s data governance:

  • Does it feel appropriately sized?
  • Or does it lean toward over-engineered or under-developed?
  • What drove it to that state?