Corvus AdvisorsContact
00Insights/Governance

What examiners will ask about your AI program in 2026

A pragmatic anticipation of the questions regulators are beginning to formulate — and what institutions can do now to answer them with conviction.

2026 Outlook·8 min read

The supervisory posture toward artificial intelligence is shifting from curiosity to expectation. Examiners across the major prudential and conduct regulators have spent the last eighteen months building intellectual scaffolding around AI. In 2026 they will begin to use it. The institutions best positioned for that conversation are not the ones with the most ambitious AI roadmaps, but the ones whose leadership can describe, in operational terms, how AI is actually used, governed, and overseen across the enterprise.

Most institutions are not yet ready for that conversation. Not because they lack policy documents — there are plenty — but because the distance between policy and practice has widened faster than governance functions have been able to close it. The questions on their way are not abstract. They are concrete, operational, and uncomfortably specific.

From policy to evidence

The defining shift in 2026 will be from policy review to evidence review. Examiners will accept that institutions have AI principles, AI committees, and AI usage standards. What they will test is whether those artifacts produce decisions, controls, and outcomes that an outside reader can reconstruct.

Expect questions framed not as 'do you have a policy on X' but as 'show us where X was applied in the last quarter.' That reframing alone will surface most of the gaps that institutional AI programs carry today.

The questions to prepare for

The following are the questions we believe senior leadership should be able to answer cleanly, in plain language, with documentation behind each answer.

  • Where, specifically, is AI used inside the institution today — including embedded vendor capabilities and tools adopted by individual teams?
  • Who is accountable for each material use, and how is that accountability evidenced in performance objectives, committee minutes, or control attestations?
  • How are AI systems classified by risk, and what controls are differentially applied across those tiers?
  • What is the institution's process for approving a new AI use case, and how long does it actually take end-to-end?
  • Which third-party AI capabilities are in production, and what diligence supports their continued use?
  • How does the institution detect material change in a model's behavior, prompt configuration, or upstream data?
  • Where has human oversight been formally designed into a workflow, and how is the quality of that oversight measured?
  • What evidence exists that customers, employees, and counterparties are treated consistently when AI is involved in a decision that affects them?
The institutions best positioned will be the ones whose leadership can describe, in operational terms, how AI is actually used.

The quiet risk: shadow adoption

The most consequential examination findings of 2026 are unlikely to come from the institution's flagship AI initiatives. They will come from the long tail of unsanctioned use — teams running sensitive data through consumer-grade tools, vendors silently embedding generative features into existing products, individual contributors building agentic workflows without anyone in second line aware they exist.

An institution that cannot inventory its own AI usage cannot govern it. That is the simplest sentence in this entire essay, and the one most likely to be tested.

What to do now

Three actions, in our view, materially improve an institution's posture before the next supervisory cycle.

  • Establish a single, current inventory of AI usage that reconciles enterprise tooling, vendor capabilities, and team-level adoption — owned by a function that has authority to keep it accurate.
  • Translate AI policy into named decision rights and named accountable individuals for each material use, and make those visible in management reporting.
  • Define and rehearse the institution's own examination narrative — the story leadership would tell about how AI is governed — and stress-test it against the questions above before a regulator does.

An operating issue, not a paper exercise

AI governance is increasingly an operating and management problem rather than a documentation one. The institutions that recognise this early will treat the 2026 examination cycle not as an audit to survive but as a moment to demonstrate the seriousness of their approach. The institutions that do not will find themselves explaining, at speed, the gap between what their policies say and what their organisations actually do.

Related insights
Strategy

The institutional case against the use-case backlog

Why the proliferating list of AI pilots inside large institutions is a symptom of a missing strategy, and what to do instead.

Read essay
Data Integrity

Data lineage as the precondition for trustworthy AI

Drawing on the data-integrity work at the foundation of financial operations, an argument for why provenance must precede deployment.

Read essay
All insights