Field notes on AI governance, security leadership, and what it actually looks like to run technology inside a regulated institution — when the examiners show up and the system fails at the same time.
NIST AI RMF 1.0 is a useful starting point — but the gap between "MAP your AI systems" and "explain this model's output to an NCUA examiner" is where institutions actually fail. This is what I've learned sitting in both chairs.
The new Govern function isn't just a reorganization — it's a fundamental shift in how the framework treats accountability. Here's how I mapped it to our existing program and what we had to rebuild from scratch.
It's not a part-time CIO. It's not a consultant who attends the monthly IT meeting. The fractional model works when an institution has real technology decisions to make and needs someone with the experience to make them confidently.
Running a multi-agent stack isn't just a technical exercise — it's a governance one. Egress fencing, human approval gates, append-only audit logs: these aren't theoretical controls. They're what I had to build to feel confident in my own system.
The third-party AI problem isn't coming — it's here. Every major core system vendor is embedding AI into their platform. Most institutions have no governance framework ready to evaluate it. Here's how I'd approach it.
Most IT budgets are built from the prior year plus a cost-of-living adjustment. That math stops working the moment your technology strategy changes — and right now, it's changing fast.
If you're putting together a conference track, podcast series, or leadership event on AI governance, financial technology, or security leadership — I talk about what I've actually done, not what the slide deck says you should do.