Most banks apply the same governance to internal chatbots and customer-facing credit decisions. That’s either too heavy (killing innovation) or too light (missing real risks).

Probably both, depending on which system you’re looking at.

I’ve seen this pattern repeatedly: Bank creates “AI governance framework.” Framework specifies requirements for validation, documentation, monitoring, approval processes. Every AI system must comply with all requirements. No exceptions, no tiers, one-size-fits-all.

Result? Either the governance is lightweight (so simple tools can comply), in which case high-risk systems lack adequate controls, or it’s rigorous (appropriate for high-risk systems), in which case low-risk innovation dies under bureaucratic weight.

You can’t govern an internal meeting summarizer the same way you govern an algorithmic trading system. They’re not the same risk. They don’t deserve the same governance intensity.

Risk-based approach: proportionate controls.

The Problem with One-Size-Fits-All

Let me paint two scenarios.

Scenario 1: Bank builds an internal tool that summarizes meeting transcripts using an LLM. Employees upload recordings, get back summaries and action items. Saves time, improves productivity.

What’s the risk? If the summary is wrong, someone re-reads the transcript. Annoying but not catastrophic. No customer impact, no regulatory exposure, no financial loss. This is a productivity tool.

Scenario 2: Bank builds a loan decisioning system that uses AI to assess credit risk and recommend approve/deny decisions. Decisions affect customers (can they get a loan?) and the bank (credit portfolio risk).

What’s the risk? If the system is wrong, customers get inappropriately denied (fair lending violations under ECOA or the Fair Housing Act) or inappropriately approved (credit losses). Regulatory scrutiny, financial impact, reputation damage. This is a material decision system.

If you apply the same governance requirements to both, you’ve made a mistake.

Heavy governance on Scenario 1: You’ve just made meeting summarization so bureaucratic that nobody will use it. Six months of validation and approval for a productivity tool? Innovation killed.

Light governance on Scenario 2: You’ve deployed a high-risk system without adequate controls. When it discriminates or makes bad credit decisions, you’re explaining to regulators why you didn’t validate it properly. Regulatory risk realized.

The solution is risk-based tiering: categorize AI systems by risk, apply proportionate governance.

A Three-Tier Framework

I’m going to propose a simple three-tier model. You can make this more granular, but three tiers (High, Medium, Low) cover most use cases effectively.
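
If you end up encoding the tiers in tooling, the taxonomy itself is one small type. Here’s a minimal sketch in Python (the names are mine, not from any standard; the later sketches in this piece build on it):

```python
from enum import IntEnum

class RiskTier(IntEnum):
    """AI system risk tiers. Lower number = higher risk, heavier controls."""
    HIGH = 1    # Automated material decisions
    MEDIUM = 2  # Customer-facing advisory or internal material decisions
    LOW = 3     # Internal advisory and productivity tools
```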

Tier 3: Low Risk - Internal Advisory and Productivity

Examples:

  • Meeting summarization
  • Code completion assistants (e.g., GitHub Copilot)
  • Internal research assistants
  • Document drafting tools
  • Email writing assistance

Characteristics:

  • Internal users only (no customer exposure)
  • Advisory outputs (humans make final decisions)
  • Low stakes (consequences of errors are minor)
  • Easy to verify outputs (humans review before using)

Impact if wrong: Annoying but not material. Worst case: Wasted employee time and work that has to be redone.

Control intensity: Baseline

  • Acceptable use policy (what’s allowed, what’s not)
  • Basic access controls (who can use the tool)
  • Cost/usage monitoring (track spending)
  • Simple feedback mechanism (thumbs up/down)
  • Incident reporting process

That’s it. Don’t make this complicated. Low-risk tools need lightweight governance so people actually use them.

Tier 2: Medium Risk - Customer-Facing Advisory or Internal Material Decisions

Examples:

  • Wealth management advice chatbot (advisor reviews recommendations)
  • Compliance document review assistant (compliance team verifies)
  • Underwriting assistance (underwriter makes final call)
  • Customer service chatbot with human escalation
  • Internal fraud detection alerts

Characteristics:

  • May involve customers or material business decisions
  • Human oversight on critical decisions
  • Some regulatory sensitivity
  • Moderate consequences if wrong (but humans catch most errors)

Impact if wrong: Material but not catastrophic. Bad advice gets caught by human review. Customers might have degraded experience. Some financial or compliance risk.

Control intensity: Standard

  • All Tier 3 controls, plus:
  • Documented use case and risk assessment
  • Validation methodology (test the system works for intended use case)
  • Performance monitoring (track accuracy, quality metrics)
  • Incident response process
  • Audit trails (log decisions and outputs)
  • Periodic reviews (quarterly or annual governance check)

This is substantive governance without being burdensome. You’re validating the system works, monitoring for issues, maintaining audit trails.

Tier 1: High Risk - Automated Material Decisions

Examples:

  • Loan approval/denial automation
  • Credit scoring models
  • Algorithmic trading decisions
  • Fraud blocking (automatic account suspension)
  • Regulatory compliance decisions (e.g., transaction monitoring, sanctions screening)

Characteristics:

  • Automated decisions with material impact
  • Customer-facing or business-critical
  • High regulatory sensitivity
  • Significant consequences if wrong

Impact if wrong: Regulatory violations (Fair Lending, AML), customer harm (wrongful denials), financial loss (bad credit decisions), reputation damage. This is where things get serious.

Control intensity: Maximum

  • All Tier 2 controls, plus:
  • Independent validation (separate team validates the system)
  • Advanced monitoring (model drift, bias, fairness, performance degradation)
  • Board-level oversight (risk committee reporting)
  • Continuous control testing (ongoing validation, not just initial)
  • Formal change management (any changes to prompts, models, data go through approval)
  • Detailed documentation (development decisions, validation results, monitoring)
  • Regulatory reporting (as required)

This is full-rigor governance. It’s appropriate for high-risk systems. It’s too much for low-risk systems.

How to Categorize Your Use Cases

Risk assessment isn’t arbitrary. Ask these questions:

Who is impacted?

  • Internal users only → probably Tier 3
  • Customers involved → at least Tier 2, maybe Tier 1

What’s the decision impact?

  • Advisory only (human makes the final decision) → Tier 2 or 3
  • Fully automated decision → Tier 1
  • Automated, but with human oversight of material decisions → Tier 2

What’s the financial materiality?

  • Cost of being wrong is low (< $10K, minimal customer impact) → Tier 3
  • Moderate cost ($10K - $1M, some customer impact) → Tier 2
  • High cost (> $1M, significant customer/business impact) → Tier 1

(Adjust dollar thresholds for your organization’s scale)

What’s the regulatory sensitivity?

  • No specific regulatory requirements → Tier 3
  • Some regulatory considerations (data privacy, general compliance) → Tier 2
  • Direct regulatory requirements (Fair Lending, AML, credit reporting) → Tier 1

Is there human oversight?

  • Human reviews all AI outputs before action → Tier 2 or 3
  • Human spot-checks some outputs → Tier 2
  • Fully automated, no human review → Tier 1

Walk through these questions for each use case. The answers point you to the right tier.
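
If you want the walkthrough to be repeatable (and auditable), the questions translate directly into a scoring function. Here’s a minimal sketch building on the RiskTier enum above; the field names and dollar thresholds are illustrative, so tune them to your organization:

```python
from dataclasses import dataclass

@dataclass
class UseCase:
    name: str
    customer_facing: bool     # Who is impacted?
    automated_decision: bool  # No human review before action?
    cost_if_wrong: float      # Financial materiality, in dollars
    direct_regulation: bool   # Fair lending, AML, FCRA, etc.
    some_regulation: bool     # Data privacy, general compliance

def assess_tier(uc: UseCase) -> RiskTier:
    """Apply the categorization questions; the riskiest answer wins."""
    # Automated material decisions, direct regulatory requirements,
    # or high financial materiality -> Tier 1.
    if uc.automated_decision or uc.direct_regulation or uc.cost_if_wrong > 1_000_000:
        return RiskTier.HIGH
    # Customer exposure, general regulatory sensitivity,
    # or moderate cost -> at least Tier 2.
    if uc.customer_facing or uc.some_regulation or uc.cost_if_wrong > 10_000:
        return RiskTier.MEDIUM
    # Internal, advisory, low stakes, humans review outputs -> Tier 3.
    return RiskTier.LOW
```

The point isn’t the code; it’s that the criteria are explicit enough to write down and apply consistently.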

Let me show you with real examples:

Example: Customer service chatbot

  • Who: Customers (external)
  • Decision: Answers questions, can escalate to humans
  • Financial: Low direct impact
  • Regulatory: Data privacy, customer treatment
  • Oversight: Humans available for escalation

Assessment: Tier 2. Customer-facing, some regulatory sensitivity, but humans handle complex issues.

Example: Meeting summarizer

  • Who: Internal employees only
  • Decision: Advisory (humans decide what to do with summary)
  • Financial: Minimal (just wasted time if wrong)
  • Regulatory: None specific
  • Oversight: Humans review outputs naturally

Assessment: Tier 3. Internal, low stakes, easy to verify.

Example: Loan approval automation

  • Who: Customers (credit decisions)
  • Decision: Automated approve/deny
  • Financial: High (default risk, origination volume)
  • Regulatory: Fair lending (ECOA), FCRA
  • Oversight: Minimal human review (automated system)

Assessment: Tier 1. High impact, high regulatory risk, automated decisions.
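
Running those three use cases through the sketch above reproduces the same assessments (the cost figures are placeholders):

```python
examples = [
    UseCase("Customer service chatbot", customer_facing=True,
            automated_decision=False, cost_if_wrong=5_000,
            direct_regulation=False, some_regulation=True),
    UseCase("Meeting summarizer", customer_facing=False,
            automated_decision=False, cost_if_wrong=1_000,
            direct_regulation=False, some_regulation=False),
    UseCase("Loan approval automation", customer_facing=True,
            automated_decision=True, cost_if_wrong=5_000_000,
            direct_regulation=True, some_regulation=True),
]
for uc in examples:
    print(f"{uc.name}: Tier {assess_tier(uc).value}")
# Customer service chatbot: Tier 2
# Meeting summarizer: Tier 3
# Loan approval automation: Tier 1
```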

Be honest in your assessment. Don’t under-tier a risky system just to avoid governance overhead. That’s how you end up explaining to regulators why you didn’t have adequate controls.

Control Intensity by Tier

Let me be specific about what controls look like at each tier.

Tier 3 - Baseline Controls:

  • One-page acceptable use policy
  • Access controls (LDAP/SSO, basic permissions)
  • Monthly cost reports
  • Thumbs up/down feedback in UI
  • Incident reporting email alias

Time to implement: Days to weeks
Ongoing effort: Minimal (monitor usage, collect feedback)

Tier 2 - Standard Controls:

  • Documented risk assessment (8-step FINOS heuristic process)
  • Validation: Test system with 50-100 example queries, verify accuracy
  • Monitoring dashboard: Track usage, errors, feedback scores
  • Incident response: Defined escalation process, root cause analysis
  • Audit logging: User, timestamp, query, response (sketched below)
  • Quarterly reviews: Check metrics, identify issues

Time to implement: Weeks to 2 months
Ongoing effort: Moderate (monthly monitoring review, quarterly governance check)
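
To make one of those concrete: the audit trail doesn’t need special infrastructure. An append-only structured log with the four fields above is enough to reconstruct any interaction later. A minimal sketch using Python’s standard library (the file path and logger name are placeholders):

```python
import json
import logging
from datetime import datetime, timezone

audit = logging.getLogger("ai.audit")
audit.setLevel(logging.INFO)
audit.addHandler(logging.FileHandler("ai_audit.jsonl"))  # opens in append mode

def log_interaction(user: str, query: str, response: str) -> None:
    """Write one audit record: user, timestamp, query, response."""
    audit.info(json.dumps({
        "user": user,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "query": query,
        "response": response,
    }))
```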

Tier 1 - Maximum Controls:

  • All Tier 2 controls, plus:
  • Independent validation: Separate team validates system (not the builders)
  • Advanced testing: Bias testing, adversarial testing, edge case analysis
  • Continuous monitoring: Automated drift detection (sketched below), fairness metrics, performance tracking
  • Board reporting: Quarterly risk committee updates
  • Change management: All changes require approval and re-validation
  • Documentation: Detailed technical docs, validation reports, governance evidence
  • Independent audit: Annual review by internal audit or a third party

Time to implement: Months (3-6 months for complex systems)
Ongoing effort: High (continuous monitoring, regular reporting, change management overhead)
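
“Automated drift detection” sounds heavier than it is. The core check compares the recent distribution of a model input or score against a baseline and alerts when divergence crosses a threshold. Here’s a minimal sketch using the population stability index (PSI), a metric long used in credit model monitoring; the 0.1/0.2 cutoffs are conventional rules of thumb, not regulatory requirements:

```python
import numpy as np

def psi(baseline: np.ndarray, recent: np.ndarray, bins: int = 10) -> float:
    """Population stability index between a baseline and a recent sample."""
    edges = np.histogram_bin_edges(baseline, bins=bins)
    base_pct = np.histogram(baseline, bins=edges)[0] / len(baseline)
    new_pct = np.histogram(recent, bins=edges)[0] / len(recent)
    base_pct = np.clip(base_pct, 1e-6, None)  # avoid log(0) in sparse bins
    new_pct = np.clip(new_pct, 1e-6, None)
    return float(np.sum((new_pct - base_pct) * np.log(new_pct / base_pct)))

# Illustrative data: credit scores at deployment vs. the last month.
rng = np.random.default_rng(0)
at_deployment = rng.normal(650, 50, 10_000)
last_month = rng.normal(630, 60, 10_000)

# Rule of thumb: PSI < 0.1 stable, 0.1-0.2 watch, > 0.2 investigate.
if psi(at_deployment, last_month) > 0.2:
    print("Score drift detected - escalate to model risk for review")
```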

The effort scales with risk. That’s the point - you invest governance effort where it matters.

The Governance Benefit

Risk-based tiering enables innovation.

With three tiers, you can say “yes” quickly to low-risk experiments (Tier 3). Employees want to try a new AI tool for productivity? Sure, here’s the acceptable use policy, go try it. If it works, great. If not, no big deal.

You move deliberately on medium-risk systems (Tier 2). Customer-facing chatbot? Let’s do a proper risk assessment, validate it works, set up monitoring, then launch. Not instant, but not a multi-month ordeal either.

You’re rigorous on high-risk systems (Tier 1). Credit decisioning model? We’re doing this right - independent validation, bias testing, continuous monitoring, board oversight. This takes time and effort because the stakes are high.

Resource allocation becomes rational. Most AI use cases are Tier 2 or 3. Few are Tier 1. You can run 20 Tier 3 experiments with the same governance effort as one Tier 1 system. That’s the right allocation - lots of low-risk innovation, careful scrutiny on high-risk deployment.

This approach aligns with how regulators think about risk. They don’t expect the same controls for a meeting summarizer as for a credit model. They expect risk-based governance: more controls for more risk.

(Regulators in banking have been doing risk-based model governance for years. This isn’t a new concept - it’s adapting existing risk management principles to AI systems.)

Start with Tiering

If you’re building AI governance, start by tiering your current and planned AI use cases.

Make a list. Categorize each one as Tier 1, 2, or 3 using the questions above. Be honest about risk - don’t under-tier to avoid governance.

Then design governance intensity to match:

  • Tier 3: Lightweight, enabling, fast
  • Tier 2: Standard, balanced, documented
  • Tier 1: Rigorous, validated, monitored

You’ll find most use cases are Tier 2 or 3. That’s good - it means you can move faster on most things. The few Tier 1 systems get the attention they deserve.

Don’t make the mistake of governing everything like it’s Tier 1 (too slow) or everything like it’s Tier 3 (too risky). Match controls to risk.

Your employees will thank you (they can innovate on low-risk tools). Your risk team will thank you (high-risk systems have proper controls). Your regulators will view you as competent (you understand risk-based governance).

Tier your AI systems. Apply proportionate controls. Enable innovation while managing risk. That’s governance that actually works.