How to Prepare for a Regulatory Exam When Using AI in Compliance Workflows

A regulatory exam that includes AI is not fundamentally different from one that does not. The same supervisory principles apply: accountability, documentation, consistency, control. The institution that prepares well treats the AI as one more model and one more vendor inside the existing framework.
Artificial Intelligence (AI)

What Examiners Will Ask

When AI is part of the compliance workflow, examiners typically ask versions of: What is the AI used for? How was the use case approved? What policies is the AI calibrated to? How do you validate the AI? How do you monitor performance? How do you handle changes? Show me a case from start to finish. Show me an exception clearance and the rationale. Show me how your reviewers use the AI's outputs. Show me your QA function and recent findings.

None of these questions is new. They are the model risk questions of SR 11-7 and the vendor questions of the Interagency Guidance on Third-Party Relationships, applied to a newer tool. Note that the agencies issued revised, principles-based interagency model risk management guidance in April 2026, SR 26-2, so exam teams will increasingly frame model questions in its terms while the underlying expectations remain familiar. For BSA/AML workflows specifically, the exam procedures come from the FFIEC BSA/AML Examination Manual.

A program that can answer each of these with documented artifacts passes the conversation. A program that requires retroactive reconstruction does not.

The Pre-Exam Preparation Package

Maintain a continuously updated AI exam package that includes:

  1. Program overview. The AI use cases inside the compliance program, the owners, the risk classification of each use case, and the current status.
  2. Policy and governance. The policies governing AI use, the AI governance body and its charter, the use-case approval documentation for each AI deployment, and the risk-rating methodology and how AI maps to it.
  3. Configuration documentation. The configuration of each agent persona, the policy mapping for each configuration, the version history, and the change management documentation.
  4. Validation and monitoring. The validation methodology, the most recent validation reports, the performance monitoring reports, and the override-rate and exception trend reports.
  5. Vendor documentation (for vendor AI). The vendor due-diligence file, the contract with key terms, the vendor's model documentation, and the most recent vendor monitoring artifacts.
  6. Sample case files. A range of case files showing the workflow end to end, cases with clean dispositions and cases with exceptions, and the audit trail for each.
  7. QA function. The QA charter, the QA sampling methodology, the most recent QA reports, and the remediation tracking.
  8. Reviewer training. The training program, recent training completion records, and the reviewer authority matrix.
  9. Board and senior management reporting. The cadence and content of AI reporting to senior management and the board.

The Day-One Conversation

The opening exam conversation about AI typically establishes the institution's overall AI posture, the use cases, the governance approach, the validation discipline, and the available evidence. Lead with the program overview. Walk through the use cases. Reference the artifacts.

The Sample File Walkthrough

A common request is to walk through a specific case. Be prepared to open the case file, show the intake documentation, show the AI analysis with citations, show the reviewer's actions and rationale, show the final disposition, and show the audit trail.

The walkthrough is a test of the program's documentation discipline. For BSA/AML case files, examiners will also test the underlying obligations directly: customer due diligence under the FinCEN CDD Final Rule and suspicious activity reporting under 31 CFR 1020.320.

Anticipating Specific Questions

  • "How do you know the AI is working as designed?" The validation discipline, the performance monitoring, the override-rate analysis.
  • "What happens when the vendor updates the model?" The contractual material-change notification, the formal evaluation, the re-validation.
  • "How do reviewers exercise judgment?" The authority matrix, the exception clearance process, the QA sampling.
  • "How is the board informed?" The board reporting cadence and content.
  • "How does the AI affect fair lending or consumer protection?" The Privacy-First architecture, the evidence-grounded outputs, and the citation-backed rationale aligned to CFPB Circular 2023-03 expectations for specific adverse-action reasons under Regulation B.

What Not to Do

  • Do not minimize the AI's role.
  • Do not over-claim the AI's role. Reviewers make decisions.
  • Do not produce documentation that did not exist before the exam.
  • Do not bypass governance because the exam is friendly.

How StandardC AI Approaches This

StandardC AI produces exam-ready documentation as a side effect of normal operation. Configurations are version controlled. Outputs are citation backed. Audit trails are complete. The vendor due-diligence package includes architecture documentation, model documentation aligned to SR 11-7 expectations, deterministic processing evidence, SOC reporting, contractual rights covering audit and material-change notification, and ongoing monitoring artifacts.

Frequently Asked Questions

How early should we begin exam preparation?

A continuously updated exam package is more effective than a pre-exam scramble.

What if the examiner is unfamiliar with AI?

Lead with principles, not technology. Explain the governance, the documentation, and the controls.

What if the examiner asks for something the program does not have?

Acknowledge the gap honestly, document the response, and add the artifact to the program.

Authoritative Sources