Executive Summary
The OCC's 2025 model risk management clarification (Bulletin 2025-26) brought AI governance into explicit focus for community banks and mid-size institutions. If you're evaluating AI tools for any part of the lending process, examiners now expect documentation, governance, and oversight proportionate to the risk.
At the same time, most commercial underwriting teams spend roughly 70% of their time on data extraction, not credit analysis. Spreading tax returns, tracing K-1 distributions, chasing documents, reconciling financials. AI has gotten good enough to handle that work reliably. The question is how to deploy it in a way that holds up when an examiner pulls the file.
This guide covers both sides: what the technology can do today, and what the governance around it needs to look like. It's written for CLOs, CCOs, credit administrators, and model risk officers at community banks, credit unions, regional banks, and specialty lenders. Inside, you'll find a vendor-agnostic evaluation framework (three non-negotiables any tool should meet), six use cases already in production with what examiners see for each, the regulatory expectations under SR 11-7 and OCC 2025-26, a 30/60/90-day implementation timeline, and an examiner readiness checklist you can bring to your next vendor evaluation or share with your model risk officer.
Section 01
What's Pushing AI Into Commercial Underwriting
The Manual Work Is the Bottleneck
Every commercial deal requires a lot of analyst time before anyone applies any credit judgment. Document chasing, spreading, cross-checking financials against tax returns, assembling the credit memo. Roughly 70% of the work is just moving data from one format to another and making sure the numbers tie.
A single deal can produce 500 to 1,000+ pages of tax documents across entities and years: three years of returns per entity, multiple entities, multiple guarantors. That's one to two full working days of manual spreading before any credit analysis begins. It works when you're running 15 deals a month. It doesn't work at 30.
Hiring doesn't fix it. Good commercial underwriters already have jobs. Junior analysts take six to twelve months to get up to speed, and during that ramp they're consuming senior analyst time, not freeing it.
So you end up triaging. The $500K deal gets the same credit policy applied, but not the same depth of analysis as the $5M deal. That's rational. It's also the kind of inconsistency that concerns examiners.
Turnaround Time Matters More Than Most Lenders Track
A borrower walks into two banks with the same CRE deal. Both can offer competitive terms. One gets back with a term sheet in three days. The other takes two weeks. The borrower doesn't wait.
This dynamic is most visible in SBA lending, where borrowers routinely submit to three or four lenders simultaneously. But the same pressure shows up across every commercial lending vertical: the CRE deal with a closing deadline, the C&I credit where the business owner needs working capital before they miss a contract, the acquisition loan where timing determines whether the deal happens at all.
The deals that aged out of your pipeline, where the borrower quietly went somewhere faster, don't show up on any report. They're worth paying attention to.
Examiner Expectations Are Tightening on Consistency
There's also an examiner angle. Two underwriters spreading the same tax return will make different calls on add-backs, normalization, and one-time item treatment. When an examiner samples loan files across a portfolio, those inconsistencies become findings.
The OCC's 2025 clarification on model risk management (Bulletin 2025-26) brought AI governance into explicit focus for community banks up to $30B in assets. Explainability is now a threshold requirement. If you're using AI tools in any part of the lending process, examiners expect documentation, governance, and oversight proportionate to the risk.
This cuts both ways. Well-implemented AI tools can improve consistency: same thresholds, same policy rules, same treatment on every application. But poorly governed ones create new categories of risk. The governance side matters as much as the technology, which is most of what this guide is about.
The Technology Crossed a Threshold
None of these pressures are new. What changed is that the technology actually works now.
Previous automation approaches failed because tax returns aren't standardized tables. They're semi-structured documents with continuation sheets, supplemental statements, handwritten amendments, and schedules that reference other schedules. Large language models changed this. Not just better character recognition, but actual comprehension of what a line item means, how it relates to other line items on other forms, and whether the numbers make sense in context.
Two years ago, automated spreading tools could handle clean, typed personal returns with moderate accuracy. Today, purpose-built systems handle multi-entity partnerships with tiered K-1 flows, cross-reference financial statements against tax returns, and produce global cash flow analyses with source-document traceability at accuracy levels that match or exceed careful manual work.
That doesn't mean it's safe to deploy blindly. The accuracy makes deployment feasible. The governance framework around it is what makes it defensible, and that's what most of this guide covers.
Ungoverned AI Is Already in Most Lending Shops
At most commercial lending shops right now, an analyst gets a 1065 with a complex K-1 structure, they're behind on the deal, and they open ChatGPT. They paste in pages from the tax return and ask it to help trace the distributions. Or they upload financial statements and ask it to flag inconsistencies. They're not being reckless. The tools are available, the pressure is real, and the alternative is another two hours of manual work.
The analysts doing this tend to be the good ones. Resourceful enough to find a faster path.
The issue is that borrower tax returns, personal financial statements, and guarantor information are flowing into consumer tools with no data governance, no audit trail, and no way to explain to an examiner what happened to that data. If a regulator asked "what tools are your analysts using to support their underwriting work?" the honest answer at most institutions would be uncomfortable.
That's a governance gap worth closing, not because AI is inherently risky, but because the compliance exposure is avoidable.
Section 02
Three Non-Negotiables for AI-Assisted Credit
The technology works. But working and being safe to deploy in a regulated environment are different things. These three principles are the minimum bar. They apply regardless of vendor.
Non-Negotiable 1: Explainability — Every Number Needs a Paper Trail
Examiners don't accept "the AI said so." Every output needs to trace back to a source document, a specific page, a specific line of text.
This is what separates tools built for regulated lending from general-purpose document extraction. A general-purpose tool can pull numbers out of a PDF. But can it show you which page the number came from? The confidence level of the extraction? When a calculated ratio like DSCR uses that number as an input, can you see the full formula and every input?
When an examiner pulls a loan file, they'll trace the analysis back to source documents. If the spread says revenue was $4.2M, they need to see that $4.2M on page 3 of the tax return, and they need to see that the system showed it to the underwriter too.
Accuracy matters, obviously. But the examiner question is whether you can prove it.
Non-Negotiable 2: Human Decision Authority — The Underwriter Is Always Right
The distinction between "AI-assisted underwriting" and "automated underwriting" matters to regulators. In an AI-assisted model, the technology handles data extraction, calculation, and flagging. A human reviews every output, overrides errors, authors the credit memo, and makes the recommendation. There is no code path where a loan moves forward without a human signing off.
What this looks like in practice:
- Underwriters can override any AI-extracted value. The original AI value is preserved in the audit trail alongside the human correction.
- Overrides are tagged as manual, not blended back into the AI output.
- Risk flag dismissals require a written justification: "Declining revenue reflects planned asset sale, not operating deterioration. See note 7 on page 23."
- Dismissed flags remain visible in the record with the reason, user attribution, and timestamp. No silent deletions.
| Function | AI Role | Decision Authority |
|---|---|---|
| Document extraction | Extracts and classifies data | Human reviews and corrects |
| Financial analysis | Computes ratios and trends | Human validates and interprets |
| Risk flag generation | Identifies potential issues | Human reviews and dispositions |
| Credit memo | Provides data and context | Human authors the memo |
| Credit decision | None | Human decides, committee approves |
AI Proposes
- Extracts & classifies data
- Computes ratios & trends
- Generates risk flags
- Builds memo framework
- Traces K-1 distributions
No decision authority
Human Decides
- Reviews every output
- Overrides errors
- Applies credit judgment
- Authors the credit memo
- Makes the recommendation
Full decision authority
Record Preserves
- AI value logged
- Human value logged
- Override reason captured
- Full attribution & timestamp
- Decision lifecycle queryable
Examiner-ready in real time
Non-Negotiable 3: Audit Trail — If It's Not Logged, It Didn't Happen
Examiners reconstruct the full lifecycle of a credit decision. Every action needs attribution.
- Every document upload, AI extraction, human override, flag dismissal, and credit decision, logged with user and timestamp
- Historical records maintained. Every prior state, not just where things stand today
- Queryable in real time, not a report you run after the fact
Pull up a completed loan. Show every action that was taken on it, by whom, and when. If you can do this in real time while an examiner watches, your audit trail is real. If you need to "pull a report" or "check with IT," it isn't.
Section 03
Six Use Cases Already in Production
Ask any experienced underwriter what they'd do differently if they had twice the time on every deal. Nobody says "I'd spread the numbers differently." It's always the stuff they know they should be doing but can't get to: actually reading the footnotes, cross-referencing tax returns against financial statements, tracing every K-1 instead of spot-checking.
That's the best guide to where AI belongs in underwriting: the work your team already knows matters but can't do consistently because of volume.
Each use case below follows the same pattern: the manual reality you'll recognize, what AI handles, what humans still own, and what examiners see.
Use Case 1: Automated Spreading & Global Cash Flow
The Manual Reality
A typical commercial deal lands as a stack of PDFs: personal returns, partnership returns, S-corp returns, K-1s, sometimes organized by entity and year, more often as a single bulk upload. For a clean 1040, spreading takes 20 to 30 minutes. For a multi-entity 1065 with numerous K-1s and rental schedules, it's over an hour. Then comes the hard part. A guarantor owns 40% of an LLC filing a 1065, which owns 60% of another LLC filing a separate 1065. The underwriter traces K-1 distributions across tiered ownership structures, reconciles amounts, builds the entity map by hand. One miskeyed K-1 amount cascades through the entire global cash flow analysis. One to two full working days per deal, before any credit analysis begins.
What AI Handles
The best tools classify each document (1040, 1065, 1120, 1120-S), identify the tax year and filing entity, and extract the specific line items that matter for credit analysis. Not generic OCR. These are models trained on the specific fields an underwriter would key into their spreading template. Where the automation is most valuable is K-1 tracing and entity mapping. The system matches K-1 distributions to corresponding partners, traces ownership percentages across entities, and builds the entity structure automatically. Entity-level spreads roll into a consolidated global cash flow, with every DSCR input traceable to its source document.
What the Human Still Owns
Reviews every extracted value. Overrides errors on scanned or unusual-format documents. Applies judgment on edge cases: amended returns vs. originals, mid-year S-corp elections, which entities to include. Determines add-backs per credit policy. The AI flags edge cases rather than silently deciding.
What Examiners See
Every number links to the exact page and line of the source tax return. Override history shows original AI value vs. human correction with attribution. Same methodology applied to every deal, not varying by analyst. In parallel validation, lenders typically find AI-produced spreads match or exceed manual accuracy, and catch K-1 tracing errors the manual process missed.
In Practice: When an examiner asks to trace a DSCR back to source, the underwriter should be able to click the ratio, see the formula and every input, click any input, and see the source document page highlighted. Any tool in this space should be able to demonstrate this level of traceability.
Use Case 2: Financial Statement Deep Reading
The Manual Reality
Everyone spreads the ratios. Almost nobody reads the footnotes. That's where things get missed. An audited financial statement is 30 to 50 pages. The balance sheet and income statement take up 3. The rest is footnotes: contingent liabilities, related-party transactions, lease commitments, subsequent events, accounting policy changes. Meanwhile, a borrower's P&L says revenue was $4.2M and their tax return says gross receipts were $800K. Same company, same year. That discrepancy means someone is showing the bank one set of books and the IRS another. An underwriter under time pressure spreads the numbers from the summary pages, runs the ratios, and moves on. Not because they don't know the notes matter. They don't have time.
What AI Handles
AI reads every page of every document, not just the summary numbers. It identifies contingent liabilities, related-party transactions, concentration risks, and subsequent events. It cross-references financial statements against tax returns and flags discrepancies: revenue that doesn't reconcile, assets that don't match depreciation schedules. This is why second-pass validation matters. The first pass extracts numbers. The second pass asks "does this make sense?" If revenue on the P&L is three times what's on the tax return, without a second-pass check the system just extracts both numbers and moves on, confident but wrong. With validation, that discrepancy becomes a flag the underwriter has to address before proceeding.
What the Human Still Owns
Interprets flagged items in context and determines materiality. A related-party transaction that's routine for this industry versus one that signals concentration risk. The AI can surface it, but only a human can tell you which one it is.
What Examiners See
Analysis citing specific footnotes and page references. Evidence that the underwriter considered the full document, not just the summary page. Cross-document reconciliation between financial statements and tax returns.
Use Case 3: Document Collection & Intelligent Request Generation
The Manual Reality
Before underwriting begins, someone has to figure out what documents are needed and chase them down. Three years of business tax returns, three years of personal returns for each guarantor, interim financials, rent roll, insurance certificates, entity documents. The loan officer sends a checklist. The borrower sends some of it. Follow-up, waiting, more follow-up. The document chase can take longer than the actual underwriting, and it's where the borrower experience tends to break down.
What AI Handles
Based on the loan type, entity structure, and credit policy, AI generates a tailored document request — not a generic checklist but a specific list for this deal. As documents arrive, the system classifies them, matches them against the request, and identifies what's still missing. Follow-up requests get generated with specifics ("We still need the 2024 1065 for [Entity Name] and the K-1s for all partners").
What the Human Still Owns
The loan officer manages the borrower relationship. Decides when to push for missing documents vs. proceed with what's available. Determines whether a substitution is acceptable.
What Examiners See
Complete document inventory with timestamps: when each item was requested, when received, what's outstanding. Evidence of a systematic, policy-driven collection process.
Use Case 4: Risk Flag Generation & Exception Tracking
The Manual Reality
Credit policy says DSCR must be above 1.25x. An analyst spreads the deal and gets 1.18x. Now what? Some analysts write it up as an exception. Some adjust the add-backs until the number works. Some flag it and wait for guidance. Depends on the analyst. An examiner samples two loan files. One analyst flagged a declining revenue trend and documented why it wasn't a concern. The other didn't mention it. Finding.
What AI Handles
Flags potential credit risks based on thresholds you configure to match your credit policy: declining revenue trends, debt service coverage approaching covenant levels, guarantor liquidity below minimums, concentration in a single industry or customer. Same rules applied to every deal, every time.
What the Human Still Owns
Reviews each flag. Dismisses with written justification or escalates. Dismissed flags remain visible in the record with reason, user attribution, and timestamp. No silent deletions.
What Examiners See
Complete flag history across the portfolio: what was raised, who reviewed it, what action was taken, and why. You can also see patterns. If one analyst dismisses a certain flag type 90% of the time, that's a training conversation, not a buried risk.
Use Case 5: Credit Memo Preparation
The Manual Reality
An underwriter spends a day and a half spreading and analyzing a deal. Then another half day writing the credit memo, a document that largely restates what they just analyzed, structured for committee review. Every memo follows roughly the same structure, but each one is written from scratch. The time pressure that compressed the analysis also compresses the memo. Thin memos on complex deals, or thorough memos that delayed the deal by two more days.
What AI Handles
Assembles the data, ratios, flags, trends, and analysis into a structured credit memo framework: financial summary with source-document citations, ratio analysis with formulas visible, cash flow trends, risk flags and their dispositions. To be clear: these are not "AI-generated credit memos." The AI provides the building blocks. The underwriter writes the memo, adds the narrative, and makes the recommendation. There's no path where a memo goes to committee without a human authoring it.
What the Human Still Owns
Authors the credit memo. Adds context the documents can't provide: market conditions, borrower history, strategic fit, the relationship context that only comes from working with someone for years. Makes the recommendation and presents to committee.
What Examiners See
Credit memo authored by a named underwriter, with supporting data traceable to source documents. Clear attribution of who recommended and who approved. Consistent quality on the 50th memo of the month as on the first.
Use Case 6: Covenant Monitoring & Portfolio Surveillance
This extends AI beyond origination into ongoing portfolio management. Core covenant testing is production-ready; more advanced portfolio analytics are still maturing.
The Manual Reality
The deal closes. The file goes into the system. Then quarterly financial covenants need testing, annual renewals require updated financials, borrower conditions need tracking. For a lender with hundreds of commercial loans, each with its own covenant structure and reporting requirements, this is where things fall through cracks. A missed financial delivery, an untested covenant, a borrower in technical default for six months that nobody caught until the annual review. The typical workflow: an analyst maintains a spreadsheet tracking covenant compliance dates. When financials arrive (if someone remembers to follow up), they manually test each covenant, update the tracker, and flag breaches. The spreadsheet lives on one person's desktop. When that person leaves, the institutional knowledge goes with them.
What AI Handles
Tracks covenant compliance, financial reporting deadlines, and borrower condition requirements. When updated financials come in, the system extracts the relevant metrics and tests them against covenant thresholds. It also flags when borrowers are approaching covenant levels, not just when they've already breached. Trend analysis across reporting periods can surface deterioration before it becomes a problem. For example: a borrower's fixed charge coverage ratio has declined from 1.45x to 1.32x to 1.28x over three quarters, against a 1.25x covenant. The system flags the trajectory before the breach, giving the relationship manager time to have a conversation rather than deliver bad news.
What the Human Still Owns
Determines the appropriate response to a covenant breach or deterioration signal. Decides whether to waive, restructure, or escalate. Manages the borrower conversation. The system shows you what's happening; the human decides what to do about it.
What Examiners See
Systematic portfolio surveillance with documented evidence of monitoring. Covenant testing tied to source documents instead of an unaudited spreadsheet. Trend analysis showing the lender is catching deterioration early, not discovering problems during annual reviews.
Understanding the Time Cost
It's worth doing the math on how much analyst time goes into data extraction today, because it's usually more than people think.
If spreading takes 12 hours per deal on average (8 to 16 for complex multi-entity deals) and your team processes 20 deals per month, that's 240 analyst hours per month on data extraction before any credit analysis begins.
Most of that is keying numbers from one format into another, tracing K-1 distributions, reconciling figures across documents. Whether it makes sense to automate depends on your deal volume, complexity mix, and staffing. But knowing the actual time cost is useful regardless of what you decide to do about it.
Want the formatted PDF?
Download the complete playbook as a printable PDF — including the examiner readiness checklist and decision authority matrix.
Download the PlaybookSection 04
What Regulators Actually Expect
The Bar Is Clear, Not Ambiguous
There's a perception that AI in lending sits in a regulatory gray area. It really doesn't.
SR 11-7 (Fed/OCC Model Risk Management) applies to any AI model touching credit decisions: documentation, validation, ongoing monitoring. But the guidance explicitly allows proportionality. A community bank using a vendor's AI spreading tool has different obligations than a G-SIB running proprietary credit decisioning models.
OCC Bulletin 2025-26 clarified this for community banks: institutions up to $30B in assets have flexibility to tailor model risk management practices proportionate to their risk exposure and the complexity of their model use. There is no requirement for annual model validation. The frequency should be commensurate with risk.
The bar is real but reasonable. Smaller institutions aren't expected to build enterprise-grade MRM programs. They need to know what AI tools they're using, how those tools work, and how they're governed.
What Examiners Actually Ask
Five questions come up consistently:
- "Show me the model inventory." What's running, what does each model do, what's its decision authority? This is a document request, not a conversation. If the document doesn't exist as an actual artifact, you're already behind.
- "Walk me through what happens when the AI is wrong." Show me the override flow. Show me a real example of an underwriter correcting the AI. Show me that the original value is preserved.
- "If I pick a random loan file, can you reconstruct the full decision lifecycle right now?" Every action, by whom, and when. In real time.
- "Are the same thresholds applied to every application?" This is both a governance question and a fair lending question.
- "When did you last update the model version? What was the validation process?" Examiners want change management, not just that the system works, but that updates are controlled, validated, and documented.
What Examiners Don't Expect
Perfection. They expect continuous improvement and honest acknowledgment of limitations.
Cutting-edge technology. Well-governed simple tools outperform poorly governed sophisticated ones in exams.
Enterprise-grade MRM at every institution. Your governance should match your risk, not JPMorgan's.
Fair Lending Implications
AI in credit is a fair lending topic whether you want it to be or not. AI tools that process only business financials, without collecting demographic data or using geographic proxies, do reduce one category of risk. There's no demographic data for the AI to discriminate on because it was never in the system. And consistent automated treatment is more reliable than depending on multiple analysts to apply the same standards.
That said, credit decisions based on AI outputs can still produce disparate impact. You still need to monitor outcomes across protected classes, maintain adverse action procedures, and conduct periodic fair lending analysis. Ask any vendor: "What data elements does your AI use? Show me the complete list." Then check whether anything is a proxy for a protected class.
Data Security and Borrower Privacy
The ungoverned AI problem from Section 1 raises an obvious question: where does borrower data actually go? When an analyst pastes tax return data into ChatGPT, that data may be used for model training, stored on servers outside the institution's control, and retained indefinitely. No audit trail, no encryption guarantees, no contractual obligations around data handling.
Sanctioned AI tools built for regulated lending should meet a clear bar:
- Data residency: Borrower data stays within the US, in infrastructure the institution can audit.
- Encryption: Data encrypted in transit and at rest, with the institution maintaining control over access.
- No model training on borrower data: The AI vendor does not use customer loan data to train or improve their models. Your borrowers' financials are not someone else's training set.
- Data retention policies: Clear, documented rules on how long data is retained and how it's disposed of.
- SOC 2 Type II or equivalent: Independent verification that security controls are operational, not just documented.
When evaluating any vendor, ask for the data processing agreement. Ask specifically: "Does borrower data leave the US? Is it used for model training? Who has access, and how is access logged?" If the answers aren't clear and contractual, that's your signal.
The Vendor Doesn't Own Your Risk
Using a third-party vendor doesn't transfer your model risk, compliance obligations, or regulatory accountability. A good vendor makes compliance easier. They provide the model inventory, the validation documentation, the audit trail. But you own the governance framework and the oversight. Examiners will hold you to that.
Section 05
Model Validation and Ongoing Monitoring
Model validation is how you go from "we think the AI is accurate" to "here's the evidence." It should be proportionate to your institution's size, but it's not optional. This is the section your model risk officer should own.
Pre-Deployment Validation
Before any live loans go through the system, validate against known outcomes. Pull 10 to 20 recently completed loans, a mix of clean deals and complex ones. Run them through the AI tool. Have your best underwriter compare every extracted value against the manual spread. Document accuracy, discrepancies, and edge case handling by document type (1040s vs. 1065s vs. 1120s).
This becomes your golden dataset, the baseline for every future comparison and the artifact examiners will eventually ask for. If you can't show parallel-run data, you can't demonstrate that the system works.
Ongoing Monitoring
Validation doesn't end at go-live. Tax form revisions, state-specific schedules, and unusual entity structures. The AI's performance on them needs continuous tracking. What to monitor:
- Extraction accuracy by document type. Are 1065s holding at the same accuracy as 1040s? Are scanned documents degrading performance?
- Override frequency and patterns. How often are underwriters correcting the AI? On which fields? If overrides spike after a model update, that's a signal.
- Flag generation coverage. Are risk flags firing consistently, or are certain policy thresholds being missed?
- Consistency across analysts. Are different underwriters getting the same outputs from the same documents?
This should produce a periodic report that the model risk owner actually looks at. Not a dashboard nobody checks. A regular review of how the system is performing and where it's struggling.
Change Management
When the vendor updates the model (and they will), the institution needs a documented process:
- Notification of what changed and why
- Re-validation against the golden dataset before the update goes live
- Documented sign-off from the model risk owner
- Version history maintained in the model inventory
When an examiner asks "when did you last update the model version, and what was the validation process?" you should be able to answer in under a minute with an actual document, not a verbal explanation.
In Practice: Before any model update reaches a production environment, it should be validated against a maintained golden dataset of complex, real-world loan packages. The results should be documented: accuracy by form type, any regressions, sign-off from the model risk owner. The institution should receive the validation report before the update deploys.
Section 06
What AI Can't Do in Underwriting Today
Knowing what AI can't do is at least as important as knowing what it can. Examiners trust institutions that can articulate the line clearly.
Five Limitations
- AI has no credit judgment. It extracts, calculates, and flags. It can tell you the DSCR is 1.18x. It cannot tell you whether that deal is a good risk for your institution given your market, your portfolio concentration, and your strategic priorities.
- AI has no relationship context. It doesn't know this borrower has been a reliable client for 15 years or that the guarantor's handshake matters. Community and relationship lending runs on knowledge that lives in the heads of experienced bankers. No model replaces that.
- AI doesn't interpret regulatory nuance. It can flag that a ratio is below policy. It cannot determine whether an exception is warranted given the full picture. The underwriter who knows this is a strong deal despite a thin coverage ratio is making a judgment AI is not equipped to make.
- AI amplifies what's in the documents. If the financial statements are misstated, the AI will faithfully extract misstated numbers with high confidence. The human's job is to notice when the inputs aren't right, and that requires reviewing the documents, not just the outputs.
- AI can't manage the borrower relationship through a credit decision. The conversation where you explain why you're structuring the deal differently, or why you're declining. That's relationship management, and it's entirely human.
The institutions that will do this best aren't the ones that automate the most. They're the ones that can explain clearly what the AI does and what it doesn't.
Section 07
Where AI Underwriting Initiatives Fail
Most AI initiatives that fail in lending fail for predictable reasons.
Six Failure Patterns
- Governance theater. Documentation exists but doesn't reflect how things actually work. The model inventory was written for the vendor evaluation and never updated. Examiners spot this fast. They ask follow-up questions that require operational knowledge, and the gaps become obvious.
- Black-box vendor dependency. The lender can't explain how the AI reaches its outputs. If your vendor can't show you exactly how their system arrived at a given number, with source-document traceability, you're accepting risk you can't manage or explain to an examiner.
- Solving for speed without accuracy. The initiative gets justified by time savings alone. "We'll spread loans 10x faster." But fast wrong answers are worse than slow right ones. The metrics that matter are not just throughput but override rates (how often does the underwriter change the output?) and what the examiner actually sees in the file.
- Skipping the parallel run. No comparison data, no golden dataset. When accuracy questions surface during an exam, there's no baseline to reference. The parallel run is the single most important artifact in AI underwriting governance.
- Underwriter resistance from poor rollout. The tool is introduced as a mandate, not a collaboration. The senior analyst who's been spreading loans for 20 years sees it as a threat. The fix: involve underwriters in pilot design. Start with their most painful deals: the 1065 with 30 K-1s, not the clean 1040. Let them break it. Underwriters who find the AI's mistakes trust it more, not less, because they've calibrated where it's reliable and where it needs oversight. The pitch isn't "we're automating your job." It's "what would you catch if you had time to actually think?"
- Deploying technology before governance. The tool is purchased, configured, and launched. Then someone asks about the model risk management framework. Building governance in parallel with deployment is straightforward. Retrofitting it after is expensive, incomplete, and obvious to an examiner.
Section 08
From Pilot to Production — A 30/60/90-Day Timeline
Here's what a disciplined rollout looks like over 90 days.
Days 1–30
Foundation
- Appoint model risk owner
- Draft decision authority matrix
- Brief examiners early
- Build vendor shortlist
- Identify golden dataset (10–20 loans)
Days 31–60
Parallel Run
- Validate against golden dataset
- Run live deals in parallel
- Track accuracy & overrides
- Refine governance docs
- Involve underwriters actively
Days 61–90
Go-Live & Monitor
- Production on spreading
- Weekly override reviews
- Monthly accuracy reports
- Complete model inventory
- Document change management
By day 90: every question on the examiner readiness checklist below should be answerable with documentation. Each phase builds on the previous. Don't skip the parallel run — it's the single most important artifact in AI underwriting governance.
Days 1–30: Foundation
Governance and stakeholder alignment.
- Appoint a model risk owner. Proportionate to your size. This might be your CCO, a committee, or a designated senior manager. Not your vendor. You.
- Draft the decision authority matrix. Use the table from Section 2 as a starting point. Get committee sign-off. This document will be referenced at every stage.
- Brief your examiners. Lenders that show vendor documentation at the evaluation stage face less friction during exams. A 15-minute conversation now saves hours during an exam.
- Build a vendor shortlist. Evaluate against the three non-negotiables. Can the vendor demonstrate explainability, human decision authority, and a real audit trail? Ask for the model inventory document. If it doesn't exist, move on.
- Identify your golden dataset. Pull 10–20 recently completed loans across a range of complexity: clean 1040s, complex 1065s with tiered K-1s, multi-entity deals. These will be your validation baseline.
Days 31–60: Parallel Run
Prove it works on your deals.
- Run the golden dataset through the selected tool. Have your best underwriter compare every extracted value against the manual spread. Document accuracy by form type, discrepancies, and edge case handling.
- Expand to live deals in parallel. New deals run through both the AI tool and the manual process simultaneously. Underwriters compare outputs and document differences.
- Track metrics from day one. Extraction accuracy by document type. Override frequency and patterns. Time per deal (AI-assisted vs. manual). Where the AI gets it right, where it struggles, and what kinds of documents cause problems.
- Refine governance documentation. Update the model risk framework based on what you're seeing in parallel runs. Document the validation results. This is the artifact examiners will ask for.
- Involve underwriters actively. Give them the hardest deals. Let them find the mistakes. Build calibration and trust.
Days 61–90: Go-Live and Monitor
Production on spreading, with monitoring active.
- Go live on spreading for new originations. The parallel run proved accuracy. Underwriters are calibrated. Governance is documented. Start processing new deals through the AI tool as the primary workflow.
- Establish ongoing monitoring cadence. Weekly review of override patterns during the first month. Monthly extraction accuracy reports. Quarterly model performance review with the model risk owner.
- Complete the model inventory. Every AI component, its purpose, its decision authority, its version, and the validation history, documented as an actual artifact.
- Document change management procedures. When the vendor updates the model, what happens? Notification, re-validation against the golden dataset, sign-off. Write it down before you need it.
- Plan the next phase. With spreading proven, evaluate expanding to analysis and risk flags, then document collection, then credit memo support. Each expansion gets its own validation cycle.
By day 90, you should be able to answer every question on the examiner readiness checklist below with documentation, not just a verbal explanation.
Section 09
Examiner Readiness Checklist
If an examiner showed up tomorrow and asked you to reconstruct why a credit decision was made (source documents, extracted data, human review, analysis, recommendation, approval) could you do it in minutes?
Detach and share with your model risk officer or bring to your next vendor evaluation.
Nine Questions to Assess Your AI Underwriting Readiness
Your Organization
1. Does someone in your institution own model risk oversight for AI tools in lending?
Not "does your vendor have a model risk officer." Do you have a defined owner, whether that's a model risk function, a committee, or a designated senior manager?
2. Have you briefed your examiners or regulatory contacts about your AI evaluation?
Looping in early is cheaper than discovering governance gaps during an exam.
3. Have your underwriters seen the tool and validated its output on real deals?
Have they run their hardest deals through it? Have they found its mistakes? Underwriters who participate in the evaluation trust the tool more than underwriters who have it mandated.
Your Vendor
4. Can you trace any number in a credit memo back to the source document, page, and line, in under 60 seconds?
Not "we could reconstruct it." Can you do it right now, while an examiner watches?
5. When an underwriter overrides the AI, is the original value preserved with attribution and timestamp?
Both values should be in the record. The override itself is evidence of good governance, not a sign of AI failure.
6. Is there a documented decision authority matrix, enforced in code, not just policy?
Is there literally no code path where a loan moves forward without human authorization?
7. Are risk flag dismissals logged with written reasons, visible to audit, and never silently deleted?
A flag that was raised and appropriately dismissed is better than a flag that was never raised.
8. Does your vendor maintain a formal model inventory with version control, and validate before every model change?
Ask for the document. If it doesn't exist as an actual artifact, it's aspirational, not operational.
Your Process
9. If an examiner pulled a random loan file tomorrow, could you reconstruct the full decision lifecycle (every action, by whom, and when) in real time?
Not "we log everything." Show me, right now.
If the answer to any of these is "not yet" or "we'd need to check," that's the gap to close before expanding AI adoption, or before your next exam.
Decision Authority Matrix — Reference
| Function | AI Role | Decision Authority |
|---|---|---|
| Document collection | Generates requests, tracks status | Human manages relationship |
| Document extraction | Extracts and classifies data | Human reviews and corrects |
| Financial analysis | Computes ratios and trends | Human validates and interprets |
| Risk flag generation | Identifies potential issues | Human reviews and dispositions |
| Credit memo | Provides data and context | Human authors the memo |
| Credit decision | None | Human decides, committee approves |
| Covenant monitoring | Tests covenants, flags breaches | Human determines response |
