This page provides a complete Generative AI Governance Policy Template for banks — nine sections, structured as a practical policy artifact ready to adapt for your institution. Subscribe to The Risk Dispatch to download the full template.
Why Banks Need a Dedicated GenAI Governance Policy
Existing AI governance policies at most banks were written for predictive models under the SR 11-7 framework. Generative AI introduces different risk vectors: hallucination, prompt injection, data leakage, and model drift that cannot be detected through traditional backtesting. Regulators are signalling that GenAI-specific governance is expected now. A bank without a GenAI policy is operating with a governance gap that will be identified in the next examination cycle.
Template Overview: Nine Policy Sections
Section 1: Purpose and Scope
Defines what the policy covers (all use of generative AI tools by bank employees, contractors, and third parties acting on behalf of the institution), what it does not cover (predictive AI models governed under the MRM framework), and its relationship to existing policies (Acceptable Use, Data Classification, Model Risk Management).
Section 2: Definitions
Clear definitions for: Generative AI, Large Language Model (LLM), Prompt, Output, Third-Party GenAI Service, Approved Tool, Sensitive Data, and Material Decision. Precise definitions prevent scope disputes during audits and examinations.
Section 3: Acceptable Use Policy
Approved use cases (drafting internal communications, summarising non-confidential documents, code assistance for non-production systems), prohibited uses (customer-facing advice without human review, use with PII in unapproved tools, automated material decisions), and use cases requiring case-by-case approval.
Section 4: Data Handling Requirements
Prohibits input of non-public customer information, confidential bank data, or regulated data into unapproved GenAI tools. Requires data classification review before any GenAI use involving bank data. Addresses data residency and EU AI Act considerations for institutions with EU operations.
Section 5: Model Approval Workflow
Approval pathway: business owner nomination → Technology review → Legal/Compliance review → Model Risk (if qualifying as a model under SR 26-2) → CISO sign-off → approval register entry. Sets maximum review timelines to prevent bottlenecks that push users toward shadow AI.
Section 6: Human Oversight Requirements
Mandatory human review for all GenAI-generated content shared externally, used in customer communications, or informing a material decision. Defines "material decision" for this purpose. Specifies documentation required when a GenAI-assisted output is used in a regulated context.
Section 7: Audit Trail and Logging
Requires approved GenAI tools to log: prompt submitted, output received, user identity, timestamp, and disposition (used/modified/discarded). Specifies minimum log retention periods consistent with the institution's records management policy.
Section 8: Incident Response
Reportable GenAI incidents: hallucinated output used in a customer communication, data leakage via prompt, model behaviour inconsistent with the approved use case, third-party GenAI service breach. Defines escalation paths, notification timelines, and remediation documentation requirements.
Section 9: Third-Party GenAI Vendor Requirements
Minimum contract requirements: data processing agreements, prohibition on training on customer data, security standards attestation, incident notification timelines, right to audit. For vendors in scope under DORA (EU-operating institutions), additional DORA third-party provisions apply.
This template is a starting point. Your institution's legal, compliance, and risk teams must review and adapt it to your regulatory environment. For the broader AI governance framework, see our AI governance for banks guide and the MRM framework compliance guide.