new law / guidance / speech / standard / priority / incident
-> triage impact
-> update obligations
-> map controls and evals
-> trigger changes before harm or exam
Advanced phrasing:
We do not wait for a regulator, auditor or incident to tell us AI obligations changed. We run horizon scanning as an obligation intelligence architecture that turns external signals into internal controls, evals, release gates, evidence and management decisions.
NIST AI RMF, ISO/IEC 42001, internal control library, audit evidence
AI obligations change by jurisdiction, product, use case, customer segment, AI role, automation level, data category, vendor dependency and release state. A single global answer is usually wrong.
Every material signal must resolve into one of: a no-impact rationale, a watch item, an obligation, a control update, an eval update, a change request, a risk acceptance or a management escalation.
2.2 SR 26-2 nuance
SR 26-2 superseded SR 11-7 and SR 21-8, but GenAI and agentic AI should be treated through broader AI governance rather than blindly forced into legacy model-risk framing.
Better stance:
Predictive models and statistical decision models still need model risk management.
GenAI, RAG and agentic AI combine model behavior with prompts, knowledge sources, tool permissions, workflow, human oversight, monitoring, vendor dependency and change risk.
Some components route to Model Risk; the whole AI system also routes to product governance, data governance, third-party risk, security, EvalOps, release governance and evidence architecture.
Obligation intelligence should classify the obligation and route it to the right governance domain.
3. Source Taxonomy
3.1 Source categories
| Source category | Example | Why it matters | Default owner |
| --- | --- | --- | --- |
| Binding law / regulation | EU AI Act, national AI law | creates explicit legal obligations and deadlines | Legal / Compliance |
| Supervisory guidance | SR letters, interagency guidance | shapes examiner expectations and risk management | Compliance / Risk |
| Regulatory circular / bulletin | CFPB circulars, policy statements | interprets consumer finance expectations | Compliance / Product Risk |
| Regulatory speech / testimony | public remarks, hearings | early signal of supervisory direction | Compliance Intelligence |
| Supervisory priorities | exam priorities, risk alerts | shows what reviews may emphasize | Risk / Internal Audit |
| Standards | NIST AI RMF, ISO/IEC 42001 | converts principles into management system practice | Architecture / AI Governance |
| Enforcement / litigation | consent orders, court decisions | reveals concrete failure modes | Legal / Compliance |
| Industry incidents | peer AI failure, vendor outage | triggers scenario evals and control challenge | Operational Risk / PM |
| Vendor notices | model, SLA, data terms, region | can change behavior or data boundary | Vendor Owner / TPRM |
| Internal findings | audit issue, validation issue, complaint trend | converts internal evidence into control updates | Control Owner |
3.2 Source authority levels
| Level | Meaning | Action |
| --- | --- | --- |
| Level 1: Binding | law, regulation, court order, formal rule | mandatory triage and action plan if applicable |
| Level 2: Supervisory | guidance, circular, exam priority, SR letter | impact assessment for relevant business lines |
| Level 3: Standard | NIST, ISO, industry control standard | map to management system and control library |
| Level 4: Signal | speech, consultation, peer incident, vendor note | watch item or scenario trigger |
| Level 5: Context | commentary, conference summary | research input unless confirmed by stronger source |
Source -> Signal -> Obligation -> Applicability decision -> AI asset
-> Control objective -> Control activity -> Eval requirement
-> Change request -> Evidence artifact -> Management report
No obligation without a source.
No applicable obligation without an owner.
No control objective without test or evidence expectation.
No material obligation update without change impact screening.
No closed obligation without implementation status and evidence link.
5. Applicability Triage
5.1 Triage principles
Applicability triage is not a legal conclusion. It is a structured fact-finding and routing process that lets Legal/Compliance make the final interpretation efficiently.
Good triage separates external source language, internal interpretation hypothesis, business facts, technical facts, open legal questions, control implications and evidence implications.
5.2 Applicability dimensions
| Dimension | Questions |
| --- | --- |
| Jurisdiction | Where are customers, users, employees, entity, data, model provider and service delivered? |

| Decision category | Meaning | Action |
| --- | --- | --- |
| Conditional | depends on role, jurisdiction, data, product or design | record conditions and legal questions |
| Not applicable with rationale | reviewed and does not apply to current scope | record rationale, review trigger and approver |
| Watch item | not binding or not clear, but potentially material | set review date and scenario trigger |
| Control enhancement | no direct legal duty, but useful risk reduction | add to control backlog or standard |
| Management issue | requires funding, risk appetite or enterprise decision | escalate to governance forum |
5.4 Triage workflow
Signal received
-> source owner confirms authenticity and version
-> compliance analyst classifies signal type
-> BA gathers product/process facts
-> architect gathers system/data/vendor facts
-> Legal/Compliance confirms applicability status
-> PM and control owner map impact and action
-> governance forum reviews high-impact items
-> obligation graph updated
NIST/ISO framework changes, control library refresh, AIMS review
quarterly obligation dashboard and management review
Event-driven
new regulation, exam letter, major vendor change, serious AI incident
war-room style impact assessment
6.2 Weekly scan agenda
| Step | Activity | Output |
| --- | --- | --- |
| 1 | validate official source updates | source registry update |
| 2 | classify each signal | signal type and authority level |
| 3 | identify likely impacted domains | product and use-case tags |
| 4 | assign triage owner | owner and due date |
| 5 | close no-impact items with rationale | no-impact decision record |
| 6 | escalate high-impact signals | governance agenda item |
6.3 Monthly review decisions
| Agenda item | Decision |
| --- | --- |
| New high-materiality sources | accept for action, watch, or close |
| Open applicability questions | escalate, request legal opinion, or time-box research |
| Overdue obligation owners | extend with rationale or escalate |
| Tier 1 / Tier 2 exposure | update control and eval backlog |
| Control library changes | approve new or revised controls |
| Eval library changes | add, retire or recalibrate eval scenarios |
| Release governance triggers | create change tickets or hold releases |
| Management reporting | approve dashboard narrative and risk decisions |
6.4 Quarterly and event-driven triggers
Quarterly review covers AI portfolio scope, regulatory horizon trends, high-impact obligation status, open applicability decisions, overdue remediation, incidents, complaints, vendor changes, audit findings and management-system effectiveness.
Immediate triage is required when a binding law changes, guidance affects current assets, a circular touches consumer harm, a vendor changes model/data/SLA, an incident reveals a new failure mode, or a use case expands to a new jurisdiction, product, customer segment or automation level.
7. Obligation-to-Control/Eval/Change Graph
7.1 Why a graph
Spreadsheets help intake, but graph thinking answers multi-hop questions:
- Which obligations affect all credit AI use cases in the EU?
- Which controls support both EU AI Act logging and internal model risk evidence?
- Which eval suites must run after a vendor model change?
- Which open obligations block a release?
- Which obligations have evidence but no production monitoring?
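The five questions above, and the section 4 linkage rules ("no obligation without a source", "no applicable obligation without an owner", "no control objective without test or evidence expectation", "no closed obligation without implementation status and evidence link"), worked as an added Python example. This is not code from the page: the relation names (applies_to, controlled_by, tested_by, evidenced_by, monitored_by, triggered_by, extracted_from, ships), the node IDs other than AI-CREDIT-EXPLAIN-001 and every edge are constructed sample data for illustration, and a "monitor" and "release" node type are assumed alongside the 7.2 node types.

```python
"""Obligation graph: the five 7.1 questions as one- or two-hop queries, plus the section 4
linkage rules as a check. Added example, not page code; all IDs and edges are constructed."""
from collections import defaultdict

class ObligationGraph:
    def __init__(self):
        self.nodes = {}              # node_id -> {"type": ..., other attributes}
        self.fwd = defaultdict(set)  # (src, relation) -> {dst}
        self.rev = defaultdict(set)  # (dst, relation) -> {src}

    def add(self, node_id, node_type, **attrs):
        self.nodes[node_id] = {"type": node_type, **attrs}

    def link(self, src, relation, *dsts):
        for dst in dsts:
            self.fwd[(src, relation)].add(dst)
            self.rev[(dst, relation)].add(src)

    def out(self, node_id, relation):   # one hop forward
        return self.fwd.get((node_id, relation), set())
    def inc(self, node_id, relation):   # one hop backward
        return self.rev.get((node_id, relation), set())
    def of_type(self, node_type):
        return {n for n, d in self.nodes.items() if d["type"] == node_type}

    # 7.1: which obligations affect all <capability> AI use cases in <jurisdiction>
    def obligations_covering_all(self, capability, jurisdiction):
        assets = {a for a in self.of_type("asset") if self.nodes[a].get("capability") == capability}
        return {o for o in self.of_type("obligation") if self.nodes[o].get("jurisdiction") == jurisdiction
                and assets and assets <= self.out(o, "applies_to")}

    # 7.1: which controls support several obligations at once
    def shared_controls(self, *obligations):
        return set.intersection(*(set(self.out(o, "controlled_by")) for o in obligations))

    # 7.1: change -> obligations that name it as trigger -> evals those obligations require
    def evals_for_change(self, change_id):
        return {e for o in self.inc(change_id, "triggered_by") for e in self.out(o, "tested_by")}

    # 7.1: release -> shipped assets -> obligations on them that are not yet closed
    def blocking_obligations(self, release_id):
        return {o for a in self.out(release_id, "ships") for o in self.inc(a, "applies_to")
                if self.nodes[o].get("status") != "closed"}

    # 7.1: evidence exists, but nothing watches the control in production
    def evidenced_but_unmonitored(self):
        return {o for o in self.of_type("obligation")
                if self.out(o, "evidenced_by") and not self.out(o, "monitored_by")}

    # section 4 rules: source, owner, control test/evidence, closed-only-with-status-and-evidence
    def violations(self):
        problems = []
        for o in self.of_type("obligation"):
            d = self.nodes[o]
            if not self.out(o, "extracted_from"):
                problems.append(f"{o}: no source")
            if d.get("status") != "not_applicable" and not d.get("owner"):
                problems.append(f"{o}: applicable but no owner")
            if d.get("status") == "closed" and not (d.get("implementation_status") and self.out(o, "evidenced_by")):
                problems.append(f"{o}: closed without implementation status and evidence")
        for c in self.of_type("control"):
            if not (self.out(c, "tested_by") or self.out(c, "evidenced_by")):
                problems.append(f"{c}: control without test or evidence expectation")
        return sorted(problems)


def build_sample():  # constructed portfolio: two EU credit assets, one servicing assistant, one release
    g = ObligationGraph()
    for n, t in [("SRC-EUAI", "source"), ("SRC-MRM", "source"), ("CTRL-LOG", "control"),
                 ("CTRL-HO", "control"), ("CTRL-VALID", "control"), ("EVAL-TRACE", "eval"),
                 ("EVAL-HO", "eval"), ("EVAL-REGRESSION", "eval"), ("EV-TRACE-SAMPLE", "evidence"),
                 ("MON-OVERRIDE", "monitor"), ("CHG-VENDOR-MODEL", "change"), ("REL-2026-09", "release")]:
        g.add(n, t)
    g.add("AI-CREDIT-EXPLAIN-001", "asset", capability="consumer credit")
    g.add("AI-CREDIT-SCORE-002", "asset", capability="consumer credit")
    g.add("AI-CS-RAG-003", "asset", capability="customer servicing")
    g.add("OBL-EUAI-LOG", "obligation", jurisdiction="EU", status="open", owner="Platform Owner")
    g.add("OBL-EUAI-HO", "obligation", jurisdiction="EU", status="open", owner="Credit Ops Owner")
    g.add("OBL-MRM-EVID", "obligation", jurisdiction="US", status="closed", owner="Model Risk",
          implementation_status="implemented")
    g.add("OBL-ORPHAN", "obligation", jurisdiction="EU", status="open", owner=None)  # deliberately bad
    for src, rel, *dsts in [
        ("OBL-EUAI-LOG", "extracted_from", "SRC-EUAI"), ("OBL-EUAI-LOG", "triggered_by", "CHG-VENDOR-MODEL"),
        ("OBL-EUAI-LOG", "applies_to", "AI-CREDIT-EXPLAIN-001", "AI-CREDIT-SCORE-002", "AI-CS-RAG-003"),
        ("OBL-EUAI-LOG", "controlled_by", "CTRL-LOG"), ("OBL-EUAI-LOG", "tested_by", "EVAL-TRACE"),
        ("OBL-EUAI-LOG", "evidenced_by", "EV-TRACE-SAMPLE"), ("OBL-EUAI-HO", "extracted_from", "SRC-EUAI"),
        ("OBL-EUAI-HO", "applies_to", "AI-CREDIT-EXPLAIN-001"), ("OBL-EUAI-HO", "controlled_by", "CTRL-HO"),
        ("OBL-EUAI-HO", "tested_by", "EVAL-HO"), ("OBL-EUAI-HO", "monitored_by", "MON-OVERRIDE"),
        ("OBL-MRM-EVID", "extracted_from", "SRC-MRM"), ("OBL-MRM-EVID", "applies_to", "AI-CREDIT-SCORE-002"),
        ("OBL-MRM-EVID", "controlled_by", "CTRL-LOG", "CTRL-VALID"), ("OBL-MRM-EVID", "tested_by", "EVAL-REGRESSION"),
        ("OBL-MRM-EVID", "evidenced_by", "EV-TRACE-SAMPLE"), ("OBL-MRM-EVID", "triggered_by", "CHG-VENDOR-MODEL"),
        ("OBL-ORPHAN", "applies_to", "AI-CS-RAG-003"),  # no source, no owner, no control
        ("CTRL-LOG", "tested_by", "EVAL-TRACE"), ("CTRL-HO", "tested_by", "EVAL-HO"),  # CTRL-VALID has neither
        ("REL-2026-09", "ships", "AI-CREDIT-EXPLAIN-001", "AI-CS-RAG-003"),
    ]:
        g.link(src, rel, *dsts)
    return g
```

The point of the two index tables is that every 7.1 question is a short path over typed edges rather than a join across spreadsheets, and `violations()` is the same traversal used as a gate: run it on every update and a spreadsheet-era orphan (an obligation with no source or owner, a control with neither test nor evidence expectation) surfaces before a release or an exam does.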
7.2 Node types
| Node | Example |
| --- | --- |
| Source | EU AI Act, SR 26-2, CFPB circular index, NIST AI RMF, ISO/IEC 42001 |
| Signal | new obligation, revised guidance, standard update, speech, vendor notice |
| Obligation | transparency disclosure, logging, human oversight, data governance |
| AI asset | AI-CREDIT-EXPLAIN-001, AI-AML-NARRATIVE-002 |
| Business capability | consumer credit, AML investigation, customer servicing |
| Product | credit card, deposit account, payment dispute |
| Control objective | ensure human oversight is effective |
| Control activity | underwriter must approve and record override reason |
| Eval requirement | reason-code consistency eval, groundedness eval, prompt injection test |
| Change request | prompt update, RAG corpus update, tool permission change |
Escalate when a signal may affect Tier 1 assets, block a release, create consumer harm, require new funding/tooling, change vendor terms, miss owner SLA, or require management risk acceptance.
8.4 Quality gate
| Check | Pass standard |
| --- | --- |
| Source traceability | official source, access date and section reference recorded |
| Applicability clarity | applicable, conditional, not applicable or watch state documented |
| Control linkage | control objective and activity linked or no-control rationale approved |
| Evidence linkage | evidence artifact, dashboard or retention plan linked |
| Owner accountability | accountable owner and review cadence recorded |
9. Dashboards and KRIs
9.1 Executive dashboard
| Metric | Definition | Why it matters |
| --- | --- | --- |
| Open material signals | high or critical signals not dispositioned | shows horizon load |
| Open applicability decisions | items waiting for interpretation or facts | shows bottleneck |
| Obligations by authority level | binding, supervisory, standard, signal | shows backlog risk profile |
| Tier 1 assets impacted | high-impact assets linked to open obligations | shows customer/regulatory exposure |
| Overdue obligation actions | owner actions past due | shows execution risk |
| Evidence coverage | obligations with linked evidence over applicable obligations | shows audit readiness |
| Eval linkage coverage | applicable obligations with eval or test links | shows release gate maturity |
| Control gap count | applicable obligations without implemented controls | shows remediation need |
| Change linkage count | obligations that triggered change requests | shows operational follow-through |
| Accepted residual risk | obligations closed through risk acceptance | shows management decisions |
9.2 Product and control dashboards
| View / KRI | Trigger or use |
| --- | --- |
| Obligations by product line | identify products with largest regulatory horizon load |
| Obligations by journey | locate onboarding, servicing, complaint, credit or payment hot spots |
| Obligations by release | block or condition releases with unresolved obligations |
| Obligations by AI capability | see RAG, agent, scoring, generation or tool-use concentration |
| Obligations by jurisdiction | prevent one-size-fits-all rollout |
| Applicable obligation without control | any Tier 1 obligation lacks control within 10 business days |
| Control without evidence | control marked implemented but no evidence link |
| Eval gap | obligation requires test but no eval exists |
| Change gap | obligation implies system/process change but no change ticket exists |
| Evidence stale | evidence older than review cadence or prior to material release |
9.3 Board narrative
Good management reporting answers what changed externally, which changes matter, which assets are exposed, which obligations need decisions, which gaps are overdue, which residual risks were accepted, and which investments are required.
Bad reporting only shows article counts, meeting counts, monitored-regulation counts, or green status without traceable evidence.
10. RACI
10.1 Operating RACI
| Activity | Legal | Compliance | AI PM | BA | Architect | Model Risk | Privacy/Security | Data | Vendor | Governance |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Source authenticity | C | A/R | C | C | C | C | C | C | C | R |
| Signal classification | C | A/R | C | C | C | C | C | C | C | R |
| Applicability interpretation | A/R | A/R | C | C | C | C | C | C | C | C |
| Product impact | C | C | A/R | R | C | C | C | C | C | C |
| Process impact | C | C | C | A/R | C | C | C | C | C | C |
| System/data/vendor facts | C | C | C | C | A/R | C | C | R | R | C |
| Obligation extraction | C | A/R | C | R | C | C | C | C | C | R |
| Control mapping | C | A/R | C | R | A/R | C | C | C | C | C |
| Eval linkage | C | C | C | C | C | A/R | C | C | C | C |
| Change ticket creation | C | C | A/R | R | A/R | C | C | C | C | C |
| Evidence design | C | C | C | R | A/R | C | C | C | C | A/R |
| Dashboard reporting | C | C | C | C | C | C | C | C | C | A/R |
| Risk acceptance | C | C | C | C | C | C | C | C | C | A with executive owner |
Legend: A = accountable, R = responsible, C = consulted.
10.2 Role expectations
| Role | Must be able to explain |
| --- | --- |
| AI PM | how horizon changes affect roadmap, scope, release gates, customer value and risk |
| BA / CBAP+ | how obligations become requirements, process rules, exception paths, evidence and decision rights |
| Architect | how obligations map to boundaries, data flows, logs, evals, controls, change and evidence |
| Compliance / Legal | which sources matter, what interpretation is confirmed, what remains conditional |
| Model Risk | which components require model risk governance and how that interacts with broader AI governance |
| Governance Lead | backlog health, owner accountability, dashboard narrative and management decisions |
11. Financial Retail Examples
11.1 Credit explanation assistant
Use case: AI assists underwriters and agents by summarizing credit policy, explaining factors and drafting customer communication. Final decision and formal adverse action reason remain controlled by approved workflow and human accountability.
| Horizon signal | Impact |
| --- | --- |
| EU AI Act high-risk and transparency screening | assess role, risk tier, documentation, logging and human oversight for EU scope |
| CFPB circulars affecting adverse action or credit reporting | update reason-code eval and notice quality controls |
| SR 26-2 | route predictive scoring to model risk and RAG/LLM workflow to broader AI governance |
| NIST AI RMF | connect Govern/Map/Measure/Manage evidence to release and monitoring |
| ISO/IEC 42001 | include in AIMS management review and improvement cycle |
| Obligation area | Control |
| --- | --- |
| Explanation accuracy | reason-code consistency eval and policy-grounded review |
| Human oversight | underwriter approves final reason and can override AI draft |
| Logging | trace model version, prompt, policy source, draft and final reason |
Use case: AI summarizes transactions, KYC profile, watchlist hits and case notes, then drafts investigation narrative without deciding SAR filing or case closure.
| Signal | Control response |
| --- | --- |
| supervisory focus on AML model and case quality | add case quality and evidence-citation eval |
| SR 26-2 | classify transaction monitoring model separately from LLM narrative support |
| vendor model update | trigger regression on narrative completeness, citation support and sensitive data handling |
| peer incident | add red-team scenario for missing adverse evidence |
Core controls: AI cannot close case; narrative cites case evidence IDs; investigator confirms final narrative; SAR decision boundary is explicit; prompt and model version are logged; case sampling tests completeness and overstatement.
11.3 Customer service RAG assistant
Use case: AI answers customer questions about fees, disputes, account servicing and product policy. High-risk paths route to human agent or supervisor.
| Signal | Control response |
| --- | --- |
| CFPB circulars index update | screen for dispute, fee, complaint, credit reporting or deceptive practice implications |
| EU AI Act transparency | review AI interaction disclosure for EU users |
| ISO/IEC 42001 management review | include chatbot risk trend and corrective actions |
| vendor model safety policy change | update refusal, escalation and disclosure tests |
Core controls: approved knowledge source allowlist; citation and effective-date display; complaint detection; prohibited statements list; approved disclosure; monitoring for complaint spike and deflection side effects.
11.4 Payment exception agent
Use case: AI triages failed payments, suggests next action and drafts internal notes. Write-enabled actions require human confirmation and policy-issued authorization token.
| Signal | Control response |
| --- | --- |
| operational resilience guidance | add fallback, manual queue and recovery evidence |
| security guidance | strengthen tool authority, idempotency and rate limiting |
| consumer protection signal | monitor wrongful payment block or delayed dispute resolution |
| vendor outage | review concentration risk and exit plan |
Core controls: separate read/draft/write/submit/approve permissions; idempotency key for writes; maker-checker for high-value or customer-adverse actions; policy decision ID in logs; tested rollback and compensation plan.
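The tool-authority side of those controls, worked as an added Python example (not code from the page or any product): the AI agent holds only read/draft tiers, write/submit calls need an idempotency key and a policy-issued confirmation bound to one decision, high-value or customer-adverse actions need a second distinct approver (maker-checker), replays return the recorded result without re-executing, and every decision is logged with its policy decision ID. The HMAC token format, the signing key, the 1000.00 threshold, and the principals, tools and requests are constructed assumptions; a real deployment would issue tokens from a separate policy service and take the key from a secret store.

```python
"""Tool-authority gate for a write-enabled payment agent. Added example, not code from
the page: the tier split, idempotency key, maker-checker rule and decision ID in the log
follow the 11.4 control list; the HMAC token scheme, key, threshold and all principals,
tools and requests are constructed for illustration."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

PERMISSIONS = {                                  # tiers each principal may invoke (assumed)
    "payment-agent": {"read", "draft"},          # the AI agent itself never holds write/submit
    "ops-analyst": {"read", "draft", "write", "submit"},
}
NEEDS_HUMAN_CONFIRMATION = {"write", "submit"}
MAKER_CHECKER_AMOUNT = 1000.0                    # assumed high-value threshold
POLICY_KEY = b"constructed-policy-signing-key"   # would live in the policy service / secret store


def decision_id(actor, tool, params):
    """Stable policy decision ID derived from the canonical request, so a token cannot be
    replayed against a different tool call or a changed amount."""
    canon = json.dumps({"actor": actor, "tool": tool, "params": params}, sort_keys=True)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def issue_confirmation(did, approver):
    """Policy-issued token: bound to exactly one decision and one named human."""
    return hmac.new(POLICY_KEY, f"{did}|{approver}".encode(), "sha256").hexdigest()


def confirmation_valid(token, did, approver):
    return hmac.compare_digest(token, issue_confirmation(did, approver))


@dataclass
class PaymentToolGate:
    ledger: dict = field(default_factory=dict)    # idempotency key -> recorded result
    log: list = field(default_factory=list)       # every decision, with its decision_id
    executed: list = field(default_factory=list)  # side effects the downstream tool performed

    def _run_tool(self, tool, params):            # stand-in for the real payment-system call
        self.executed.append((tool, params))
        return {"status": "executed", "tool": tool}

    def call(self, actor, tier, tool, params, idem_key=None, approvals=()):
        """approvals: (approver, token) pairs; the first valid one is the maker."""
        did = decision_id(actor, tool, params)

        def finish(outcome, **extra):             # every path leaves a log line carrying the decision ID
            entry = {"decision_id": did, "actor": actor, "tier": tier, "tool": tool,
                     "outcome": outcome, **extra}
            self.log.append(entry)
            return entry

        if tier not in PERMISSIONS.get(actor, set()):
            return finish("denied", reason="tier not granted to principal")
        if tier not in NEEDS_HUMAN_CONFIRMATION:  # read / draft: no side effects, no token needed
            return finish("executed", result=self._run_tool(tool, params))
        if not idem_key:
            return finish("denied", reason="write-tier call without idempotency key")
        humans = [a for a, t in approvals if confirmation_valid(t, did, a)]
        if not humans:
            return finish("denied", reason="no valid human confirmation for this decision")
        if idem_key in self.ledger:               # replay: return the recorded result, do not re-execute
            return finish("duplicate", result=self.ledger[idem_key])
        adverse = params.get("customer_adverse", False) or params.get("amount", 0) >= MAKER_CHECKER_AMOUNT
        if adverse and len(set(humans)) < 2:      # maker-checker: two distinct people, not two tokens
            return finish("denied", reason="maker-checker: second distinct approver required")
        result = self._run_tool(tool, params)
        self.ledger[idem_key] = result
        return finish("executed", result=result, approvers=humans)
```

Two design points worth checking in any real implementation: the confirmation is validated before the idempotency ledger is consulted, so a replayed key cannot be used to read a prior result without authority, and the maker-checker test counts distinct approvers rather than tokens, so the same person presenting two tokens does not satisfy it.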
11.5 Wealth advisor copilot
Use case: AI summarizes client profile, approved product materials and meeting notes for advisor preparation. It does not send personalized recommendations directly to clients.
| Signal | Control response |
| --- | --- |
| suitability / best interest supervisory theme | update advisor approval and suitability checklist |
| AI transparency guidance | review client communication boundary |
| vendor data-use notice | check client data processing, retention and training exclusions |
| standards update | update recordkeeping and evidence mapping |
Core controls: approved product library only; suitability checklist remains human-owned; client communication archived; generated drafts marked as drafts; advisor edit and approval recorded.
12. Templates
12.1 Source Registry Template
| Field | Example-filled entry |
| --- | --- |
| source_id | SRC-FED-SR26-2 |
| title | Federal Reserve SR 26-2: Model Risk Management Guidance |
conditional pending Legal confirmation for EU high-risk path; model risk applies to predictive component
Control implication
high-risk screen, reason-code eval, trace logging, human oversight, model validation, broader AI governance controls
Decision owner
Credit Risk Executive with Legal, Compliance and AI Governance
12.4 Obligation Object Template
| Field | Example-filled entry |
| --- | --- |
| obligation_id | OBL-EUAI-HR-HUMAN-OVERSIGHT-001 |
| source_id | SRC-EUAI-2024-1689 |
| authority_level | binding law |
| obligation_type | human oversight |
| action_verb | design, implement, document and monitor |
| applicability_condition | AI system is assessed as high-risk or high-impact decision support for EU credit use case |
| impacted_artifact | underwriter workflow, UI, training, logs, QA process |
| control_objective_id | CTRL-OBJ-HO-001 |
| eval_requirement_id | EVAL-HO-EFFECTIVENESS-001 |
| evidence_requirement_id | EV-HO-REVIEW-LOG-001 |
| owner_role | Credit Operations Owner |
| legal_status | conditional pending Legal confirmation |
| implementation_status | mapped to controls |
| review_cadence | monthly operational sample and quarterly governance review |
12.5 Obligation-Control-Eval-Change Map
| Obligation | Control objective | Control activity | Eval / test | Change trigger | Evidence |
| --- | --- | --- | --- | --- | --- |
| Customer-facing AI disclosure | user understands AI interaction and escalation path | approved UI copy and channel-specific disclosure | UX comprehension review and compliance approval | new channel, new geography, major UX redesign | screenshot, copy approval, release record |
| Logging and traceability | AI output can be reconstructed and audited | log model, prompt, index, policy source, tool call, human review | trace completeness sample | model/prompt/index/tool change | trace sample, retention proof |
| Human oversight | human can intervene with context and authority | reviewer sees evidence, edits, overrides and escalates | oversight effectiveness test | automation level increases or queue changes | review log, override analytics |
| Consumer harm prevention | AI does not mislead customers on fees, disputes or credit | prohibited claim rules and escalation paths | scenario eval and complaint trend review | CFPB circular or policy update | eval report, complaint dashboard |
| Vendor model change | third-party AI change does not break controls | vendor notice review and regression gate | domain regression and security review | vendor model, region, data term or SLA change | vendor notice, eval run, approval |
12.6 Management Report Template
# AI Regulatory Horizon Management Update
Reporting period: 2026 Q3 first month
Prepared for: AI Governance Council and Risk Committee
External changes reviewed:
- 2 binding-law sources reviewed.
- 3 supervisory guidance items reviewed.
- 4 consumer finance circular or bulletin items screened.
- 5 standard or framework changes monitored.
- 2 vendor notices assessed.
Material decisions:
- EU AI Act high-risk screening remains mandatory for EU credit and employment-related AI assets.
- SR 26-2 alignment review opened for predictive model components inside GenAI-enabled workflows.
- CFPB circular monitoring added to customer service, dispute, credit reporting and fee journeys.
Portfolio impact:
- 7 Tier 1 AI assets linked to open obligations.
- 3 releases require updated eval gates before production expansion.
- 2 vendor contracts require AI update-notice review.
Top risks:
- Open Legal interpretation on EU deployer role for one cross-border customer service assistant.
- Evidence coverage below target for human oversight logs in one credit workflow.
- Vendor model update cadence not contractually aligned with release governance.
Decisions requested:
- Approve funding for obligation graph integration with AI inventory and release system.
- Assign executive owner for cross-jurisdiction AI applicability policy.
- Accept temporary residual risk for one Tier 2 chatbot pilot with limited traffic and enhanced monitoring.
12.7 Evidence Binder Template
| Folder | Required evidence |
| --- | --- |
| 01-source | official source PDF/link, access record, source registry row |
| 02-signal | signal intake, classification, materiality rationale |
five official anchors recorded with URL, owner, access date
| Day | Output | Acceptance standard |
| --- | --- | --- |
| Day 2 | Source taxonomy | authority type, jurisdiction and review cadence defined |
| Day 3 | Signal intake template | captures type, materiality, affected domain, owner and due date |
| Day 4 | Ten sample signals | includes law, guidance, standard, circular, vendor and incident categories |
| Day 5 | Weekly triage agenda | includes classify, assign, close, escalate and dashboard update |
Week 2: Ontology and triage
| Day | Output | Acceptance standard |
| --- | --- | --- |
| Day 6 | Obligation object model | includes source, applicability, action verb, owner, control, eval, change and evidence |
| Day 7 | Applicability dimensions | jurisdiction, product, use case, role, AI capability, automation, data, vendor and customer impact |
| Day 8 | Triage worksheet | one example for customer service RAG and one for credit explanation |
| Day 9 | Decision categories | applicable, conditional, no-impact, watch, control enhancement and management issue |
| Day 10 | Legal questions pack | precise Legal/Compliance questions, not vague requests |
Week 3: Graph and controls
| Day | Output | Acceptance standard |
| --- | --- | --- |
| Day 11 | Obligation-to-control map | at least 12 obligation objects linked to controls |
| Day 12 | Eval linkage map | each high-impact obligation has an eval or test |
| Day 13 | Change linkage map | material obligations trigger release/change tickets |
| Day 14 | Evidence binder map | each control has named evidence and retention rule |
| Day 15 | Graph query list | at least eight management queries documented |
Week 4: Reporting and operating model
| Day | Output | Acceptance standard |
| --- | --- | --- |
| Day 16 | RACI | roles for Legal, Compliance, PM, BA, Architect, Model Risk, Privacy/Security, Data, Vendor and Governance |
| Day 17 | Dashboard spec | executive, product and control dashboards with KRIs |
| Day 18 | Governance workflow | stages from source intake to management review |
| Day 19 | Financial retail case pack | credit, AML, customer service, payment and wealth examples |
| Day 20 | Management memo | one-page report with external changes, impact, top risks and decisions |
Days 21-30: Portfolio simulation
| Day | Output | Acceptance standard |
| --- | --- | --- |
| Day 21 | Scenario chosen | credit explanation, AML narrative, customer service RAG, payment agent or wealth copilot |
| Day 22 | Source registry populated | all anchors have official links and access dates |
| Day 23 | 12 obligation objects | each has owner, control, eval, change and evidence links |
| Day 24 | Impact graph | source, obligation, asset, control, eval, change and evidence connected |
| Day 25 | Mock triage forum | decisions recorded for applicable, conditional, watch and no-impact items |
| Day 26 | Release gate updated | at least three obligations alter eval or release criteria |
| Day 27 | Dashboard built | overdue, coverage, Tier 1 impact, evidence and residual risk views |
| Day 28 | Board memo written | top three horizon signals and decisions requested |
| Day 29 | Self-review completed | no orphan obligation, no ownerless item, no evidence-free closure |
| Day 30 | Interview rehearsal | 30-second and 2-minute explanations with one financial retail example |
14. Interview Answers
14.1 30-second answer
AI regulatory horizon scanning should not be a legal newsletter. I would build an obligation intelligence architecture. It monitors official laws, guidance, circulars, speeches, supervisory priorities, standards and vendor notices; triages applicability by jurisdiction, product, use case, role, AI capability, automation and customer impact; extracts structured obligation objects; and maps each obligation to controls, evals, change tickets, evidence and owners. That gives management a real view of regulatory exposure before an exam, incident or release failure.
14.2 2-minute answer
In a regulated financial institution, AI obligations change by jurisdiction, product, use case, customer segment, automation level, data and vendor dependency. My approach starts with a source taxonomy and source registry. EU AI Act, NIST AI RMF, ISO/IEC 42001, SR letters and CFPB circulars are official source anchors with version, access date, authority level and owner.
When a signal appears, I do applicability triage. The BA gathers process and customer impact facts, the architect gathers system, data, model, RAG, tool and vendor facts, and Legal/Compliance confirms interpretation. If material, the signal becomes an obligation object with action verb, applicability condition, owner, control objective, eval requirement, change trigger and evidence requirement.
The important architecture is the graph: source to signal to obligation to AI asset to control to eval to change to evidence. That lets us answer which Tier 1 assets are impacted, which releases are blocked, which controls lack evidence and which obligations are overdue.
For SR 26-2, I would not blindly treat every GenAI or agentic system as a legacy model risk item. Predictive model components still route to model risk, but RAG, prompts, tool authority, workflow, human oversight, vendor change, EvalOps, incident and evidence controls require broader AI governance.
14.3 English version
I would run AI regulatory horizon scanning as an obligation intelligence system, not as a passive monitoring newsletter. The system captures official sources, classifies signals, triages applicability by jurisdiction, product, use case, role, AI capability, automation level, data and customer impact, then extracts structured obligation objects. Each obligation is mapped to an AI asset, control objective, control activity, eval requirement, change trigger, evidence artifact and accountable owner. The architecture is a graph, because management needs to know which high-impact AI assets are exposed, which releases are blocked, which controls lack evidence and which residual risks require acceptance.
14.4 Deep-dive Q&A
| Question | Strong answer |
| --- | --- |
| How is this different from regulatory response? | Regulatory response is event-driven, triggered by exam, incident or audit. Obligation intelligence turns external changes into controls, evals, releases and evidence before a failure. |
| How do you avoid over-governance? | Use authority level, materiality, risk tier and applicability conditions. Low-risk signals can become watch or no-impact records; Tier 1 assets get enhanced controls. |
| How do you handle conflicting jurisdictions? | Segment by jurisdiction, entity, product, customer location, data location and AI role. The graph can represent different applicability states for the same asset. |
| What makes a good obligation object? | It has source, action verb, applicability condition, owner, control objective, eval link, change trigger, evidence requirement, status and review cadence. |
| How does NIST AI RMF fit? | NIST provides Govern/Map/Measure/Manage language for risk management, but does not replace legal applicability analysis. |
| How does ISO/IEC 42001 fit? | ISO/IEC 42001 gives the AI management system structure. Obligation intelligence feeds that management system. |
| What is the SR 26-2 nuance? | It supersedes SR 11-7 and SR 21-8, so model risk programs need updating. GenAI and agentic systems also need broader AI governance. |
| What artifact would you show? | A source registry, applicability matrix, obligation ontology, graph diagram, control/eval/change map, dashboard, RACI and management memo. |
15. Pitfalls and Self-Assessment
| Pitfall | Better practice |
| --- | --- |
| Treating horizon scanning as news monitoring | require disposition for every material signal |
| One global applicability answer | segment applicability by jurisdiction, product and use case |
| Copying legal text into PRD | extract action verb, condition, control and evidence |
| No distinction between obligation and control | define control activity and evidence |
| No eval linkage | map obligations to eval and regression suites |
| No change linkage | trigger release/change ticket when behavior must change |
| No owner | assign accountable role and SLA |
| No evidence retention | design evidence binder and retention rule |
| Overusing model risk for GenAI | route components to model risk and broader AI governance |
| Dashboard vanity metrics | report Tier 1 impact, overdue actions, control gaps and evidence coverage |
Self-assessment checklist:
Source registry includes official URLs, access dates, authority levels and owners.