AI risk is increasingly a contract issue. Vendors are adding AI features to core systems, digital banking tools, fraud platforms, loan workflows, marketing software, and service applications. If credit unions wait until a tool is already live, they may discover that contract language does not answer basic questions about data use, oversight, liability, or change management.
The first question is whether AI is optional, default, or embedded. A vendor may describe a feature as an enhancement, but the credit union needs to know whether it can be disabled, limited to certain users, or separated from existing workflows. Optional AI and unavoidable AI create very different risk profiles.
The second question is what data the AI feature uses. Does it process prompts, documents, transcripts, transaction data, loan information, complaints, or member nonpublic personal information? Does the vendor use that data to train models, improve services, or support other customers? The contract should not leave those answers to a sales presentation.
The third question is where the data goes. Credit unions should ask about subcontractors, cloud providers, model providers, retention periods, cross-border processing, logs, and deletion rights. If AI adds another processing layer, vendor-management files should reflect that layer clearly.
The fourth question is how outputs are controlled. Does the vendor require human review for certain workflows? Can the credit union configure approvals? Are explanations, confidence indicators, audit trails, or override records available? AI outputs that affect member communications, fraud actions, or lending support need evidence, not just convenience.
The fifth question is how changes are announced. AI models and features can change more frequently than traditional software. Credit unions should require notice for material model changes, new AI features, expanded data use, or changed subcontractors. “Continuous improvement” should not become silent risk expansion.
The sixth question is what happens when AI fails. Contracts should clarify incident notification, investigation support, liability allocation, service credits, remediation responsibilities, and access to logs. The credit union needs to know what evidence it can obtain if an AI-enabled workflow harms a member or creates compliance exposure.
The seventh question is whether the vendor can support examiner-ready documentation. If the vendor cannot provide model purpose, testing summaries, oversight controls, data handling terms, and change-management evidence, the credit union may be buying a feature it cannot govern. Renewal season is the right time to make these questions standard.