AI governance becomes easier when it is treated as a calendar, not a concept. Many credit unions know they need an AI policy, vendor review process, and staff guidance, but the work stalls because it is framed as a large transformation project. A 90-day calendar gives management a practical way to move from concern to documented control.
Days 1 through 15 should focus on discovery. The goal is not to judge every use case yet; it is to find where AI is already present. Ask department leaders which vendors have added AI features, which employees are using public AI tools, where documents or member conversations are being summarized, and whether any AI outputs influence lending, fraud, marketing, or service decisions.
Days 16 through 30 should turn discovery into an AI inventory. Each item should include the owner, vendor or tool, business purpose, data touched, human reviewer, member impact, and current control status. A simple spreadsheet is enough at first. The value comes from making hidden usage visible and giving leadership a shared view of exposure.
Days 31 through 45 should produce interim rules. Credit unions need clear boundaries while a fuller program is built: no member nonpublic personal information in public AI tools, no AI-generated member communications without review, no automated decisions without approval, and no vendor AI feature enabled without risk review. These rules should be short enough for employees to understand and specific enough for managers to enforce.
Days 46 through 60 should focus on vendor evidence. For each AI-enabled vendor, request documentation on model purpose, data retention, subcontractors, security, change management, testing, and human oversight. Vendors that cannot provide clear answers should be treated as unresolved risks, not as harmless software updates.
Days 61 through 75 should identify one or two controlled pilots. The best candidates are internal workflows with measurable time savings and limited member harm if the tool underperforms: policy search, contact summaries, training drafts, procedure cleanup, or fraud triage support. Each pilot should have a business owner, success metric, review process, and stop condition.
Days 76 through 90 should package the work for leadership and the board. The output should include the AI inventory, interim rules, vendor-review findings, pilot results, unresolved issues, and next-quarter priorities. This gives directors a governance rhythm and gives management a clear operating plan instead of scattered AI conversations.