🌊Making a List, Auditing It Twice...and Letting AI Check It

The OCC just announced a new Request for Information (RFI) asking community banks to weigh in on their biggest challenges with core service providers and other essential third-party vendors. 

What changed: The OCC wants direct input on pain points like contract terms, fees, data access, system interoperability, and how hard it can be to oversee major third-party providers. They’re also asking what regulatory or supervisory changes could make oversight more efficient and less burdensome. 

What didn’t change: This RFI doesn’t create new rules or obligations. Banks still need to follow existing third-party risk expectations, this is simply the OCC gathering intel before potentially updating guidance. 

What it means for business: Regulators are signaling that community banks need more clarity and support when dealing with mission-critical vendors. This could lead to more tailored guidance, streamlined oversight expectations, and clearer examiner focus areas, especially around contracts, monitoring, and system modernization. 

Translation: The OCC wants to understand what’s broken before they fix it. If you’re a community bank, this is a chance to influence the next wave of TPRM guidance. If you serve them, it’s your cue to get ahead of whatever comes next.

A new generation of artificial intelligence, so-called “agentic AI”, is changing how cybersecurity and operational risk intersect. These systems don’t just respond to prompts; they can decide what to do next, act on behalf of an organization, and even initiate tasks without human instruction. 

What’s changed: Agentic AI isn’t just analyzing logs or flagging suspicious behavior. It can autonomously investigate alerts, run tests, prioritize vulnerabilities, and execute actions that traditionally required an analyst. In some cases, it’s acting not only within your environment, but also through third-party platforms that leverage AI on your behalf. That means software, not people, may now be making decisions using your data. 

What didn’t change: Autonomy doesn’t eliminate risk; it can actually multiply it if you’re not watching closely. Organizations often don’t know what information is being fed to an agentic AI system, what instructions it’s acting on, or how that data is being stored, transmitted, or reused. If a third party deploys agentic AI for your operations without your awareness, you inherit potential exposure you may not have wanted, including data leakage, unauthorized access, prompt-based manipulation, and logic that can be steered, corrupted, or outright jailbroken by attackers. 

What it means for business: Companies must now evaluate not only their own AI, but how vendors are using agentic AI on their behalf. Knowing what data these systems access, how they act, and who controls them is the new baseline for risk. Done right, agentic AI boosts detection and reduces workloads. Done wrong, it becomes an autonomous liability outside your governance. 

Translation: Agentic AI isn’t science fiction, it’s potentially in your tech stack today, whether you approved it or not. Treat it like the world’s fastest new team member: powerful, tireless, and incredibly useful, but only if you know exactly what it’s doing, what it’s allowed to touch, and who’s ultimately accountable for its decisions.

We’ll be digging deeper in future insights.