# When the Regulator Starts Using the Tool It Is Regulating
I’ve seen the moment in any technology cycle when the institution designed to oversee a thing starts becoming the thing. We’re at that moment with AI in banking. The OCC isn’t watching from a distance anymore. It’s inside the machine, learning how it works, trying to understand what it’s being asked to supervise.
That should make every bank executive stop and think. Not because it’s threatening. Because it tells you something about where this is going—and how fast.
I want to be clear about what I’m not saying. This isn’t a regulatory alarm piece. I’ve written enough of those, and so has everyone else. This is something more specific: an observation about a signal that’s easy to misread if you’re only skimming supervisory documents.
***
## The Document That Stopped Me
Last quarter I was working through the OCC’s supervisory posture on agentic AI in banking operations. Not a summary, not a briefing note someone handed me—the actual document. I do this the slow way because the slow way is the only way to catch what the fast way misses.
Two things stopped me cold.
First, the OCC’s explicit support for agentic AI in automated, compliant banking operations. Not a cautious conditional endorsement wrapped in seventeen qualifications. A directional signal. A federal banking regulator saying: this is the direction, and we’re behind it. In the language regulators actually use, that’s a significant statement. Regulators don’t use words like “support” casually. They have lawyers for that.
Second, the same document named both sides of the AI-and-cybersecurity equation in the same breath: AI strengthens cyber defenses and AI sharpens the attacks against the very institutions deploying it. They said both things, explicitly, without softening either one. That kind of candor in regulatory language isn’t standard. Regulatory documents are usually careful to the point of saying nothing. This one said something.
Then I found the part about the OCC’s Solutions Lab. GenAI, being used internally, to help the OCC supervise AI-driven tools inside the banks it oversees.
I sat with that for a while. The regulator isn’t waiting to understand what it’s regulating. It’s building the capability now, from inside, before the gap becomes uncrossable.
I’ll be honest: my first reaction was mild surprise, which immediately became embarrassment at my own surprise. Why would I assume regulators would be passive while the entire sector restructured itself around a technology they barely had working definitions for? Of course they’re building capability. The question is whether they’re building it fast enough—and whether the banks are asking themselves the same question with anything like the same urgency.
***
## What the OCC Is Actually Telling You
Agentic AI is no longer experimental in the regulatory view. The OCC’s endorsement of agentic AI for automated, compliant operations is a turning point. It moves AI in banking from the category of innovation-to-be-watched into the category of infrastructure-to-be-governed. That distinction matters enormously. When something is experimental, you can manage it at arm’s length. When something is infrastructure, it has to be understood at depth, by the people responsible for it, not delegated to a team and reviewed quarterly. The OCC has made a judgment that agentic AI is infrastructure. Every board should be making the same judgment about their own posture.
The dual-use candor isn’t an accident. Naming both the defensive and offensive implications of AI in a single supervisory document is a deliberate framing choice. It tells banks: we won’t accept the selective narrative. You can’t present AI as a cyber enhancement story while quietly ignoring that the same capabilities are being turned against your systems. The OCC is signaling that it expects integrated thinking—the kind that holds two uncomfortable truths at once without retreating to whichever one is more convenient for the quarterly presentation.
The gap that kills institutions is never the technology. I’ve sat in enough post-incident reviews, enough enforcement discussions, enough conversations with executives who genuinely couldn’t explain what their own systems were doing, to know what the real failure mode looks like. It isn’t the AI making a bad decision. It’s the distance between what the tool does and what the leadership team understands about what the tool does. The OCC closing that gap for itself—building internal capability, running its own GenAI in a supervised environment—is the right instinct. It’s the instinct that every bank should be acting on. Not because the regulator said so. Because it’s the only way to govern something you don’t understand yourself.
***
## What This Means for Your Institution
A version of AI governance looks correct from a distance. The policies exist. The AI committee meets. The risk register has a section. The vendor attestations are on file. That version of AI governance won’t survive a competent supervisory examination from a regulator that’s now building internal capability to look underneath the surface.
The question worth asking—in the next leadership discussion, not the next strategy cycle—is whether your institution’s understanding of its own AI keeps pace with what that AI is actually doing. Not the vendor’s answer to that question. Yours.
The OCC is building the capability to ask that question properly. The banks that are ready for it are the ones that asked it first.
Understanding your own AI isn’t a governance checkbox. It’s the one audit you can’t outsource.