Stay up to date on the latest vendor risk management news happening this month. Check out the articles below.
AI governance in mortgage banking has moved from theory to regulatory expectation. AI is no longer experimental in mortgage banking — it's embedded in pricing, fraud detection, document analysis, appraisal review, and servicing. The question now is whether lenders can defend it to examiners, investors, and GSEs. As regulatory scrutiny increases, lenders must demonstrate that each AI system was identified, risk-rated, tested, governed with clear ownership, monitored for drift, and controlled through enforceable vendor contracts. Lenders need a complete inventory of AI tools and must extend AI governance to their third-party vendors.
Federal Reserve to update third-party risk guidance, signals shift on AI oversight. Vice Chair for Supervision Michelle Bowman addressed the FSOC AI roundtable on cybersecurity and risk management, signaling two significant supervisory shifts. First, the Fed, along with the OCC and FDIC, amended model risk management guidance to clarify it doesn’t apply to generative or agentic AI, acknowledging that prior guidance had been stretched beyond its original scope. Second, the Fed is actively working to update and simplify its third-party risk management guidance, which Bowman described as too vague in scope and application. She also noted that banks of all sizes have raised concerns about access to the Anthropic Mythos model and its cybersecurity implications, and that regulators will continue communicating emerging risks as the technology evolves.
Banks tighten defenses as AI model raises systemic concerns. Anthropic's security-focused model Mythos demonstrated the ability in testing to identify previously unseen software vulnerabilities and turn them into working exploits — including one bug that had gone undetected for 27 years. Anthropic hasn’t released the model publicly, granting access only to select partners. However, banks are already responding, including limiting Anthropic access and establishing task forces. Industry observers note the immediate pressure points are attack-surface scanning cadence, incident response playbooks, and vendor contract security clauses.
Third-party breaches are defining the AI-era threat landscape. A cybersecurity outlook report found that third-party and supply chain breaches have quadrupled over five years. The report identifies supply chain and third-party software as one of three primary vulnerability categories, noting that a survey ranked limited insight into upstream suppliers as a top cyber risk. Contracts are the primary protection for organizations, including mandatory breach notification timelines, visibility into subcontractors and fourth parties, clarity on data storage and AI training use, and requirements for independent audits over self-reported questionnaires.