Recent Developments Highlight Increasing Urgency for Effective AI Risk Management

As the adoption of AI continues to increase across the industry, financial services companies should take heed of the increasing urgency of implementing a strong AI risk management framework even in the absence of legal and regulatory requirements to do so. We recently highlighted the a ruling from the United States District Court for the Southern District of New York that documents that a criminal defendant generated using Claude, and potentially all the information that the defendant inputting into that AI platform, are not protected by attorney-client privilege or the work product doctrine. Soon after, news broke of a bank who suffered a data breach from an employee’s misuse of AI tools that was sufficiently severe to warrant disclosure in its 8-K filings. State attorneys general have also been actively investigating companies for AI-related issues under laws prohibiting discrimination and unfair or deceptive acts or practices, as well as antitrust laws. As the inherent risks of using AI continue to be uncovered, the need for effective, AI-specific oversight and governance to mitigate those risks is only becoming clearer and more critical.

Recent Developments in AI Use With Customer Data

On May 11, 2026, CB Financial Institutions, Inc., a publicly traded bank holding company, filed an 8-K report with the Securities and Exchange Commission, detailing an internal cybersecurity incident deemed to be material due to the volume of sensitive information handled using unauthorized artificial intelligence-based software. This report, seemingly the first of its kind stemming from internal AI usage, could carry significant business and legal implications in the future.

The filing reports that the Bank became aware of an “internal incident” on May 5, 2026, involving the handling of non-public customer information, such as customer names, social security numbers, and dates of birth. Though the Bank reports that while this incident has not created a material impact on the company’s consolidated financial condition or results of operations, due to the volume and sensitive nature of the data involved, the incident was deemed material on May 7, 2026. On May 11, the Bank made its public filing.

“Shadow” AI usage by employees is a growing trend; organizations are learning that their employees are using AI tools that have not otherwise been vetted or approved by the organization. Shadow AI often utilizes the access permissions of the employee who set it up, meaning that the AI could possibly access all internal databases that the employee could access. In some circumstances, it can accumulate information operating across the internal network, including accessing trade secrets, sensitive financial information, or in the case of the Bank, sensitive personal information of consumers. Without information on what and where AI is being deployed within an organization, effective governance is not possible.

For certain financial services companies, state and federal reporting requirements may require notification to regulators within 36 hours of determining materiality. In addition, publicly traded companies have four days to file a report with the SEC after determining an incident is material.

Recent Observations in Back-Office Use of AI

Financial services companies that restrict AI usage to non-public, back-office functions may feel that they have sufficiently mitigated AI-associated risks, but our recent observations across a large number of clients demonstrates that unrestricted and unmonitored AI use even in tasks that do not relate to customer data can present substantial risk.

For example, we have seen the advent of AI note-takers and AI meeting transcription in a variety of board, committee, and managerial contexts. These electronic records have begun to arise in litigation discovery and regulatory enforcement document requests; they generally contain much more detailed and less precise descriptions of company business practices than financial services institutions would traditionally memorialize in human-generated materials. In addition, such transcripts and meeting notes often are not consistently reviewed for accuracy, potentially resulting in the memorialization of incorrect or mischaracterized information that is hard to later disclaim to opposing counsel or a skeptical regulator.

Others who use such tools only to facilitate human-prepared memoranda and minutes are not always applying appropriate retention and destruction policies resulting in prolonged or permanent retention of AI-generated content. And transcripts from some AI tools are failing to properly identify the participation of counsel during privileged communications, which may result in the loss of privilege during future litigation.

What Now? Practical Takeaways

In light of these developments, companies should consider the following steps:

  1. Establish or review company-wide AI acceptable use policy, require AI specific training as part of information security training, and classify what data is prohibited from use with external or unauthorized AI tools. Policies should take specific aim to address human review of AI-generated documents for accuracy, document retention policies, and preservation of privilege, when applicable.

  2. Employ technical controls to prevent loss prevention and block the transmission of sensitive data to unauthorized AI platforms, restrict or monitor employee access to AI platforms on entity networks. Entities should understand what access employees have to unauthorized AI throughout its work platforms, and to the extent possible, what data that AI has access to.

  3. Update incident response plans to address unauthorized AI use, including how to assess materiality, how to escalate, and what notifications must be sent following an incident.

  4. Ensure that vendor and third-party contracts confirm data protection, and restrict the use of submitted data for AI training or improvement.

The central lesson from recent months is that a robust AI governance and risk framework is not only essential to reducing a company’s risk—it can also serve as an opportunity to rethink how AI tools are deployed within an organization to more fully realize their value in a compliant manner. Visibility and comprehensive understanding of where and how AI programs are operated, and what information those AI programs have access to, will be essential to getting the most from AI while preventing and responding to its evolving risks.

Download a PDF copy HERE.

About the Authors

Chris Napier is a Partner at Mitchell Sandler. His practice focuses on providing regulatory counseling, strategic advice and representation during government enforcement matters, including matters involving commercial, consumer and alternative credit products; money transmission and payments; deposit issues; and partnerships between fintech companies, depository institutions, and lenders.

Shelby Schwartz is Counsel at Mitchell Sandler. Her practice focuses on financial regulatory and compliance matters, with a concentration on deposit accounts, financial data privacy, and state lending laws. She advises a wide variety of financial services providers, from banks to financial technology companies. Shelby has successfully assisted clients in responding to regulatory inquiries and enforcement matters, including those brought by the Consumer Financial Protection Bureau, the Department of Justice, and various state regulators. She regularly assists clients in assessing their deposit account fee structures and deposit account agreements, analyzing data breach obligations, developing privacy policies, and developing financial products and services within appropriate regulatory models.

SIGN UP FOR UPDATES

Never miss our news, insights or events.

FEATURED NEWS

Next
Next

Oregon 36% APR Cap Under Challenge: Implications for State-Chartered Bank Partnership Programs