Your Regulator Isn’t the SEC. Your Risk Is Bigger Than You Think.

Trust organizations are deploying AI tools at every level of their operations, including investment analysis, beneficiary communications, trust accounting, and trust analysis as examples. The tools are capable and the efficiency gains are real. What most trust companies have not yet built is the governance infrastructure to match.

That gap matters more for trust organizations than for any other segment of financial services, because the standard you are held to is the prudent investor rule, not a regulatory checklist. When something goes wrong, the question is not whether a regulator issued a rule about AI. It is whether the trustee exercised prudent judgment. An AI tool that influenced a consequential decision and left no documentation trail is a very difficult answer to that question.

Who Actually Regulates AI at Your Trust Company

If your trust company holds a federal charter or operates with national bank trust powers, your primary regulator is the Office of the Comptroller of the Currency. OCC model risk management guidance, Bulletin 2011-12 as updated in 2021, applies to AI models used in trust operations today without any new rulemaking required. AI tools used in investment management, distribution analysis, client communication, or trust accounting qualify as models under existing OCC guidance. Your model risk management program is expected to address them. Examiners are already asking about it.

State-chartered trust companies answer to their state banking regulator. Technology risk management expectations are accelerating across every major trust jurisdiction. The New York Department of Financial Services issued AI risk management guidance in 2026.¹ California, Massachusetts, and other states with significant trust company populations are following. Your state regulator does not have to publish a proposed rule before examining you for model risk management deficiencies. It has to show up with a prepared examination team, and those teams are increasingly prepared.

The Prudent Investor Rule Does Not Have an AI Exception

Every AI tool used in trust investment management, distribution analysis, or beneficiary communication is a decision-support tool operating under the trustee’s full fiduciary obligation. The fact that an algorithm contributed to the decision does not reduce the trustee’s liability for the outcome.

AI-assisted investment recommendations for trust portfolios. The prudent investor standard attaches to the tool selection, the model validation, the ongoing performance review, and the documentation of each. Selecting an AI tool without a documented due diligence process is itself a potential prudence failure, independent of whether the recommendations turned out to be sound. If the tool was not reviewed, the selection was not prudent regardless of the results.

AI-generated beneficiary communications. The trustee is responsible for the content of communications sent to beneficiaries, even if an AI tool produced the draft. A beneficiary who receives inaccurate, incomplete, or misleading information from an AI-generated communication has a claim against the trustee. The software vendor’s terms of service do not transfer that liability.

AI used in trust accounting. Accuracy obligations attach to the output, not the system that generated it. AI-assisted trust accounting introduces model error risk that the trustee bears. The prudent approach is periodic validation of AI accounting outputs against independent verification, with documentation of the validation process.

The trust document does not define AI. The court interpreting it will ask one question: did the trustee exercise prudent judgment in selecting, deploying, and overseeing the tools used to administer this trust? An undocumented AI tool with no validation record and no oversight documentation is a very difficult answer to that question.

What a Trust-Specific AI Governance Program Must Include

1. AI tool inventory. Every tool in use across trust administration, investment management, distribution processing, and beneficiary communication. Capture the vendor, the specific use case, the categories of trust data involved, and the date the tool entered operations. This is the baseline without which the rest of the program cannot be built.
   
   
2. AI Acceptable Use Policy. A written policy that defines what AI tools are approved for use across trust administration, investment management, distribution, and beneficiary communication. The policy should classify tools into approved, limited use, and prohibited categories, specify what categories of client and beneficiary data may and may not be processed by AI systems, and define what requires a supervisory review before use. For trust organizations, the policy must also address where human judgment is non-delegable under the fiduciary standard, so that staff understand which decisions AI can support and which decisions the trustee alone must make. The policy should be reviewed at a minimum annually and updated whenever new tools enter the firm’s operations.
   
   
3. Decision documentation. An audit trail for any AI-supported consequential decision: investment recommendations, distribution approvals, and material beneficiary communications. Document what the AI contributed, what the trustee reviewed, and what human judgment was ultimately exercised. The record demonstrates that the AI was a tool in the service of prudent judgment, not a substitute for it.
   
   
4. Vendor oversight. Third-party AI providers used in trust operations require due diligence documentation equivalent to any other significant service provider. Data handling, security protocols, retention policies, accuracy representations, and the vendor’s own governance framework are all appropriate subjects of documented review. The service provider relationship does not transfer fiduciary liability. The documentation demonstrates that the selection and oversight of the provider was itself prudent.
   
   
5. Trustee training. Human trustees must understand what the AI tools they deploy actually do, what those tools cannot do, and where human judgment is non-delegable under the fiduciary standard. Training records documenting this understanding are evidence of prudent process. A trustee who cannot describe the basis for a recommendation supported by an AI tool, in terms that demonstrate human judgment was engaged, has a defensibility problem that the training record alone cannot fix, but its absence makes the problem worse.

The trust industry has been largely absent from the AI governance conversation, treated as an afterthought in frameworks designed for RIAs and broker-dealers. That absence is dangerous. Trust organizations carry the strictest fiduciary obligations in financial services, answer to regulators who are already examining AI governance under existing authority, and face liability that no insurance policy fully covers. The firms that treat this moment as an opportunity to build governance programs on their own terms will be the ones that emerge from the next decade with their fiduciary reputation intact.

Subscribe to the Peaks Perspective Newsletter.

Join our newsletter to get topics like this delivered straight to your inbox every month!
Subscribe Now

Endnotes

¹ New York State Department of Financial Services. “Guidance on Managing Artificial Intelligence-Related Risks.” DFS.ny.gov, 2026, www.dfs.ny.gov/industry_guidance/industry_letters/il20260101_ai_risk. Accessed 23 Mar. 2026.

² Office of the Comptroller of the Currency. “Supervisory Guidance on Model Risk Management.” OCC Bulletin 2011-12, updated 2021, www.occ.gov/news-issuances/bulletins/2011/bulletin-2011-12.html. Accessed 23 Mar. 2026.