The GSEs Just Made AI Governance Non-Negotiable.

Frank Barilone Jr., MBA

Barinhall Consulting  •  AI Governance, Regulatory Intelligence & Workflow Automation

June 2026

Freddie Mac’s Bulletin 2025-16 took effect March 3, 2026. Fannie Mae’s Lender Letter LL-2026-04 lands August 6, 2026. For every seller/servicer operating in the GSE market, AI governance just moved from a best practice to a binding contractual obligation.

And yet most of the industry is still having the wrong conversation.

Executives are asking how fast they can deploy chatbots and voice agents. Product teams are running RFPs for servicing automation tools. Boards are being shown demos of AI copilots that promise to slash cost-to-serve by 30 percent. Meanwhile the foundational work that makes any of that viable, defensible, and auditable is still sitting undone.

I have spent 20+ years on the servicer side of this business, running product, execution, and vendor strategy across a multi-billion-dollar home lending servicing portfolio. What I have seen consistently across the industry is not a lack of ambition or urgency around AI. It is the opposite. The enthusiasm is real, the investment appetite is real, and the pressure to move fast is real. The gap is almost never intent. It is sequencing. Organizations reach for the channel layer before the foundational knowledge, orchestration, and model work is done. Not because leadership is wrong to want results, but because the infrastructure question is harder to see from the outside and easier to defer than it should be.

Here is what the mandates actually require and what most firms are going to get wrong.

What Freddie and Fannie Are Actually Asking For

Freddie’s requirements are the more operationally prescriptive of the two. They mandate documented AI and ML policies approved by a named C-suite executive, specifically CIO, CTO, CISO, or CRO. They require regular internal and external audits measured against NIST 800-53 and ISO 27001. They require ongoing monitoring for bias, performance degradation, and security threats including data poisoning, model inversion, and prompt injection. They require segregation of duties. And the whole framework carries a broad indemnification clause holding Freddie harmless from losses arising from a seller/servicer’s AI use.

Fannie’s letter is somewhat less prescriptive but still requires a documented governance program with a named owner, annual policy reviews, vendor oversight that is no less protective than your own internal standards, and the ability to disclose on demand what AI you use, why you use it, and what safeguards are in place.

The part most firms are underestimating: both GSEs hold you accountable for the outcome regardless of who built the model. You cannot delegate accountability to your vendor. As Mirza Hodzic of BlackWolf Advisory Group put it plainly, you cannot just say the vendor is the AI tool and walk away. You own the result.

The Real Problem Is Not the Rulebook

The deeper issue is not whether servicers can produce governance documentation. It is whether they have the underlying infrastructure to support AI that is actually auditable, explainable, and reliable in a regulated workflow.

Here is the distinction that is not being made clearly enough.

Most of the investment right now is going into what I would call the channel layer: chatbots, voice agents, RPA bots, copilots, borrower communication automation. These are the visible outputs. The things you can demo in a board meeting and put in a press release.

Beneath them are the foundational layers that make those tools safe to operate in a regulated environment:

The data ontology and semantic layer: a shared, governed definition of what your data actually means, so every agent and every human sees the same customer, the same context, the same truth.

The orchestration and inference layer: the production runtime that routes tasks, validates outputs, logs decisions, and creates the audit trail that regulators and examiners will ask for.

The model and ML infrastructure: versioning, monitoring, bias testing, RAG pipelines, and governed data stores that can prove a decision was made the way you said it was made.

Most servicers are buying the channel layer on top of a foundation that does not exist yet. The result is not going to be cost savings. It will be a second exception queue running parallel to the first one, more manual overrides than the process it was supposed to replace, and a fair lending exposure hiding inside a black box that cannot explain a single adverse action.

Here is how this typically unfolds. A servicing AI tool enters the evaluation process with a strong ROI story around call deflection and FTE efficiency. The demo is compelling; an exec wants to hear more and dive into the use cases. What is harder to see in that moment is that the demo was built on clean, well-structured data that often bears little or no resemblance to the production environment it is being sold into. The questions around procedure indexing, workflow execution logic, data architecture, and legacy system integration are real prerequisites, but they rarely surface during a vendor-led evaluation. The gap between the demo and the deployment is where the value case quietly falls apart.

The opportunity here is real and the urgency is legitimate. But speed without sequencing is not a strategy. The firms that build durable AI capability will be the ones that asked the infrastructure question first, even when the market pressure was pushing in the other direction. That discipline is what separates a one-time deployment from a compounding operational advantage.

What the Firms Getting This Right Are Doing Differently

The firms building genuine competitive advantage through AI governance are doing three things differently.

First, they are sequencing the investment correctly. They are building the data ontology and semantic layer before they scale the channel layer. Cotality is building knowledge graphs that allow AI to understand how data elements relate to each other across the servicing lifecycle. Ocrolus has built a dedicated inference layer for regulated lending workflows rather than running production decisions directly on general-purpose models. ICE Mortgage Technology’s Aurora framework embeds AI directly into system-of-record workflows with human-authorization requirements on sensitive actions. These are not companies that started with the chatbot.

Second, they are treating governance as a sales asset, not a compliance cost. Friday Harbor recently became the first mortgage technology provider to complete a formal AI Governance Attestation from Brody Gapp LLP, evaluated across fair lending, model governance, data governance, and examination readiness. They did it before any regulator required it. In a market where 94 percent of lenders depend on vendor-provided AI, the ability to hand a prospective enterprise client a defensible governance file is becoming a material differentiator.

Third, they are building audit trails proactively. The time to produce documentation of your AI governance program is not when an examiner asks for it. The servicers who will handle the post-August 6 Fannie examination environment well are the ones who can walk in with an AI system inventory, named business owners for each use case, vendor attestations, and evidence of ongoing monitoring. Not because they scrambled to produce it but because they built the infrastructure to generate it continuously.

Where to Start

If you are a servicer or a technology vendor reading the Freddie and Fannie mandates for the first time, here is the operational sequence that actually matters.

Build your AI system inventory first. Document every AI-enabled system in your environment, including AI that is embedded inside your existing LOS, servicing platform, QC tools, and communication systems. Many servicers are unknowingly running AI they did not deliberately choose because it shipped inside a platform update.

Assign a named business owner to every use case. Governance cannot live in a generic risk or technology department. Each AI application needs a human accountable for it by name.

Audit your data foundations before your next AI RFP. If your data is siloed, inconsistently defined, or lacks governance, that is where the investment needs to go first. Deploying an agent on top of fragmented data does not compress costs. It accelerates errors at scale.

Build your vendor governance posture. Your agreements with third-party AI providers need to reflect the same standards you are being held to by the GSEs. If your vendor cannot tell you where your borrower data goes, what model trained on it, and how decisions are logged, that is a contractual gap, not just a compliance question.

The firms that get this right will not just survive the GSE examination environment. They will use governance maturity to win business, protect their secondary market relationships, and separate themselves from the competitors still doing demos on borrowed data.

None of these steps require a massive capital program. They require discipline and the right sequencing before the next vendor conversation starts. The firms that rush the channel layer without fixing the foundation are going to spend the next two years paying for the shortcut.


About the Author

Frank Barilone Jr. is a governance, compliance, and data analytics professional with 20+ years of financial services experience, including 15 years leading product and vendor strategy across a multi-billion-dollar home lending servicing portfolio. He operates Barinhall Consulting, an advisory practice focused on AI governance, regulatory intelligence, and workflow automation for financial services firms.

Disclaimer

The views, opinions, and analysis expressed in this article are solely those of Frank Barilone Jr. and are provided for informational purposes only. They do not represent, reflect, or constitute the views, positions, or opinions of any current or former employer, its subsidiaries, or affiliates. Nothing in this article should be construed as legal, regulatory, compliance, or financial advice. Readers should consult qualified legal and compliance counsel before making decisions based on the information presented.

The Lending Loop

The Lending Loop

Keeping mortgage pros in the loop and always steps ahead.

Keep Reading