How The Police Credit Union Adopted AI and Stayed Audit-Ready

Last updated: June 2026.

The Police Credit Union (TPCU), a credit union with $1.05 billion in assets serving 39,000 members, used Aurascape to let its employees adopt AI across the business while protecting member data and staying ready for examination by the National Credit Union Administration (NCUA). Rather than block generative AI and fall behind, the credit union deployed Aurascape in two phases to govern AI use with prevention-focused policies. This led to a projected 27 percent gain in productivity, an 83 percent reduction in AI-based risk, and an audit-ready posture, all without exposing member nonpublic personal information (NPI) or personally identifiable information (PII).

Before deploying Aurascape, the credit union had seriously considered blocking generative AI outright. As Victor To, CISSP, Senior Security Architect at The Police Credit Union, put it:

“Without Aurascape, we had seriously considered blocking all GenAI usage. That would have held us back while others moved forward.”
Victor To, CISSP, Senior Security Architect, The Police Credit Union

That is the choice most regulated institutions now face. AI has become standard equipment in the enterprise, with 88 percent of organizations using it regularly in at least one business function (McKinsey, 2025). This credit union AI compliance case study walks through how The Police Credit Union adopted AI without compromising compliance: the obligations it had to satisfy, the controls it put in place with Aurascape, and the results it projects (Aurascape, 2026).

A forward-thinking credit union that chose to enable AI

The Police Credit Union wanted its people to use AI for real work: summarizing procedures, drafting member communications, assisting with underwriting, and more. The goal was to capture that productivity without exposing member NPI or PII, and to stay audit-ready by proactively aligning with NCUA guidance and the NIST AI Risk Management Framework (AI RMF). This is a credit union getting ahead of AI risk on its own terms, not reacting to a problem (Aurascape, 2026).

| Company profile | Detail |
| --- | --- |
| Organization | The Police Credit Union (TPCU) |
| Headquarters | San Bruno, California |
| Assets under management | $1.05 billion |
| Members | 39,000 |
| Employees | 150 |

The compliance problem a credit union faces when employees use AI

A credit union does not get to treat AI as an experiment. It is a federally insured institution with standing obligations to protect member information, and AI use intersects every one of them. The challenge was not that anything had gone wrong. It was that the credit union’s existing tools were built for web and SaaS traffic and lacked the visibility into AI interactions needed to govern them with the precision regulators expect.

| What the credit union needed | Why legacy security tools fall short | What Aurascape provides |
| --- | --- | --- |
| Demonstrable controls and evidence for examiners | GLBA and NCUA Part 748 expect a documented, testable information security program; destination-based tools cannot show what was prompted, what returned, or which policy fired. | Audit-ready, conversation-level interaction records mapped to GLBA, FFIEC, and NCUA expectations. |
| Control over shadow AI | Unvetted tools and personal accounts introduce member-data and compliance risk that a static application list never catches. | Automated discovery and risk scoring of new and embedded AI, with enforcement of enterprise accounts over personal ones. |
| Prevention of member-data leakage | Unmonitored prompts and responses could carry NPI, account details, or procedures to tools the credit union had not vetted. | Inline detection that can redact or block member data before it reaches an external AI model, without slowing legitimate work. |
| Contextual visibility into AI use | Traditional tools miss many brand-new and embedded AI features and lack conversation context, which limits policy precision. | Full, contextual visibility into AI applications, users, and the data shared in each interaction. |

Under 12 CFR Part 748, every federally insured credit union must maintain a written information security program with administrative, technical, and physical safeguards for member information, defined as any record containing nonpublic personal information about a member (NCUA Part 748). Regulation P governs the privacy of that information, and FFIEC guidance shapes how examiners evaluate the program. None of these were written for AI, but all of them apply the moment member data moves into an AI prompt. For a wider view of how these obligations sit alongside newer AI frameworks, see Aurascape’s overview of AI compliance frameworks.

Extending the security program to cover AI

The Police Credit Union did not invent a separate AI rulebook. It extended the controls it already runs under GLBA, NCUA Part 748, Regulation P, and FFIEC procedures to cover AI usage, and it mapped those controls to the NIST AI RMF so it could demonstrate alignment with how regulators articulate AI risk. The NIST AI RMF is voluntary, but it is the common methodology US regulators point back to, built around four functions: Govern, Map, Measure, and Manage (NIST AI RMF).

Aurascape gives each of those functions something concrete to stand on, which is what turns a policy on paper into a control an examiner can verify (Aurascape, 2026).

| Anchor | What it expects | How The Police Credit Union meets it with Aurascape |
| --- | --- | --- |
| GLBA and NCUA Part 748 | Safeguard member NPI; maintain a documented, testable information security program. | A complete AI inventory plus inline prevention that keeps member data from leaking through AI prompts and responses. |
| NIST AI RMF: Govern | Accountability, roles, and oversight for AI risk. | Role-based governance and board-level reporting through Auri, so Security, Compliance, HR, and leaders each see AI use, risk, and outcomes. |
| NIST AI RMF: Map | Know which AI systems are in use and the risk each carries. | Automated discovery and risk scoring of AI applications, agents, and embedded AI, including shadow AI inside approved tools. |
| NIST AI RMF: Measure | Track and evidence AI risk over time. | Continuous monitoring with audit-ready, conversation-level records and metrics, governed by role-based access control (RBAC) for privacy. |
| NIST AI RMF: Manage | Act on AI risk and remediate it. | Inline enforcement that can allow, coach, warn, block, or redact based on the full context of an interaction. |

One point matters for any compliance leader reading this. A security platform does not make an organization compliant, and it does not replace legal counsel or a formal examination. What Aurascape does is operationalize the controls and produce the evidence that lets compliance and legal teams show those controls were in place and enforced (Aurascape, 2026).

How The Police Credit Union put AI to work, safely

The productivity case is not about a single chatbot. It is about letting employees across the credit union use approved AI tools for daily work while Aurascape keeps member data inside the boundary. This is governance of sanctioned, licensed tools through entitlement and context, not only the blocking of shadow AI. The credit union projects a 27 percent gain in productivity from safely adopting AI across these functions (Aurascape, 2026).

| Function | How employees use AI | What Aurascape protects |
| --- | --- | --- |
| Loan origination and underwriting | Accelerate document review and decision support across the origination and underwriting process. | Keeps SSNs, member information, driver’s license images, and account and routing details from leaving the loan origination system or CRM through unapproved AI use. |
| Member support and contact center | Draft accurate responses to balance, payoff, and dispute questions, and summarize account history. | Prevents SSNs, payment card numbers, and account numbers from reaching unapproved AI systems. |
| Marketing and member outreach | Draft campaigns and member communications quickly and consistently, within defined guardrails. | Ensures no member information is exposed to public AI models during the process. |
| Collections and delinquency management | Review delinquent accounts, analyze repayment options, and summarize payment histories to prioritize outreach. | Keeps sensitive financial and member data secure while staff prepare follow-up communications. |
| Compliance and risk reporting | Approved staff summarize SARs, BSA and AML alerts, and filings with proper access. | Flags sensitive member information and requires the user to review and verify a message before it is sent. |
| Executive and board reporting | Leaders review and analyze operational and financial information. | Safeguards highly sensitive data privileged to the C-suite and upper management. |

How The Police Credit Union minimized AI risk

On the protection side, Aurascape works in the live path of every AI interaction. It discovers AI applications and shadow AI inside existing tools for a real-time inventory, then uses access controls and context-aware policies to block unapproved or high-risk tools and behaviors as they happen, while guiding users toward approved alternatives and generating audit-ready logs (Aurascape, 2026). It steers staff onto enterprise accounts for approved AI tools and away from personal ones, and it governs embedded AI inside SaaS applications and chatbots, the traffic legacy tools most often miss.

Underneath that sits real-time, multimodal data protection. Aurascape detects and prevents sensitive member data in prompts and responses from reaching external AI models or third-party vendors, using out-of-the-box classifiers built for credit-union data (Aurascape, 2026). The categories it detects and governs include:

  • Member and account numbers, ABA routing numbers, and check (MICR) line details.
  • Social Security numbers, driver’s licenses and state IDs, and passports.
  • Payment card numbers, CVV codes, and expiration dates.
  • Loan and application IDs, income documents such as W-2s and pay stubs, and wire and ACH instructions.

By uncovering risky AI use and coaching users away from it, rather than letting member data slip out unseen, The Police Credit Union projects an 83 percent reduction in AI-based risk. The point is not that the credit union had lost data. It is that the risk was minimized and member data stayed protected as AI use expanded (Aurascape, 2026).

A two-phase deployment built for speed and low disruption

Aurascape rolled out in two phases (Aurascape, 2026). Phase one, Visibility, built the AI application inventory through automated discovery of new AI apps and features, application risk assessments, and visibility into user entitlements and data exposure. Phase two, Protection, coached users away from risky AI use, required enterprise accounts for approved AI tools, and mapped data protections to credit-union classifiers to prevent member-data leakage.

The architecture is part of why this moved quickly. Aurascape applies inline, real-time prevention without proxy auto-config (PAC) files or local routing changes, and it routes only AI traffic, so the rest of the credit union’s traffic stays on its existing path through its current firewall. It is an additive layer that complements the security stack already in place rather than replacing it (Aurascape, 2026).

Why The Police Credit Union chose Aurascape

Several capabilities made Aurascape a fit for a regulated credit union rather than a generic AI filter (Aurascape, 2026). It evaluates both the prompt and the response, so it catches risk on either side of a conversation. Its intent-aware controls, called Intentions, give granular control over specific functions inside an AI application, not just whether a user can reach it, which is how the credit union governs AI usage in context. Its credit-union-specific classifiers detect member data such as account numbers, driver’s licenses, and SSNs out of the box. And its role-based governance through Auri gives Security, Compliance, HR, and leaders distributed oversight in plain language, with no security console or query syntax required.

For an examiner, the result is tangible. Aurascape can export audit-ready evidence of AI usage control, including the AI inventory, policy decisions, and decoded interaction records an NCUA examiner can review, in under 24 hours.

The projected results

By extending its security program to AI with Aurascape, The Police Credit Union projects the following (Aurascape, 2026):

| Outcome | Result |
| --- | --- |
| Examination posture | AI audit-ready |
| Productivity | Projected 27 percent gain |
| AI-based risk | Projected 83 percent reduction |
| Audit-ready evidence | Exportable in under 24 hours |

The throughline is that compliance and adoption moved together. Because the credit union could see and control AI use in context, it could open AI to its employees, protect member data inline, and stand ready for an NCUA examination at the same time, instead of trading one against another.

Frequently asked questions

Can a credit union adopt AI and stay compliant with GLBA and NCUA requirements?

Yes. GLBA and NCUA Part 748 require a credit union to safeguard member nonpublic personal information and maintain a documented information security program. Adopting AI does not change those obligations; it adds a new channel the program has to cover. The Police Credit Union extended its existing controls to AI use and mapped them to the NIST AI RMF, which let it enable AI while keeping member data protected and staying ready for examination.

How does Aurascape help a credit union prepare for an NCUA examination?

Aurascape maintains a complete inventory of AI applications and agents in use, enforces policy on AI interactions in real time, and generates audit-ready, conversation-level records of what was prompted, what was returned, what data was involved, and which policy decision fired. Those records map to GLBA, FFIEC, and NCUA expectations and can be exported in under 24 hours, which is the evidence an examiner asks to see. Aurascape produces that proof; it does not replace legal counsel or the examination itself.

How does Aurascape map to the NIST AI Risk Management Framework?

The NIST AI RMF is built around four functions. Aurascape supports Map through automated discovery and risk scoring of AI use, Measure through continuous monitoring and audit-ready logs, Manage through inline enforcement that can allow, coach, warn, block, or redact, and Govern through role-based reporting and accountability delivered by Auri. Together they let a credit union demonstrate alignment with how regulators articulate AI risk.

How does Aurascape prevent member NPI and PII from leaking into AI tools?

Aurascape inspects prompts and responses in the live path and uses multimodal classifiers built for credit-union data to detect identifiers such as SSNs, account and routing numbers, payment card numbers, and loan documents. When an interaction carries member data, Aurascape can redact it inline or block the action before it reaches an external AI model or third-party vendor, without blocking legitimate work.

How does Aurascape handle shadow AI at a financial institution?

It discovers AI applications and shadow AI inside existing tools, including embedded AI features and personal-account use, and scores the risk of each. It then steers employees onto sanctioned enterprise accounts for approved tools and blocks unapproved or high-risk ones, so the credit union stays in control of a growing long tail of AI tools rather than chasing it after the fact.

Does Aurascape replace a credit union’s existing security stack?

No. Aurascape is additive. It routes only AI traffic and leaves the rest of the credit union’s traffic on its existing path, so it runs alongside the firewall, secure access, and data protection tools already in place. It focuses on the AI interactions those tools were not designed to understand, and it deploys without proxy auto-config files or local routing changes.


Aurascape lets a regulated credit union adopt AI with confidence by discovering every AI tool in use, governing each interaction in context, protecting member data inline, and producing the audit-ready evidence an examiner expects. The Police Credit Union used it to turn a choice between blocking AI and accepting risk into a third option: adopt AI safely, and stay ready for examination.
