Customer Case Study

How The Police Credit Union Met Compliance Requirements While Enabling Responsible AI Adoption

The Police Credit Union (TPCU) deployed Aurascape in two phases, visibility first and protection second, to govern AI usage, protect member data, and align its security program with NCUA AI guidance and the NIST AI Risk Management Framework. Staff use approved AI tools to work faster, and the credit union keeps examiner-ready evidence that AI is being used responsibly.

AI Audit Ready

Controls mapped to NCUA AI guidance and the NIST AI RMF, with conversation records an examiner can review.

27%

Projected productivity gains

TPCU projects a 27% productivity gain from approved AI use across lending, member support, marketing, collections, and reporting.

83%

Projected risk reduction

By uncovering and coaching users away from unsanctioned and risky AI use, TPCU projects an 83% reduction in AI-based risk.

AURASCAPE

Customer Journey

01

Challenges

NCUA audits and GLBA/FFIEC guidelines demand proof of AI controls, while shadow AI and unmonitored prompts put member NPI/PII at risk.

02

Solution

Deploy Aurascape in two phases: visibility to build the AI inventory and risk picture, then protection through user coaching, enterprise accounts, and credit-union data classifiers.

03

Results

An AI security program aligned to NCUA AI guidance and the NIST AI RMF, with a projected 27% productivity gain and a projected 83% reduction in AI-based risk.

CUSTOMER CONTEXT

The Police Credit Union

The Police Credit Union set out to stay audit-ready and compliant while improving productivity. Employees wanted AI for summarizing procedures, drafting member communications, and assisting with underwriting. All of it had to happen without exposing member nonpublic personal information (NPI) or personally identifiable information (PII), and with evidence ready for National Credit Union Administration (NCUA) examiners.

About the Customer

Headquarters
San Bruno, CA
Assets Under Management
$1.05B
Members
39,000
Employees
150

CHALLENGES

What the Credit Union Needed to Solve

Regulatory Expectations

Gramm-Leach-Bliley Act (GLBA) guidelines, FFIEC procedures, and NCUA audits require demonstrable controls and evidence. TPCU needed to extend its security program, including Reg P safeguards, to cover AI usage.

Shadow AI

Unvetted AI tools and personal accounts introduce data leakage and compliance risk. Neither carries the vendor diligence the security program requires.

Data Leakage

Unmonitored prompts and responses could expose sensitive data: member NPI/PII, account details, or internal procedures. Risk sits on both sides of the exchange, in what employees send and in what comes back.

Limited Visibility

Traditional security tools miss brand-new AI tools and embedded AI inside SaaS apps and websites. Without conversation context, policy cannot be precise.

OBJECTIVES

  • Provide audit-ready reporting and interaction logs mapped to GLBA, FFIEC, and NCUA expectations, so examiners review evidence rather than policy statements.
  • Surface and prevent risky AI interactions, and uncover and remediate shadow AI before it reaches member data.
  • Enforce policies that prevent NPI/PII exposure in prompts and responses without blocking the legitimate work employees rely on.
  • Gain full, contextual visibility into AI apps, users, and shared data, including the embedded AI that destination-based tools miss.
  • Map AI controls to the NIST AI RMF (Govern/Map/Measure/Manage) and NCUA AI guidance, demonstrating alignment with how regulators articulate AI risk.

OUTCOMES

TPCU is AI audit ready, with a projected 27% productivity gain and a projected 83% reduction in AI-based risk.

The credit union extended GLBA mandates, FFIEC procedures, Reg P safeguards, and its NCUA security program to cover AI usage, with a complete AI inventory, risk scoring, and continuous monitoring. Employees use approved AI tools across loan origination, member support, marketing, collections, compliance reporting, and executive reporting, while Aurascape keeps identifiers such as SSNs, account numbers, and card PANs out of unapproved AI systems.

By mapping AI controls to the NIST AI RMF (Govern/Map/Measure/Manage) and NCUA AI guidance, The Police Credit Union security program demonstrates alignment with how regulators articulate AI risk.

Ensuring Compliance

TPCU Regulatory Compliance Assurance with Aurascape

Extend the security program to AI (NCUA AI Compliance Plan)

Align with the NCUA’s AI Compliance Plan outlining the strategies and measures in place to oversee responsible AI implementation, provide a strong AI governance framework, and ensure transparency and accountability.

Continuous monitoring & controls (NCUA Compliance Plan/Part 748; NIST Measure/Manage)

Always-on AI app inventory, user/app visibility, and new-feature discovery with auditor-ready logs and metrics. Conversation-aware guardrails protect member information across prompts and responses.

Service-provider & embedded-AI oversight (NCUA AI Compliance Plan/ Part 748; NIST Supply-Chain Risk)

Enforce enterprise accounts, block unsanctioned apps, and govern functions within AI apps.

Privacy-by-default for PII/NPI (NCUA AI Compliance Plan/Part 748; NIST Map/Measure)

Prevent SSNs, account numbers, and other identifiers from leaking via inputs and outputs, without slowing work.

Executive accountability & board reporting (NIST Govern)

Role-based reporting and natural-language investigation give leaders line-of-sight into AI use, risk, and outcomes.


“We’re prepared for the NCUA AI Compliance Plan and have a implemented a clear framework to guide staff in adopting AI responsibly.
Without Aurascape, we had seriously considered blocking all AI usage. That would have held us back while others moved forward.”

Victor To, CISSP
Senior Security Architect

PRODUCTIVITY

How The Police Credit Union Embraced AI, Safely

TPCU projects a 27% boost in productivity by allowing employees to safely leverage AI for their work.

Loan Origination & Underwriting

Staff can securely leverage AI to accelerate document review and decision support throughout the origination and underwriting process. Aurascape keeps SSNs, member info, DL images, and account/routing info from leaking out of the LOS/CRM via unapproved AI usage.

Member Support & Contact Center

Frontline employees use approved AI tools to quickly draft accurate responses to member inquiries such as balance, payoff, and dispute questions, while also summarizing account history and documenting interactions efficiently. Aurascape automatically prevents sensitive data such as SSNs, PANs, and account numbers from being exposed to unapproved AI systems, ensuring regulatory compliance.

Marketing & Member Outreach

Marketing and sales teams use approved AI tools to draft campaigns and member communications quickly and consistently, staying within defined guardrails. Aurascape ensures no sensitive or member information is exposed to public AI models during this process.

Collections & Delinquency Management

Employees can use approved AI tools to review delinquent accounts, analyze repayment options, and summarize member payment histories. These tools help staff identify trends, prioritize outreach, and prepare accurate communications for follow-up while ensuring sensitive financial and member data remain secure.

Compliance & Risk Reporting

Compliance staff may only use approved AI tools with proper access to summarize SARs, BSA/AML alerts, and filings. Aurascape will flag any sensitive member information, and users must review and verify the message before sending to ensure compliance.

Executive & Board Reporting

Leaders use approved AI tools to review and analyze operational and financial information, while Aurascape safeguards against the exposure of highly sensitive data privileged to the C-suite and upper management.

Mitigating Risks

TPCU projects an 83% reduction in AI-based risk.

Discover & Monitor AI Use

Automatically discover AI applications and shadow AI within existing tools, providing contextual visibility into risks, usage, and data exposure for a real-time AI inventory.

Terminate Risky AI Usage

Access controls combined with intent-aware policies block unapproved or high-risk tools and behaviors in real time, while guiding users and generating audit-ready logs.

Enable Approved Apps with Enterprise Accounts

Ensure staff use enterprise accounts for approved AI tools and guide them away from personal accounts, enabling policy-aligned AI adoption.

Secure Use of Embedded AI in SaaS & Chatbots

Govern interactions with AI features inside apps and websites, traffic traditional security tools often miss.

Protected Member Data Detected & Governed

• Member number / account number; ABA routing & MICR line elements
• SSN; driver’s license / state ID; passport
• Card PAN (debit/credit), CVV, expiration
• Loan/application IDs; income docs (W-2, paystubs); wire/ACH instructions

WHY AURASCAPE

Inline protection with the evidence built in.

Compliance required more than an acceptable use policy. TPCU needed controls that run in the interaction path, understand conversation context, and produce records that stand up in an exam. Aurascape’s architecture matched the requirement.

Architecture & Ease

Inline, real-time prevention with no PAC files or local routing changes. Aurascape steers only AI traffic, so the rest of the network stack stays untouched.

Conversation Context

Evaluates prompts and responses to catch risks on both sides of the exchange. Policy decisions draw on what the conversation actually contains.

Intent-Aware Controls

Granular control over specific functions within AI apps. An approved application stays available while a risky action inside it gets blocked.

Credit Union-Specific Classifiers

Out-of-the-box detectors for member information: account numbers, driver’s license and state ID, SSN, card PANs, and other identifiers. Detection and prevention run in real time, before data reaches an AI model or third-party vendor.

Role-Based Governance

Distributed oversight for Security, Compliance, HR, and leaders through Auri™. Reporting and natural-language investigation give each role line of sight into AI use, risk, and outcomes.

Audit-Ready Evidence

Conversation records show who used AI, what data was involved, what policy applied, and what happened next. Aurascape preserves them for investigations and NCUA exams.

Risk Assessment Checklist

Do a Quick Risk Assessment Yourself

  • Can prove enterprise-only AI accounts are enforced.
  • Prevents NPI leakage in AI prompts and responses, with audit-ready logs.
  • Governs embedded AI in SaaS and websites (not just standalone AI tools).
  • Maintains an AI app and agent inventory with continuously updated risk scoring.
  • Can export reports and answer queries related to AI usage control on-demand.
  • Maps AI security program controls to NIST AI RMF (Govern/Map/Measure/Manage).

Adopt AI With the Evidence to Prove It

See how Aurascape governs AI usage, protects member data inline, and keeps the records your examiners will ask for.