FAQ - Freddie Mac - AI Governance Requirements
January 22, 2026 BY MQMR Blogger
Question: With the use of Artificial Intelligence (AI) becoming more common in the mortgage industry, have the agencies provided any guidance on responsible use and oversight requirements for AI?
Answer:
Yes. In December 2025, Freddie Mac published Bulletin 2025-16, which announced that it would be updating its Single-Family Seller/Servicer Guide (Section 1302.2 and Section 1302.8) to require approved sellers/servicers to establish a comprehensive governance framework for the responsible development, deployment, and oversight of AI and machine learning (ML) systems. The updates become effective on March 3, 2026 and include, among other requirements, that approved sellers/servicers must:
- Include AI-powered tactics (i.e. deepfakes, targeted phishing content) and threats to AI systems (i.e. model inversion, data poisoning, prompt injection) as part of a seller’s/servicer’s annual information security awareness training content.
- Establish clear policies and codes of conduct to ensure the following:
  - The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures and practices;
  - Processes, procedures and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance; and
  - The risk management process and its outcomes are established through transparent policies, procedures and other controls based on organizational risk priorities.
- Conduct regular internal and external audits to identify any potential vulnerabilities or deviations from established policies. Ongoing monitoring and periodic review of the risk management process and its outcomes must be planned and organizational roles and responsibilities clearly defined, including determining the frequency of periodic review.
- Conduct audits to ensure compliance with standards like National Institute of Standards and Technology (NIST) 800-53 and International Organization for Standardization 27001.
- Regularly monitor AI systems for performance, security breaches and biases.
- Apply segregation of duties to prevent conflicts of interest.