AI model risk management in banking is no longer a back-office concern. Regulators at the Federal Reserve, OCC, and SEC have made clear that financial institutions using AI-driven models—for credit decisioning, portfolio management, fraud detection, or client recommendations—must apply the same disciplined oversight they apply to any other material risk. The gap between deploying a model and governing it properly is where examinations get painful. The compliance requirements your program needs to satisfy span regulatory baselines, validation frameworks, governance artifacts, third-party oversight, and the tooling that makes it operationally sustainable. For the broader regulatory context, see the SEC AI Examination Priorities for Investment Advisers.
What Regulators Actually Require from AI Model Risk Management Programs
The foundational document for model risk management in U.S. banking is SR 11-7, the Federal Reserve and OCC’s 2011 supervisory guidance on model risk management. Despite being issued before modern machine learning was mainstream, SR 11-7 remains the compliance baseline examiners apply to AI systems today. Its core demand: banks must have a sound model risk management framework covering model development, implementation, and use—with independent validation and strong governance at every stage.
For AI systems specifically, regulators have layered additional expectations on top of SR 11-7:
- The 2021 interagency Request for Information on financial institutions’ use of AI/ML (OCC, Federal Reserve, FDIC, NCUA, and CFPB; 86 FR 16837) signaled the regulators’ intent to apply existing model risk management frameworks — including SR 11-7 / OCC Bulletin 2011-12 — to machine learning and AI use cases. A final joint policy statement has not yet been issued.
- The Federal Reserve’s Supervision and Regulation Letter framework treats any quantitative method that produces an output used to make business decisions as a "model," which captures most AI and ML systems used in financial services.
- The SEC, through its Division of Examinations, has signaled that investment advisers using AI for portfolio construction, trade execution, or client communication face scrutiny over whether their model risk controls are commensurate with the materiality of those models.
What does "compliance" concretely mean under this framework? At minimum, your AI risk assessment banking program must:
- Maintain a complete inventory of all models in production, including AI/ML systems
- Classify each model by materiality and risk tier
- Conduct documented validation before deployment and on a recurring basis
- Establish independent review—meaning the team validating a model cannot be the team that built it
- Report model risk findings to senior management and the board
The AI risk assessment financial services standard is not aspirational—examiners will ask for evidence that each of these elements exists and functions. Gaps in any one area become findings.
Building an AI Model Validation Framework That Satisfies Examiners
An AI model validation framework for financial services has three required components under SR 11-7: conceptual soundness, ongoing monitoring, and outcomes analysis. Each takes on additional complexity when the model is an AI system rather than a traditional statistical model.
Conceptual soundness means validators must assess whether the model’s design is appropriate for its intended use. For an AI credit-scoring model, that means evaluating the training data, feature selection logic, and whether the model’s behavior generalizes appropriately to the population it will score. Examiners expect written documentation of this assessment—not just a sign-off that the model "works."
Ongoing monitoring is where many institutions fall short on AI model performance monitoring. Traditional models might be monitored quarterly. AI models, particularly those that learn from new data or operate in dynamic environments, may require continuous or near-real-time monitoring. Examiners will ask: What metrics are you tracking? What thresholds trigger a review? Who receives alerts when performance degrades?
Outcomes analysis (also called back-testing or benchmarking) requires comparing model predictions against actual outcomes over time. For AI models, this is complicated by the fact that outcomes may take months to materialize (e.g., loan defaults) and by the difficulty of isolating model performance from other variables.
AI model testing requirements under SEC examination standards add a fairness and bias dimension that traditional bank model validation frameworks often underweight. The SEC has indicated that AI models used in client-facing contexts—recommendations, portfolio construction, communications—must be tested for disparate impact and bias, not just predictive accuracy. This connects directly to the work on algorithmic fairness and bias testing requirements for financial services , which outlines the specific testing methodologies examiners expect.
For investment advisers specifically, the AI model validation compliance standard also requires that validation results be documented in a form that can be produced during an examination—not reconstructed after the fact.
Governance Controls and Documentation Your Audit Trail Must Include
Validation without governance is incomplete. Examiners reviewing AI model governance compliance are looking for a paper trail that demonstrates ongoing, active oversight—not a one-time review that was filed and forgotten. Six categories of documentation consistently surface in examiner requests.
Model inventory and classification records form the starting point. Every AI model in production must appear in a maintained inventory with its risk tier, intended use, owner, and validation status—and that inventory must be current, not a snapshot from last year’s audit.
Policies and procedures must define what constitutes a model, how models are approved for production, what triggers re-validation, and how exceptions are handled. Policies that exist but are not followed are a finding in themselves; examiners will test whether practice matches documentation.
Validation reports must document methodology, findings, limitations, and any conditions attached to approval. For AI models, these reports should address data quality, model explainability, and performance metrics specific to the model’s use case.
Challenge process documentation satisfies SR 11-7’s requirement that model assumptions and outputs be subject to challenge. For AI systems, this means recording who challenged the model’s logic, what questions were raised, and how they were resolved. An AI governance risk assessment tools infrastructure that captures this challenge process automatically is far more defensible than manual logs.
Board and senior management reporting must demonstrate that model risk reached the governance chain. Examiners will ask for evidence that the board or a designated committee received model risk reports and that material findings were escalated appropriately.
Change management logs cover any modification to a model in production—retraining on new data, adjusting thresholds, changing input features. This is a common gap: institutions validate models at deployment but fail to re-validate after material changes.
For a detailed breakdown of what SEC examiners specifically request during AI-related reviews, see the guidance on what SEC examiners ask about AI controls and audit trail documentation .
Managing Third-Party and Vendor AI Model Risk
A significant portion of AI model risk in financial services originates outside the institution. Vendor-provided credit scoring models, third-party robo-advisory platforms, and embedded AI features in core banking systems all create third-party AI risk management obligations that regulators treat as the institution’s own responsibility.
SR 11-7 is explicit: reliance on a third-party model does not transfer the institution’s model risk obligations. If you use a vendor’s AI model to make credit decisions, you are responsible for validating that model—or ensuring that validation has been conducted to a standard you can defend to examiners.
Four due-diligence requirements follow from that principle. Before deploying a third-party AI model, institutions should obtain the vendor’s model documentation, validation reports, and performance data; vendors who cannot or will not provide this information present an immediate governance problem. Contracts with AI model vendors should include rights to audit, access to model documentation, notification requirements for material model changes, and representations about validation practices. Third-party AI models must be included in the institution’s model inventory and subject to ongoing performance monitoring, because a model that performs well at deployment can degrade over time—and the institution, not the vendor, will answer for that degradation in an examination. Finally, institutions should assess their exposure to vendor concentration: regulators have begun flagging situations where multiple institutions rely on the same third-party AI model, creating systemic risk, and that analysis should be documented.
The AI model governance platform question becomes acute in the third-party context: institutions need a system that can track vendor models alongside internally developed models, log validation status, and surface monitoring alerts regardless of who built the model.
For the multi-regulator dimension of third-party AI oversight—including OCC, NYDFS, CFPB, and Federal Reserve expectations—see the overview of multi-regulator AI compliance for financial institutions .
Operationalizing Compliance with an AI Model Governance Platform
Policy requirements and operational reality diverge quickly without the right infrastructure. A manual approach to AI model monitoring and governance—spreadsheet inventories, email-based validation workflows, PDF reports stored in shared drives—creates audit risk even when the underlying compliance work is sound. Examiners cannot easily verify what they cannot easily see.
Purpose-built AI model governance platforms address this by centralizing the compliance workflow. A platform maintains a living inventory of all models, with metadata on risk tier, validation status, owner, and use case—so when an examiner asks "show me all AI models in production," the answer is a report, not a scavenger hunt. Automated monitoring tracks model performance metrics continuously and surfaces alerts when thresholds are breached, giving compliance teams the visibility they need without requiring manual review of every model every day. Validation workflows, challenge processes, and approval chains managed within the platform create an automatic audit trail: every action, every sign-off, every exception is logged with a timestamp and user attribution. Modern AI governance risk assessment tools also incorporate explainability analysis and fairness testing directly into the validation workflow, making it easier to document that these requirements were addressed. Platforms that accommodate vendor model records—including documentation received from vendors, validation findings, and monitoring results—close the gap that manual systems leave open.
For investment advisers and broker-dealers evaluating these platforms, the buyer’s guide to AI governance platforms for investment advisers and broker-dealers provides a structured comparison of capabilities and what to prioritize given SEC examination expectations.
The governance framework that underpins platform selection maps platform capabilities to specific regulatory requirements in the AI Governance Framework for Investment Advisers: Meeting SEC Examination Standards .
Assess Your Model Risk Posture Now
SR 11-7 obligations apply to AI systems. SEC examination priorities include AI model controls. Third-party AI risk is your risk. And the documentation standard examiners apply is one of contemporaneous, auditable evidence—not reconstructed explanations after the fact. Each of those realities has been true for years, and enforcement attention is increasing, not stabilizing.
If you are not certain your current program covers validation, governance, monitoring, and third-party oversight to the standard regulators expect, the time to find out is before an examination, not during one.
Download our AI Model Validation Checklist to assess where your program stands against examiner expectations—or request a platform demo to see how purpose-built AI model governance tooling can close the gaps between your policy requirements and day-to-day operations.
For the full regulatory context, including SEC examination priorities specific to investment advisers, return to the SEC AI Examination Priorities for Investment Advisers.