
How to Align AI-Supported Workflows With Model Risk Management Guidelines
What MRM Guidance Actually Requires
The supervisory expectations under SR 11-7, OCC Bulletin 2011-12, and FDIC FIL-22-2017 reduce to a recognizable set of disciplines: document the model; validate the model before deployment; monitor the model in operation; manage changes formally; maintain independent challenge.
In April 2026 the federal banking agencies issued revised, principles-based interagency model risk management guidance (SR 26-2, OCC Bulletin 2026-13). The revision modernizes the framework for AI and machine learning models while preserving the same core disciplines, which is why programs built on SR 11-7 translate directly.
AI does not need a new framework. It needs to be brought into the framework that already exists.
Step 1. Bring AI Into the Model Inventory
Every AI-supported workflow should appear in the institution's model inventory with the model name and version, the owner, the intended use and limitations, the risk tier, the validation status and next validation date, and the change history.
If an AI workflow is not in the inventory, the institution has a control gap regardless of how well the workflow performs.
Step 2. Document the Model Under Existing Standards
The MRM policy specifies what model documentation looks like. Apply the same standard to AI: purpose and scope; inputs and outputs; methodology at a level appropriate for the audience; limitations; validation evidence; performance monitoring approach.
Vendor-provided documentation is an input. The institution's documentation is the artifact. The OCC Comptroller's Handbook on Model Risk Management describes the documentation depth examiners look for.
Step 3. Apply Existing Risk Tiering
The existing MRM policy probably tiers models by risk. Apply the same tiering to AI: the decisions the model supports; the financial or compliance impact; the dependence on the model; the complexity. AI used to support credit decisions or compliance escalation is typically moderate or higher risk.
Step 4. Apply Existing Validation Expectations
The validation cadence and depth should match the tier. Initial validation before deployment, ongoing validation at the cadence the policy requires, and triggered re-validation on material changes.
Step 5. Apply Existing Change Management
The MRM policy specifies how model changes are managed. Apply the same to AI: material changes require formal evaluation; pre-change validation tests the proposed change; approvals follow the documented authority; documentation is updated; re-validation occurs as required.
For vendor-provided AI, the contract should provide material-change notification rights.
Step 6. Apply Existing Monitoring Discipline
Ongoing monitoring includes performance against expected behavior, override rates and patterns, exception trends, and operational issues. Monitoring findings feed back into validation and change management.
For AI used in BSA/AML workflows, SR 21-8 confirms these same model risk principles apply to BSA/AML systems.
Step 7. Maintain Independent Challenge
Effective challenge requires independence from the model owner. The model risk function (or internal audit at smaller institutions) reviews the validation work. The audit committee or appropriate governance body reviews material findings.
Where AI Specifically Changes the MRM Conversation
Data lineage. AI models depend on data more heavily than traditional models in some respects. Document the data lineage from source to inference layer.
Explainability. The MRM standard for explainability applies. AI that cannot be explained may not be appropriate for high-risk use cases. The NIST AI Risk Management Framework treats explainability and interpretability as core trustworthiness characteristics, and it is a useful complement to supervisory guidance here.
Vendor dependency. Vendor-provided AI introduces third-party model risk. The Interagency Guidance on Third-Party Relationships (SR 23-4) governs the relationship side, and contractual rights and ongoing oversight matter more.
Change velocity. Vendor models can change frequently. Material-change notification and formal evaluation discipline matter.
How StandardC AI Approaches This
StandardC AI is designed to be brought under existing model risk management frameworks rather than to require a parallel framework. Configurations are version controlled. Outputs are reproducible. Documentation aligned to SR 11-7 expectations is provided as part of the vendor due-diligence package.
Frequently Asked Questions
Does AI require a new MRM policy?
Usually not. Existing MRM policies typically cover AI with minor language updates.
How does this work for smaller institutions without dedicated model validation teams?
Internal audit or qualified third-party validators perform validation. The independence requirement matters more than the organizational chart.
What is the relationship between MRM and third-party risk management for vendor AI?
Both apply. MRM addresses the model itself. TPRM addresses the vendor relationship.
Authoritative Sources
- SR 11-7: Supervisory Guidance on Model Risk Management (Federal Reserve)
- OCC Bulletin 2011-12: Sound Practices for Model Risk Management
- FDIC FIL-22-2017: Adoption of Supervisory Guidance on Model Risk Management
- SR 26-2: Revised Interagency Guidance on Model Risk Management (April 2026)
- OCC Bulletin 2026-13: Model Risk Management, Revised Guidance
- OCC Comptroller's Handbook: Model Risk Management
- SR 21-8: Interagency Statement on Model Risk Management for BSA/AML Systems
- SR 23-4: Interagency Guidance on Third-Party Relationships, Risk Management
- NIST AI Risk Management Framework
.webp)

