How to Align AI-Supported Workflows With Model Risk Management Guidelines

Model risk management guidance (SR 11-7, OCC Bulletin 2011-12, FDIC FIL-22-2017) applies to AI just as it applies to other models. Examiners are not waiting for AI-specific guidance. They are applying existing guidance directly.
Artificial Intelligence (AI)

What MRM Guidance Actually Requires

The supervisory expectations under SR 11-7, OCC Bulletin 2011-12, and FDIC FIL-22-2017 reduce to a recognizable set of disciplines: document the model; validate the model before deployment; monitor the model in operation; manage changes formally; maintain independent challenge.

In April 2026 the federal banking agencies issued revised, principles-based interagency model risk management guidance (SR 26-2, OCC Bulletin 2026-13). The revision modernizes the framework for AI and machine learning models while preserving the same core disciplines, which is why programs built on SR 11-7 translate directly.

AI does not need a new framework. It needs to be brought into the framework that already exists.

Step 1. Bring AI Into the Model Inventory

Every AI-supported workflow should appear in the institution's model inventory with the model name and version, the owner, the intended use and limitations, the risk tier, the validation status and next validation date, and the change history.

If an AI workflow is not in the inventory, the institution has a control gap regardless of how well the workflow performs.

Step 2. Document the Model Under Existing Standards

The MRM policy specifies what model documentation looks like. Apply the same standard to AI: purpose and scope; inputs and outputs; methodology at a level appropriate for the audience; limitations; validation evidence; performance monitoring approach.

Vendor-provided documentation is an input. The institution's documentation is the artifact. The OCC Comptroller's Handbook on Model Risk Management describes the documentation depth examiners look for.

Step 3. Apply Existing Risk Tiering

The existing MRM policy probably tiers models by risk. Apply the same tiering to AI: the decisions the model supports; the financial or compliance impact; the dependence on the model; the complexity. AI used to support credit decisions or compliance escalation is typically moderate or higher risk.

Step 4. Apply Existing Validation Expectations

The validation cadence and depth should match the tier. Initial validation before deployment, ongoing validation at the cadence the policy requires, and triggered re-validation on material changes.

Step 5. Apply Existing Change Management

The MRM policy specifies how model changes are managed. Apply the same to AI: material changes require formal evaluation; pre-change validation tests the proposed change; approvals follow the documented authority; documentation is updated; re-validation occurs as required.

For vendor-provided AI, the contract should provide material-change notification rights.

Step 6. Apply Existing Monitoring Discipline

Ongoing monitoring includes performance against expected behavior, override rates and patterns, exception trends, and operational issues. Monitoring findings feed back into validation and change management.

For AI used in BSA/AML workflows, SR 21-8 confirms these same model risk principles apply to BSA/AML systems.

Step 7. Maintain Independent Challenge

Effective challenge requires independence from the model owner. The model risk function (or internal audit at smaller institutions) reviews the validation work. The audit committee or appropriate governance body reviews material findings.

Where AI Specifically Changes the MRM Conversation

Data lineage. AI models depend on data more heavily than traditional models in some respects. Document the data lineage from source to inference layer.

Explainability. The MRM standard for explainability applies. AI that cannot be explained may not be appropriate for high-risk use cases. The NIST AI Risk Management Framework treats explainability and interpretability as core trustworthiness characteristics, and it is a useful complement to supervisory guidance here.

Vendor dependency. Vendor-provided AI introduces third-party model risk. The Interagency Guidance on Third-Party Relationships (SR 23-4) governs the relationship side, and contractual rights and ongoing oversight matter more.

Change velocity. Vendor models can change frequently. Material-change notification and formal evaluation discipline matter.

How StandardC AI Approaches This

StandardC AI is designed to be brought under existing model risk management frameworks rather than to require a parallel framework. Configurations are version controlled. Outputs are reproducible. Documentation aligned to SR 11-7 expectations is provided as part of the vendor due-diligence package.

Frequently Asked Questions

Does AI require a new MRM policy?

Usually not. Existing MRM policies typically cover AI with minor language updates.

How does this work for smaller institutions without dedicated model validation teams?

Internal audit or qualified third-party validators perform validation. The independence requirement matters more than the organizational chart.

What is the relationship between MRM and third-party risk management for vendor AI?

Both apply. MRM addresses the model itself. TPRM addresses the vendor relationship.

Authoritative Sources