
How to Validate AI Outputs in Regulated Banking Environments
What Validation Is Supposed to Demonstrate
Validation should demonstrate that the model performs as designed; the model is appropriate for its intended use; limitations are documented and understood; performance is monitored over time; changes are managed and re-validated as needed. These are the core expectations of SR 11-7, its OCC counterpart OCC Bulletin 2011-12, and the FDIC's adoption of the same framework in FIL-22-2017. In April 2026 the agencies issued revised, principles-based interagency model risk management guidance (SR 26-2, OCC Bulletin 2026-13) that carries these same disciplines forward for AI and other modern model types.
The complexity of the model does not change these expectations. It changes the techniques used to meet them.
Step 1. Define the Model and the Use Case
Before any validation activity, document the model's purpose and scope; document the decision the model supports and the decision it does not; document the inputs, outputs, and logic at a level appropriate for the audience; document the limitations explicitly.
This documentation is the foundation. Validation tests against the documented expectation, not against an undocumented one. A model without a documented expectation cannot fail validation, which means it also cannot pass it.
Step 2. Reproducibility Testing
For deterministic AI, reproducibility testing is straightforward: run the same case through the model multiple times; confirm identical outputs; document any deviations.
For systems with probabilistic components, document the expected variance, test against it, and document the controls that manage it.
Reproducibility is the foundation of validation. If outputs are not reproducible, the validation conclusions are not stable.
Step 3. Sample-Based Output Review
Internal audit or model validation samples outputs and reviews the output's reconciliation to the source evidence, the citation completeness, the logic applied versus the documented expectation, and the classification of any flags or recommendations.
The sample size depends on the volume and risk of the model. Document the sampling methodology. The OCC Comptroller's Handbook on Model Risk Management gives examiners a detailed view of what sound validation work looks like, and it is a useful benchmark for calibrating your own program.
Step 4. Override-Rate Monitoring
Track the rate at which reviewers override the model's recommendations, the direction of overrides, and the reasons documented for overrides.
Override patterns are signals. Frequent overrides in one direction may indicate the model is miscalibrated, the policy has changed, or the reviewer is making decisions outside the policy. All three possibilities warrant investigation, and only one of them is a model problem.
Step 5. Outcome Testing Where Applicable
For models that recommend ratings, classifications, or escalations, compare model outputs to subsequent outcomes: Did the credit risk rating correlate with actual performance? Did the EDD flag surface real risk? Did the discrepancy detection identify items that mattered in workout?
Outcome testing connects validation to reality. It is also where the model earns or loses institutional trust over time.
Step 6. Stress and Edge-Case Testing
Validation should include intentional stress and edge cases: unusual document combinations, borderline policy thresholds, high-complexity ownership structures, adversarial inputs.
The point is to confirm the model behaves predictably in conditions it does not see often. The NIST AI Risk Management Framework offers a useful vocabulary for structuring this kind of testing, particularly its emphasis on validity and reliability under varied operating conditions.
Step 7. Document and Report
Validation findings are documented with the methodology used, the sample composition, the findings, the recommendations, and the remediation tracking. The validation report is reviewed by the model owner, the model risk function, and senior management at the appropriate cadence.
For AI used in BSA/AML workflows specifically, SR 21-8 confirms that these model risk principles apply to BSA/AML systems, with flexibility for the risk-based nature of those programs.
What Validation Is Not
Validation is not acceptance testing during procurement; not a one-time activity before deployment; not a purely vendor-provided artifact; not internal audit's only check on the model.
Validation is an ongoing discipline. It sits inside the broader model risk framework, and it depends on the vendor transparency examined in conducting vendor due diligence for AI identity and verification providers.
How StandardC AI Approaches This
StandardC AI supports validation by producing reproducible, evidence-grounded, citation-backed outputs. Configurations are version controlled, which lets validation testing reproduce specific outputs against the configuration that was in effect at the time. The platform provides the kind of structured documentation that aligns with SR 11-7 expectations for model documentation.
Frequently Asked Questions
Who should perform validation?
An independent function appropriate to the institution's size. The function must be independent of the model owner.
How often should validation occur?
Initial validation before deployment. Ongoing validation at the cadence the model risk policy requires, with triggered re-validation on material changes.
Does vendor-provided validation documentation suffice?
It is an input. The institution remains accountable for validating the model in its specific use environment.
Authoritative Sources
- SR 11-7: Supervisory Guidance on Model Risk Management (Federal Reserve)
- OCC Bulletin 2011-12: Sound Practices for Model Risk Management
- FDIC FIL-22-2017: Adoption of Supervisory Guidance on Model Risk Management
- SR 26-2: Revised Interagency Guidance on Model Risk Management (April 2026)
- OCC Bulletin 2026-13: Model Risk Management, Revised Guidance
- OCC Comptroller's Handbook: Model Risk Management
- SR 21-8: Interagency Statement on Model Risk Management for BSA/AML Systems
- NIST AI Risk Management Framework
.webp)

