Security Frontier

SR 11-7 Meets AI: What Bank Regulators Actually Expect Before You Deploy

See also (wiki): model-risk-management, agentic-ai-governance


Executive Summary

  • SR 11-7 is the 2011 Federal Reserve/OCC Supervisory Guidance on Model Risk Management. It was written for logistic regressions and scorecards. It is now the primary framework regulators are applying to AI, machine learning, and generative AI — without formal AI-specific rules in place as of April 2026.
  • The OCC Comptroller’s Handbook (Aug 2021) closes the most common loophole banks ask about: even when an AI system does not meet the formal “model” definition, “the associated risk management should be commensurate with the level of risk of the function that the AI supports.”
  • OCC Bulletin 2025-26 (Oct 6, 2025) gave community banks explicit relief on validation frequency. It does not mention AI. It does not reduce expectations for AI risk management — it reduces the presumption that every model needs annual validation at a small bank.
  • The GAO’s May 2025 report flagged NCUA as the regulatory outlier — its model risk guidance covers “only interest rate risk modeling” while banks, thrifts, and their service providers face comprehensive frameworks. Credit unions deploying AI under NCUA supervision operate in a guidance vacuum.
  • Generative AI breaks SR 11-7’s original assumptions in five places: opacity, drift speed, emergent behavior, data dependency, and bias. The framework accommodates AI, but only if validation, monitoring, and governance are re-engineered for AI’s failure modes — not copy-pasted from credit-scoring MRM playbooks.

What SR 11-7 Actually Requires

SR 11-7 defines a model as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” Model risk is “the potential for adverse consequences from decisions based on incorrect or misused model outputs and reports.”

Three pillars:

  1. Model development, implementation, and use. Sound theory, tested methodology, rigorous data quality assessment, thorough documentation.
  2. Model validation. Three components — conceptual soundness, ongoing monitoring and benchmarking, outcomes analysis including back-testing. Independent of the development team. Periodic review, conventionally annual.
  3. Governance. Board oversight, senior management ownership, internal audit, written policies, model inventory.

SR 11-7 contains no quantitative thresholds. Everything scales to the institution’s “size, nature, and complexity.” That flexibility is why the framework has survived 14 years of modeling innovation — and why examiners now reach for it when they see AI on your roadmap.

How AI Is Handled in the Existing Framework

The OCC Comptroller’s Handbook, Version 1.0 (August 2021), is the single most important document banks deploying AI need to read. It names AI directly — fraud detection, marketing, chatbots, credit underwriting, fair lending, robo-advising, trading algorithms, BSA/AML suspicious activity monitoring, robotic process automation, internal audit — and closes the “is this a model?” debate:

“Regardless of how AI is classified (i.e., as a model or not a model), the associated risk management should be commensurate with the level of risk of the function that the AI supports.”

Practical translation: the chatbot, the vendor-embedded fraud engine, and the internal LLM-based policy Q&A tool are all subject to proportional controls even if your model risk committee never inventories them. Examiners are not going to accept “it’s not technically a model” as a reason for the absence of validation, monitoring, or documentation.

What Changed in 2025: OCC Bulletin 2025-26

On October 6, 2025, the OCC issued Bulletin 2025-26 clarifying that community banks have discretion to tailor MRM practices. The bulletin eliminates the assumption that every model requires annual validation: “the OCC will not provide negative supervisory feedback to a bank solely for the frequency or scope of the model validation that the bank reasonably determined to perform based on the bank’s risk exposures.”

Two things this bulletin is not:

  • It is not AI guidance. It does not mention AI.
  • It is not a reduction in expected rigor. It is a clarification that rigor must be proportional — which is what SR 11-7 already said. The OCC’s broader MRM guidance review was announced the same month. Expect updated expectations before the framework gets formally revised.

Where Generative AI Breaks the Framework

SR 11-7’s validation model assumes a deterministic model: same input, same output, and a drift trajectory slow enough to catch with quarterly back-testing. Generative AI breaks five of those assumptions at once.

| SR 11-7 Assumption | Generative AI Reality |
| --- | --- |
| Outputs are reproducible | Non-deterministic by design; the same prompt can produce different responses |
| Conceptual soundness is documentable | Billions of parameters resist straightforward explanation |
| Drift is detectable at quarterly cadence | Usage pattern and data distribution shifts can invalidate outputs in weeks |
| Validation is a point-in-time activity | Continuous monitoring is the only defensible approach |
| Bias tests against known protected classes suffice | Training data bias can emerge through second-order interactions invisible to standard fairness audits |

Supervisory expectations for 2026 converge on the same answers the practitioner community has been writing about since 2023:

  • Complete AI inventory that includes vendor-embedded systems and fintech-partner models, not just internally developed models.
  • Risk tiering that accounts for opacity, data volume, drift potential, and consumer impact — not just materiality of the output.
  • Continuous monitoring with automated performance and fairness metric tracking, replacing quarterly validation for consumer-facing and credit-relevant AI.
  • Contractual oversight of third-party AI with independent validation rights.
  • Board reporting that distinguishes traditional model risk from AI-specific failure modes.

The Bank Policy Institute’s October 2025 response to the OSTP AI RFI made this explicit: supervisors “must acknowledge the fundamental non-deterministic nature of GenAI models when evaluating banks’ use of AI, which necessitates the use of risk management frameworks and outcome analysis rather than an over-reliance on controls.”

The Community and Regional Bank Problem

Bank size is the single biggest predictor of AI readiness. The Temenos/Hanover 2025 survey (n=400+ banks) found:

| Bank Size | GenAI Live or in Pipeline |
| --- | --- |
| >$250B assets | 79% |
| $50B–$250B assets | 75% |
| <$10B assets | ~40% |

Community banks face a structural problem the large banks do not: three core service providers serve more than 70% of U.S. depository institutions (Community Banking Research Conference, 2025). AI lands in community banks through core provider product releases — fraud monitoring, underwriting, alert triage — often with limited disclosure on model logic, training data, or governance. The community bank then carries regulatory exposure for a model it cannot validate.

The GAO’s May 2025 report identifies NCUA as the acute gap. NCUA’s model risk guidance covers “only interest rate risk modeling,” and NCUA lacks statutory authority to examine third-party service providers. Credit unions deploying AI — directly or through their core provider — operate in a supervisory space where guidance is thin and examination authority over the actual AI producer is absent.

What Examiners Are Actually Enforcing in 2025–2026

Based on practitioner reports from ModelOp, Equinox Compliance, Treliant, and the Bank Policy Institute:

  1. Inventory completeness. The first question is always: can you produce a complete inventory of AI systems in use, including those embedded in third-party products?
  2. Independent validation with AI-specific scope. Conceptual soundness for AI means training data documentation, feature selection rationale, explainability approach, and fairness testing — not a recomputation of a regression.
  3. Monitoring frequency. Quarterly is not enough for consumer-facing or credit-relevant generative AI. Automated performance and fairness monitoring is the emerging standard.
  4. Third-party model governance. “We bought it from a vendor” is not a defense. Examiners expect contractual rights to validate and evidence of effective oversight.
  5. Board and senior management ownership. Reporting must distinguish AI risk from traditional model risk. A single aggregate model risk number buried in a quarterly risk report is not sufficient.

Key Data Points

| Data Point | Source | Date |
| --- | --- | --- |
| Community bank GenAI adoption (live or pipeline) | Temenos/Hanover, n=400+ | 2025 |
| Large bank (>$250B) GenAI adoption | Temenos/Hanover | 2025 |
| Banks actively launched or soft-launched GenAI | EY-Parthenon GenAI in Banking, n=undisclosed | 2025 |
| Credit union AI-driven approval lift for women and people of color | GAO-25-107197 | May 2025 |
| Core service provider concentration (% of depositories served by top 3) | Community Banking Research Conference | 2025 |
| OCC AI language in Comptroller’s Handbook | OCC Handbook MRM v1.0, pp. 3–4 | Aug 2021 |
| OCC community bank MRM validation relief | OCC Bulletin 2025-26 | Oct 6, 2025 |
| NCUA MRM guidance scope | GAO-25-107197 | May 2025 |

All figures are practitioner- or regulator-reported. The OCC Handbook is authoritative; the Temenos and EY-Parthenon surveys are vendor-sponsored and should be treated as directional rather than definitive.

What This Means for Your Organization

If you are a regional bank, credit union, or insurer asking “what does our regulator expect before we deploy this?” — the answer is less about AI-specific rules and more about how SR 11-7’s existing pillars apply to a model type they were not originally written for. Three things matter most:

First, the definition fight is over. The OCC Handbook explicitly applies risk management to AI whether or not it meets the formal model definition. Institutions that are still debating whether their chatbot or vendor-embedded fraud engine is “a model” are spending time on the wrong question. The right question is: what are the consequences if this AI is wrong, and what controls are proportional to those consequences?

Second, validation has to be redesigned, not just renamed. The standard quarterly independent review is an artifact of a model world where drift was slow and outputs were reproducible. Generative AI and modern ML demand continuous monitoring, automated fairness tracking, and documentation of training data provenance. Institutions that port their consumer credit scoring MRM playbook directly onto an LLM-based product will be found wanting.

Third, vendor-embedded AI is your problem. The community bank that receives AI through a core service provider still carries the fair lending and safety-and-soundness exposure. Contracting rights to validate, audit, and restrict model use are where the work is. This is where mid-market banks have the least leverage and the most risk.

If this raised questions specific to your institution’s AI deployment posture or model risk framework, I’d welcome the conversation — brandon@brandonsneider.com.

Brandon Sneider | brandon@brandonsneider.com April 2026