AI model risk governance
Last reviewed: June 18, 2026 by Grant Holloway.
AI Model Risk Governance
AI and model-related use cases need governance that covers ownership, inventory, validation, performance monitoring, change control, and documentation. Current model-risk work should position SR 26-2 / OCC Bulletin 2026-13 as the current reference point while retaining SR 11-7 mapping where older policies, workpapers, or committee materials still rely on it.
Current model risk expectations
Current model risk language should reflect updated supervisory expectations, including SR 26-2 / OCC Bulletin 2026-13, while retaining SR 11-7 mapping where legacy documentation still uses it. The practical focus is whether material AI and model-driven tools are inventoried, risk-tiered, validated or reviewed, monitored, documented, and reported.
- Identify whether each AI use case meets the institution's model definition.
- Risk-tier models based on materiality, complexity, use, data, and customer impact.
- Define validation, monitoring, and review depth based on risk tier.
- Report material model-risk gaps to the right management or board forum.
Evidence to maintain
Useful evidence includes model inventories, validation records, assumptions and limitations, monitoring results, change logs, vendor documentation, committee approvals, exception records, and issue remediation status. The evidence should be traceable from initial approval through ongoing monitoring and decommissioning.
Vendor and embedded models
Many AI models are embedded in third-party systems. The institution may not control training or architecture, but it still needs enough evidence to decide whether the tool is appropriate for its intended use. Vendor model governance should connect third-party risk and model risk instead of leaving each team with half the picture.
Find My Top Governance Gaps
Take the free assessment to turn this topic into a readiness score, domain-level results, and prioritized gap summary.
Get My Free AI Governance ScoreImportant limitation
AI Model Risk Governance is an informational planning resource for regulated financial institutions. It does not determine legal compliance, regulatory sufficiency, audit conclusions, supervisory outcomes, model validation status, privacy compliance, security adequacy, or control effectiveness. Institutions should adapt the guidance to their use cases, vendors, data, governance structure, and risk profile with qualified legal, compliance, audit, security, privacy, and model risk advisors.
Last reviewed: June 18, 2026 by Grant Holloway. Review scope: regulatory currency, practical applicability for financial institutions, and alignment with the AegisAI governance methodology.