AEGISAI

AI model risk governance

Last reviewed: June 18, 2026 by Grant Holloway.

AI Model Risk Governance

AI and model-related use cases need governance that covers ownership, inventory, validation, performance monitoring, change control, and documentation. Current model-risk work should position SR 26-2 / OCC Bulletin 2026-13 as the current reference point while retaining SR 11-7 mapping where older policies, workpapers, or committee materials still rely on it.

Current model risk expectations

Current model risk language should reflect updated supervisory expectations, including SR 26-2 / OCC Bulletin 2026-13, while retaining SR 11-7 mapping where legacy documentation still uses it. The practical focus is whether material AI and model-driven tools are inventoried, risk-tiered, validated or reviewed, monitored, documented, and reported.

  • Identify whether each AI use case meets the institution's model definition.
  • Risk-tier models based on materiality, complexity, use, data, and customer impact.
  • Define validation, monitoring, and review depth based on risk tier.
  • Report material model-risk gaps to the right management or board forum.

Evidence to maintain

Useful evidence includes model inventories, validation records, assumptions and limitations, monitoring results, change logs, vendor documentation, committee approvals, exception records, and issue remediation status. The evidence should be traceable from initial approval through ongoing monitoring and decommissioning.

Vendor and embedded models

Many AI models are embedded in third-party systems. The institution may not control training or architecture, but it still needs enough evidence to decide whether the tool is appropriate for its intended use. Vendor model governance should connect third-party risk and model risk instead of leaving each team with half the picture.

Find My Top Governance Gaps

Take the free assessment to turn this topic into a readiness score, domain-level results, and prioritized gap summary.

Get My Free AI Governance Score

Important limitation

AI Model Risk Governance is an informational planning resource for regulated financial institutions. It does not determine legal compliance, regulatory sufficiency, audit conclusions, supervisory outcomes, model validation status, privacy compliance, security adequacy, or control effectiveness. Institutions should adapt the guidance to their use cases, vendors, data, governance structure, and risk profile with qualified legal, compliance, audit, security, privacy, and model risk advisors.

Last reviewed: June 18, 2026 by Grant Holloway. Review scope: regulatory currency, practical applicability for financial institutions, and alignment with the AegisAI governance methodology.

Cookies and analytics

We use cookies and similar technologies for site analytics, session quality review, purchase measurement, and future ad measurement. You can accept or decline optional tracking.