AEGISAI

SR 11-7 AI model risk checklist

SR 11-7 Model Risk Management Compliance 2026

Use the SR 11-7 AI Model Risk Checklist to turn model inventory, validation, monitoring, documentation, and effective-challenge expectations into a practical evidence file.

Free resource

Download the SR 11-7 AI Model Risk Checklist

Enter your email and get the free checklist for model inventory, validation evidence, monitoring, vendor model documentation, and SR 26-2 continuity mapping.

We'll email the requested resource and may send governance updates. Unsubscribe any time. See our privacy policy and terms.

Use it as a continuity bridge between legacy SR 11-7 model risk programs and current SR 26-2 AI governance expectations.

Why SR 11-7 still matters for AI

SR 11-7 gave banks a practical model risk foundation: keep a complete model inventory, validate models before use, monitor performance, document assumptions and limitations, maintain effective challenge, and report material model risk to governance bodies.

AI has changed the operating environment, but not the need for evidence. A bank using AI-enabled fraud tools, underwriting support, AML alerting, marketing models, customer-service automation, analytics, or vendor-embedded models still needs to show what the model does, who owns it, whether it is appropriate for use, and how it is monitored.

The highest-value first step is a reviewable checklist. It turns model risk language into fields, evidence requests, owners, and due dates that compliance, model risk, vendor management, audit, and leadership can act on.

What the free SR 11-7 AI checklist covers

The checklist is designed for teams that need a fast, practical way to translate SR 11-7 model risk expectations into AI governance evidence. It is especially useful when model risk policies, validation workpapers, audit programs, and board materials still use SR 11-7 language.

Use it to identify missing inventory fields, stale validation evidence, weak monitoring, unclear ownership, vendor documentation gaps, and reporting needs before an audit, exam, committee meeting, or model-risk review.

  • Model and AI system inventory fields
  • Ownership, intended use, and limitations
  • Risk tiering and customer-impact flags
  • Validation, review, and effective-challenge evidence
  • Monitoring metrics, thresholds, and change history
  • SR 11-7 continuity mapping to current SR 26-2 expectations

How to use the checklist

Start by listing internal models, vendor-provided models, embedded AI features, employee-use AI tools, pilots, and production workflows where outputs influence decisions, controls, reports, or customer outcomes.

Then classify each item by risk and materiality. Credit, fraud, AML, compliance monitoring, regulatory reporting, cybersecurity, customer-impacting, and critical-operations use cases should receive deeper review than low-risk productivity uses.

Finally, convert missing answers into remediation items. A blank owner, stale validation date, missing vendor evidence, undefined monitoring metric, or unreported board issue should become a tracked action with an accountable owner and due date.

SR 11-7 AI checklist preview

Use these questions to screen model risk documentation before a formal validation, audit, exam request, or board-risk update.

  1. 1Is every AI-enabled model or model-driven process captured in a centralized inventory?
  2. 2Does each model have a named business owner and model risk owner?
  3. 3Is the intended use documented, including limitations and prohibited uses?
  4. 4Has the model been risk-tiered by materiality, customer impact, complexity, and data sensitivity?
  5. 5Is independent validation or proportionate review evidence available before production use?
  6. 6Are performance, drift, override, exception, and issue metrics monitored on a defined cadence?
  7. 7Are vendor-provided models supported by documentation, testing evidence, and change notifications?
  8. 8Are material model changes, retraining events, vendor releases, and threshold changes logged?
  9. 9Can audit trace a high-risk model from approval through validation and ongoing monitoring evidence?
  10. 10Are legacy SR 11-7 references mapped to current SR 26-2 model risk governance language?

Free SR 11-7 AI model risk checklist

The checklist helps model risk, compliance, vendor management, and audit teams identify which AI systems need inventory updates, validation evidence, monitoring thresholds, vendor documentation, or SR 26-2 remapping.

FAQ

What is SR 11-7?

SR 11-7 is the Federal Reserve and OCC supervisory guidance on model risk management. It established durable expectations for model inventory, validation, governance, effective challenge, documentation, monitoring, and board or senior management oversight.

Does SR 11-7 cover AI and machine learning?

SR 11-7 was written before today's AI adoption curve, but its model risk principles still matter when AI or machine learning systems materially support decisions, controls, reporting, fraud detection, compliance monitoring, or customer-impacting workflows.

What is the difference between SR 11-7 and SR 26-2?

SR 11-7 remains an important continuity reference for legacy model risk programs, while SR 26-2 and related 2026 model risk language provide current terminology for AI-enabled, vendor-provided, and rapidly changing model environments. Many institutions should map older SR 11-7 artifacts to current SR 26-2 expectations.

Turn SR 11-7 model risk language into AI governance evidence.

Start with the checklist, then use the readiness assessment and Starter Kit to prioritize ownership, documentation, validation, monitoring, and board reporting gaps.

Related AI governance resources

Important limitation

SR 11-7 Model Risk Management Compliance 2026 is for informational and educational purposes only. It does not constitute legal, regulatory, audit, supervisory, model validation, privacy, security, or compliance advice. Institutions should consult qualified counsel and risk, compliance, audit, privacy, security, and model risk professionals regarding their specific obligations.

  • Keep SR 11-7 continuity where legacy files rely on it.
  • Map AI models and vendor models to current SR 26-2 expectations.
  • Track validation, monitoring, and change evidence.
  • Prepare a clear model risk update for audit, exam, or board review.

Cookies and analytics

We use cookies and similar technologies for site analytics, session quality review, purchase measurement, and future ad measurement. You can accept or decline optional tracking.