How SR 11-7 Applies to AI/ML Models: What Compliance Teams Need to Know

By Amber de Volk

SR 11-7 was issued in 2011 by the Federal Reserve. The models it was designed to govern (logistic regressions, scorecards, cash flow projections) look nothing like the AI and machine learning systems financial institutions are deploying today. The guidance applies to all banking organizations supervised by the Federal Reserve and the OCC.

The guidance itself has not been updated, but examiner expectations have. And in February 2026, the Treasury’s Artificial Intelligence Executive Oversight Group (AIEOG) released a suite of AI-specific resources for financial services, including a standardized AI lexicon and a financial services adaptation of the NIST AI Risk Management Framework. These resources do not replace SR 11-7, but they signal where regulatory expectations are heading. The regulatory landscape for AI in banking is evolving, with frameworks like the EU AI Act complementing SR 11-7.

Model risk can lead to adverse consequences such as financial loss, poor business and strategic decision-making, or damage to a banking organization’s reputation. The gap between what SR 11-7 says on paper and what regulators now expect in practice is where compliance teams need to be prepared.

What SR 11-7 actually requires

SR 11-7 (and OCC 2011-12) establishes three pillars for model risk management and applies to all banking organizations supervised by the Federal Reserve and the OCC:

  1. Model development and implementation. Models must be built on sound theory, tested against data, and documented thoroughly enough that someone outside the development team can understand how they work.
  2. Model validation. An independent party must evaluate conceptual soundness, data integrity, and performance accuracy. Validation must be ongoing, not a one-time event.
  3. Governance and controls. Senior management and the board must understand aggregate model risk, set risk appetite, and ensure the organization has policies, procedures, and reporting structures to manage it. Meeting these regulatory requirements is essential for managing model risk, as it ensures compliance with supervisory expectations and helps mitigate potential financial and reputational harm.

Regulators have made clear that these principles are broad enough to apply to AI. The challenge is in the execution.

Where AI creates gaps in traditional SR 11-7 programs

Most model risk management programs were built around traditional statistical models. Those programs typically have documentation templates, validation checklists, and monitoring dashboards that assume a few things about the models they govern:

  • Inputs are known and interpretable
  • Outputs are deterministic and reproducible
  • Model logic can be fully documented
  • Performance is relatively stable over time

However, AI and machine learning models introduce potential risks and may be classified as high risk because of their inherent complexity and opacity, and organizations must address those risks. This makes model oversight and sound governance essential to ensure transparency, fairness, and effective risk management. Rather than replacing their existing MRM framework, most organizations should focus on extending it to address AI-specific challenges by incorporating continuous monitoring, rigorous validation, and specialized governance practices.

AI models break these assumptions.

Opacity

Machine learning models, and especially deep learning and large language models, produce outputs through processes that resist straightforward explanation. A logistic regression has coefficients. A neural network has millions of parameters. The documentation standards that work for one do not work for the other.

For opaque AI models, effective challenge and domain expertise are critical for validation work. Having knowledgeable professionals conduct independent validation work ensures that model limitations and assumptions are properly identified, which is essential for sound model validation in regulated financial environments.

AI Model Drift

Traditional models degrade slowly and predictably. AI models can drift rapidly as data distributions shift, and the drift may not be visible in aggregate performance metrics. By the time a quarterly validation catches the issue, the model may have been producing unreliable outputs for weeks.

To address this, periodic review and continuous monitoring of model performance are essential to ensure ongoing reliability and regulatory compliance. Ongoing monitoring helps detect issues early, ensuring models remain effective and meet regulatory expectations.

Emergent behavior

Large language models and agentic AI systems can produce outputs that were not anticipated during development or testing. Generative AI in particular can generate novel and unexpected responses, and traditional validation frameworks do not account for systems that behave this way. It is important to recognize that AI and statistical models in banking always carry a degree of uncertainty.

Data dependency

AI models consume vastly more data than traditional models, and their performance is tightly coupled to input data quality, completeness, and representativeness. Ensuring proper documentation of data provenance and feature engineering decisions is essential for achieving reproducibility and supporting robust model risk management. Data governance becomes a model governance issue.

Fairness and bias

AI models can encode and amplify biases present in training data in ways that are difficult to detect through standard testing. The fair lending and consumer protection implications are significant, particularly for credit, pricing, and marketing models. Responsible AI practices—including strong governance, transparency, and ethical considerations—are essential to address fairness and bias in these contexts.

What examiners are actually looking for

Regulatory agencies are enhancing examiner training on AI and model risk, increasing pressure on financial institutions to comply with new standards. These regulatory agencies are also requiring institutions to adhere to model risk management standards, including oversight of third-party AI services, as part of evolving compliance obligations across various jurisdictions. Examiners are not asking whether your model risk framework mentions AI. They are asking whether your framework operationally accounts for AI’s distinct risk characteristics.

Specific areas where we see examiners pressing harder:

Model inventory completeness

Does the inventory include all AI models, including those embedded in vendor platforms, fintech partner systems, and operational tools? Many organizations have AI models in production that have never been added to the model inventory.

Independent validation of AI models

Is validation truly independent, and does it address AI-specific concerns like explainability, data quality, and drift? Examiners are distinguishing between organizations that validate AI models using traditional checklists and those that have adapted their validation methodology.

Documentation depth

Can the organization explain how an AI model was built, what data it was trained on, how features were selected, and what its known limitations are? “Proprietary” is not an acceptable answer during an exam; the right model documentation is.

Ongoing monitoring

Are monitoring programs designed to catch AI-specific failure modes like drift, data quality degradation, and fairness metric shifts? Quarterly reviews are often insufficient for AI models that can change behavior between review cycles.

Board reporting

Does aggregate model risk reporting distinguish between traditional and AI models? Does the board understand the institution’s AI model landscape and its associated risks?

How the Treasury’s new AI guidance connects to SR 11-7

The Treasury’s AIEOG resources are not a replacement for SR 11-7; they are a complement. SR 11-7 remains the supervisory framework for model risk management. The AIEOG materials fill in the AI-specific gaps that SR 11-7 was never designed to address.

This reflects the evolving regulatory landscape, where regulators are increasingly focused on establishing clear rules and guidelines for managing model risk in banking organizations. The regulatory approach to AI governance is also part of a global trend, with various jurisdictions adopting similar frameworks to ensure effective oversight and compliance.

Three connections compliance teams should understand:

A shared artificial intelligence vocabulary

The AIEOG AI Lexicon standardizes terms like “model risk,” “validation,” “explainability,” and “drift” in the context of AI and financial services. If your compliance, risk, and technology teams are using these terms differently, that inconsistency creates documentation and governance risk. Adopting the lexicon as a baseline reduces friction and strengthens your SR 11-7 documentation.

A risk-to-controls bridge

The Financial Services AI Risk Management Framework maps AI risks to 230 control objectives, organized by adoption maturity. For institutions that already have an SR 11-7 program in place, this mapping provides a structured way to extend existing model risk controls to cover AI-specific risks like opacity, data dependency, and emergent behavior. A step-by-step guide can be especially valuable here, offering a practical roadmap for systematically adapting and enhancing controls to address the unique challenges posed by AI and machine learning models.

Examiner expectations are converging

Even though these resources are voluntary, they represent the consensus view of regulators and senior financial institution executives. Examiners will reference them. Institutions that have assessed their programs against the AIEOG framework will be better positioned than those that have not.

For a deeper breakdown of what the Treasury released and what to do about it, see our full analysis.

Building an SR 11-7 program that accounts for AI

Compliance teams do not need to abandon their existing model risk management (MRM) framework. They need to extend it. As financial institutions increasingly integrate AI services and machine learning into their operations, it is essential to focus on managing model risk for these advanced systems. Institutions should expand their definition of ‘model’ to explicitly include AI and machine learning systems to ensure compliance with SR 11-7. Here is where to focus:

Expand the model definition

Model risk management must adapt to include AI and automated decision systems as part of the model inventory. Review your model risk policy’s definition of “model.” If it does not explicitly include machine learning, large language models, and agentic AI systems, update it. Be specific about what qualifies as a model versus a tool, and err on the side of inclusion.

Tier models by risk, including AI-specific factors

Risk tiering should account for AI-specific characteristics: opacity, data volume, drift potential, and consumer impact. A high-volume AI underwriting model requires more intensive governance than a low-risk reporting automation. High risk models require specialized governance, including stress testing and explainability assessments, to ensure effective risk management and compliance with regulatory frameworks.

Adapt model documentation standards

Create documentation templates for AI models that capture training data provenance, feature engineering decisions, hyperparameter choices, interpretability approaches, and known failure modes. Proper documentation is essential for achieving reproducibility, which requires maintaining rigorous records of training data provenance and all feature engineering decisions. Traditional model documentation templates are insufficient for AI.

Redesign validation for AI

Validation of AI models should include explainability testing, bias and fairness assessments, stress testing under distribution shift scenarios, and evaluation of model behavior at edge cases. The validation team needs the technical expertise to challenge AI models, not just review documentation.

Increase monitoring frequency

AI models may require continuous or near-continuous monitoring rather than quarterly reviews. Build automated monitoring that tracks performance metrics, data quality indicators, and fairness metrics with defined thresholds and escalation triggers. Ongoing monitoring of models is necessary to ensure they remain reliable over time and adapt to changing market conditions.

Address third-party AI risk

If your institution uses AI models built by vendors or fintech partners, your SR 11-7 program must include oversight of those models. This means contractual access to documentation, independent validation rights, and ongoing performance data. You cannot outsource model governance to the model builder. The ultimate responsibility for model-driven decisions remains with the board and senior leadership, even for outsourced AI systems.

The bottom line

SR 11-7 is principles-based enough to cover AI. But the programs most organizations built under SR 11-7 were not designed with AI and model development in mind. The compliance teams that will perform best under examination are the ones proactively extending their model risk frameworks now, before the examiner asks the question.
