SR 11-7 for AI Models: Regulatory Expectations

SR 11-7, issued by the Federal Reserve and other federal banking agencies, establishes supervisory expectations for model risk management in financial institutions. Though originally crafted for traditional quantitative models, its principles apply increasingly to AI and machine learning (ML) models. Financial services organizations deploying AI systems must align with SR 11-7 to satisfy regulatory scrutiny and control model-related risks.

1. Scope of SR 11-7 as applied to AI models

SR 11-7 defines a 'model' broadly as a quantitative method to inform business decisions. AI models, including supervised ML classifiers or generative language models used in credit risk scoring, fraud detection, or customer service, fall under this scope. The guidance mandates a comprehensive model risk management (MRM) framework covering development, implementation, use, and validation phases.

SR 11-7's approach to model risk focuses on two dimensions: model development and implementation risk, and model use risk. AI models introduce specific challenges due to complexity, non-deterministic outcomes, and potential data biases, which heighten model risk. Institutions must adapt existing MRM programs to incorporate AI-specific controls.

2. Model risk management elements under SR 11-7 for AI

SR 11-7 outlines several core elements that risk teams should tailor for AI models.

• Strong governance and oversight including clear model ownership roles and responsibilities.
• Robust model development practices ensuring transparency, documented assumptions, and rigorous testing.
• Independent model validation focusing on performance, accuracy, and compliance with intended use.
• Ongoing monitoring to detect model degradation, data drift, or changing business conditions.
• Risk identification specific to AI, such as assessing data quality, algorithmic bias, and explainability.

Risk teams should partner with data science, compliance, and operations groups to implement these controls and meet SR 11-7 expectations.

3. Validation considerations unique to AI models

Model validation under SR 11-7 requires an independent review of AI models that addresses their unique features. Validators must assess training data representativeness, model complexity, feature engineering, and performance stability.

Explainability and interpretability are critical validation areas for AI, particularly for neural networks or ensemble methods. Institutions should employ explainability tools, such as SHAP or LIME, to support transparency.

Stress testing AI models through scenario analysis and backtesting provides additional confidence in model robustness and regulatory compliance.

4. Governance and documentation expectations

SR 11-7 emphasizes comprehensive documentation to demonstrate model soundness and facilitate audits. For AI, documentation must include data lineage, model architecture, training processes, hyperparameters, and validation reports.

Governance frameworks should integrate AI ethics policies addressing fairness, bias mitigation, and privacy concerns, reflecting regulatory scrutiny on these issues.

Periodic internal and external audits help ensure adherence to the evolving regulatory landscape around AI model risk.

5. Ongoing monitoring and controls for AI model risk

AI models can exhibit performance drift as data distributions shift or business environments change. SR 11-7 requires continuous post-implementation monitoring to detect such deviations.

Monitoring frameworks should include automated data quality checks, model output analytics, and alerting mechanisms. Risk teams must define thresholds for acceptable model performance and trigger revalidation or model retraining when breached.

AI-specific operational controls such as version control, access restrictions, and incident response procedures reduce model misuse and operational risk.

6. Meeting supervisory expectations and next steps

In 2023, Federal Reserve examiners have increased scrutiny on AI models under SR 11-7, especially in credit underwriting and anti-money laundering use cases. Institutions that lack defined AI MRM frameworks face elevated examination risk.

Risk leaders should benchmark current AI governance and validation practices against SR 11-7 elements and develop remediation roadmaps where gaps exist. Early engagement with regulators regarding AI model risk management plans supports proactive compliance.

Institutions deploying AI are advised to invest in cross-functional AI risk governance teams, enhance validation tooling around explainability and bias, and establish continuous monitoring processes aligned to SR 11-7.