Banking Regulation · Model Risk · Compliance

SR 11-7 Was Written for AI Governance — Banks Just Don’t Know It Yet

EVE Research April 14, 2026 9 min read

SR 11-7, the Federal Reserve’s Supervisory Guidance on Model Risk Management issued in 2011, was written for statistical models used in credit underwriting, market risk, and operational risk management. The phrase “artificial intelligence” does not appear in it. But read SR 11-7 as a governance framework for AI systems deployed in regulated banking workflows, and it establishes requirements more demanding and specific than anything currently being written for AI. Banks that understand SR 11-7 in the context of AI governance will recognize that they already have a compliance obligation that covers their AI deployments — and that most current AI governance approaches do not satisfy it.

What SR 11-7 Actually Requires

SR 11-7 defines a model as “a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates.” AI systems that make quantitative determinations — credit scoring, fraud detection, loan approval, transaction monitoring — fall within this definition.

The guidance establishes three main areas of model risk management practice:

Model development, implementation, and use: The model must be conceptually sound, implemented correctly, and used only for appropriate purposes. Documentation must include “a description of the model’s intended use, theory and logic underlying the model, processing components, mathematical calculations and quantitative techniques, key assumptions, data inputs, and reports.”

Model validation: Models must be subject to “robust model validation.” Validation must be performed by qualified personnel independent of the model development team. Validation must include “evaluation of conceptual soundness, ongoing monitoring, outcomes analysis, and benchmarking.”

Governance, policies, and controls: Banks must maintain comprehensive model inventories, have board or committee oversight of model risk, and ensure that model risk management policies define acceptable model risk and specify roles and responsibilities.

Reading SR 11-7 as AI Governance

Apply these three areas to an AI system deployed in a loan origination workflow:

Conceptual soundness: SR 11-7 requires documentation of the model’s theory and logic, key assumptions, and mathematical techniques. For an AI system whose decision boundary is learned from training data through a process that is not fully interpretable, “documenting the theory and logic” is a substantive challenge. The guidance’s intent is that the model’s behavior must be understandable and explainable — a requirement that maps directly to the AI governance requirement for deterministic, rule-based enforcement that produces interpretable decision records.

An AI governance layer that applies deterministic rules to a model’s outputs satisfies the conceptual soundness requirement at the governance layer: the rules are explicit, their logic is documented, and their application to any input is reproducible and explainable.

Ongoing monitoring: SR 11-7 requires that “model performance be monitored on an ongoing basis” and that “monitoring should include tracking of model performance metrics and identification of conditions that might indicate that model performance has deteriorated.” For an AI system in production, ongoing monitoring requires real-time visibility into governance metrics — how often is each rule triggering? Are trigger patterns consistent with expectations? Are there anomalous patterns that suggest distribution shift or adversarial probing?

A governance infrastructure with real-time monitoring endpoints and anomaly detection satisfies the ongoing monitoring requirement. A static rulebook with periodic manual review does not.

Outcomes analysis: SR 11-7 requires that model performance be evaluated against actual outcomes. For AI governance, this means tracking whether governance decisions aligned with the intended governance framework — did the actions that were permitted turn out to be appropriate? Did the actions that were blocked represent genuine policy violations? This feedback loop requires that each governance decision be tagged with sufficient context to enable outcome linking — which requires durable, structured decision records, not transient log entries.

Independent validation: SR 11-7 requires validation by personnel independent of model development. For AI governance, this means the governance audit record must be verifiable by an independent party — one who did not build the system and who does not have access to the live system. This is precisely the requirement satisfied by offline replay verification: an independent auditor receives the signed decision record, the archived rule set, and the canonical input, and verifies the verdict on their own infrastructure without trusting the original system.

The Governance Lineage Problem

SR 11-7 requires a “model inventory” — a comprehensive registry of all models in use, including documentation of each model’s status, purpose, and validation history. For AI systems, the governance lineage question is: what is the complete chain of documentation linking the approved governance framework to the specific rules applied to a specific decision?

This chain must include:

  • The approved governance policy
  • The rule set version implementing that policy
  • Evidence that the rule set has not been modified since approval
  • The governance decision record for the specific decision, linked to the rule set version
  • The outcome analysis linking the decision to its actual consequence

An AI governance infrastructure that maintains rule set versioning with cryptographic integrity, links each decision record to its rule set version hash, and supports outcome tracking satisfies the SR 11-7 governance lineage requirement. An infrastructure without these properties cannot demonstrate the lineage.

The Validation Problem

SR 11-7 validation is the requirement that creates the most difficulty for current AI governance approaches. Independent validation requires that a qualified, independent reviewer can evaluate whether the model is conceptually sound, whether it is performing as intended, and whether it would continue to perform correctly under stress conditions.

For an AI system with a deterministic governance layer, independent validation is tractable. The reviewer can:

  • Inspect the rule set and evaluate its conceptual soundness against the governance policy
  • Run the independent replay verification on a sample of historical decisions to confirm determinism
  • Apply adversarial test cases to evaluate robustness under stress conditions
  • Review the monitoring outputs to evaluate ongoing performance visibility

For an AI system with probabilistic middleware governance, independent validation is very difficult. The reviewer cannot verify conceptual soundness of a black-box classifier. The reviewer cannot replay historical decisions without access to the live system. The reviewer cannot independently confirm that the governance applied to historical decisions reflects the approved governance policy.

What Bank Examiners Are Beginning to Ask

Bank examiners reviewing AI deployments have been applying SR 11-7 with increasing specificity. The following questions are appearing in examination letters and model risk management reviews:

  • Can you show the complete governance lineage from the approved policy to the specific decision?
  • What evidence do you have that the governance configuration applied at the time of this decision was the currently approved configuration?
  • What is your independent validation methodology for the governance layer?
  • How do you monitor governance performance on an ongoing basis?
  • What is the process for incorporating new failure modes into the governance framework, and how do you document that this process has been followed?

These questions have clear answers for a bank that has implemented deterministic governance infrastructure. They do not have clear answers for a bank that has implemented prompt engineering and output filtering.

The SR 11-7 Examination Scenario

Consider the examination scenario: an examiner requests a review of the bank’s AI-assisted loan underwriting process. They identify a loan application that was approved by the AI system and subsequently defaulted within six months. They ask the bank to demonstrate that the governance framework applied to this decision was appropriate.

A bank with deterministic governance infrastructure can respond with:

  • The signed decision record for the specific application, showing the governance verdict, the rule set version hash, and the triggered rules
  • The rule set archive for the rule set version referenced in the decision record, showing the exact rules that were in effect
  • The chain continuity proof showing no records were modified in the relevant period
  • The independent validation report showing the rule set was reviewed and approved at the relevant version
  • The monitoring data from the relevant period showing no anomalous patterns

A bank with probabilistic middleware can respond with log entries showing the application was processed and approved, documentation of the governance policy that was intended to be in effect, and attestation from system administrators that the governance configuration was as documented. SR 11-7 examination practice has consistently found the second posture inadequate. Attestation from model developers is not independent validation. Policy documentation is not enforcement evidence.
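
The signed decision record, rule set version hash, chain continuity proof and offline replay named in this scenario, and earlier under "Independent validation" and "The Governance Lineage Problem", can be sketched as follows. This is an added example, not EVE Research's code or any product's record format. Assumptions: the record fields, the threshold rule format and the sample applications are constructed, and HMAC-SHA256 stands in for the asymmetric signature an independent auditor would verify, so that the block needs only the Python standard library.

```python
import hashlib, hmac, json
GENESIS = "0" * 64  # "prev" value of the first record in a chain

def canon(obj):  # canonical JSON: sorted keys, no whitespace, identical bytes everywhere
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj):
    return hashlib.sha256(canon(obj)).hexdigest()

def sign(key, body):  # HMAC stand-in for an asymmetric signature (assumption)
    return hmac.new(key, canon(body), hashlib.sha256).hexdigest()

def evaluate(rules, inp):  # hypothetical rule format: triggers when inp[field] > max
    triggered = sorted(r["id"] for r in rules if inp[r["field"]] > r["max"])
    return ("BLOCK" if triggered else "PERMIT"), triggered

def make_record(key, rules, inp, prev_hash):
    verdict, triggered = evaluate(rules, inp)
    body = {"input_hash": digest(inp), "rule_set_hash": digest(rules),
            "verdict": verdict, "triggered": triggered, "prev": prev_hash}
    return {**body, "sig": sign(key, body)}

def build_chain(key, rules, inputs):
    chain, prev = [], GENESIS
    for inp in inputs:
        chain.append(make_record(key, rules, inp, prev))
        prev = digest(chain[-1])  # the next record commits to this one
    return chain

def audit(key, chain, rules, inputs):
    # Auditor side, offline: per record, the list of failed checks ([] = verified).
    report, prev = [], GENESIS
    for rec, inp in zip(chain, inputs):
        body = {k: v for k, v in rec.items() if k != "sig"}
        checks = {"signature": hmac.compare_digest(sign(key, body), rec["sig"]),
                  "rule_set_hash": rec["rule_set_hash"] == digest(rules),
                  "input_hash": rec["input_hash"] == digest(inp),
                  "chain": rec["prev"] == prev,
                  "replay": (rec["verdict"], rec["triggered"]) == evaluate(rules, inp)}
        report.append([name for name, ok in checks.items() if not ok])
        prev = digest(rec)
    return report

# Constructed sample data (not real applications or policy thresholds).
KEY = b"constructed-demo-key"
RULES_V1 = [{"id": "R1-dti", "field": "dti_pct", "max": 43},
            {"id": "R2-ltv", "field": "ltv_pct", "max": 95}]
APPS = [{"dti_pct": 31, "ltv_pct": 80}, {"dti_pct": 52, "ltv_pct": 97}]
print(audit(KEY, build_chain(KEY, RULES_V1, APPS), RULES_V1, APPS))
```

Editing a stored record, or auditing against a rule set that differs from the one in effect at decision time, surfaces as a named failure (signature, chain, rule_set_hash, replay) for the affected records instead of a silent pass.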

The Infrastructure Investment Argument

The compliance case for deterministic governance infrastructure in banking is not primarily a risk avoidance argument — it is an examination efficiency argument. Banks that have implemented the governance lineage, monitoring, replay verification, and independent validation capabilities that SR 11-7 requires will spend significantly less time and money on model risk management examinations than banks that have not.

An examination that can be answered with a signed decision record, a rule set archive, and an offline replay demonstration is a matter of hours. An examination that requires reconstructing governance state from documentation, administrator attestation, and log interpretation is a matter of weeks — and may not produce a result that satisfies the examiner.

The infrastructure investment required to satisfy SR 11-7 for AI governance is front-loaded. The examination efficiency benefit compounds over every subsequent examination. For banks with significant AI deployments in regulated workflows, the economics of the investment are favorable before the regulatory risk premium is even considered.
