EVE AI Core
Model risk management (MRM) is the discipline of controlling the risk that a model is wrong or used wrongly. SR 11-7 is the U.S. supervisory guidance that defines it — and it applies to AI/ML models, not just statistical ones.
“AI model risk management is the discipline of identifying, controlling, and documenting the risk that an AI or machine-learning model produces wrong or non-compliant decisions.”
SR 11-7 is the 2011 U.S. Federal Reserve / OCC supervisory guidance that defines model risk management. Three ideas from it do the heavy lifting:
SR 11-7 defines a model as any quantitative method turning inputs into outputs. Machine-learning and AI systems are squarely in scope — the guidance never required the model to be a regression.
Models must face independent validation — critical review by parties who did not build them, with the standing to change or stop the model. Governance is treated as part of managing model risk, not paperwork around it.
Risk is managed across development, implementation, and use — including ongoing monitoring as data and conditions shift. A model that was validated once is not a model that is governed.
AI and machine-learning models complicate every part of SR 11-7: they can be hard to interpret, they can change behavior as input distributions drift, and they often sit inside automated pipelines that act on their output immediately. That combination makes decision-level, reproducible evidence more valuable than ever — being able to point to a specific decision and show what controls applied and that the same inputs reproduce the same outcome.
Validation tells you a model behaves acceptably in aggregate. It does not, by itself, prove that a specific production decision was governed. A deterministic control plane closes that gap: each model-driven decision passes through policy enforcement before it executes, and emits a signed, replayable record. That gives a model-risk team a per-decision audit trail to put in front of an examiner.
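A minimal sketch of the pattern described above, added here as an illustration and not taken from EVE AI Core or any vendor's code: a decision passes a deterministic policy check, the resulting record is signed, and a reviewer later verifies the signature and replays the policy on the recorded inputs. The policy fields, record layout, function names and the inline HMAC key are all assumptions made for the example; replay here re-evaluates the policy layer on the recorded model output and does not re-run the model itself.

```python
import hashlib
import hmac
import json

# Assumption: constructed demo key; a real deployment would sign in a KMS/HSM.
SIGNING_KEY = b"constructed-demo-key"
# Hypothetical policy; it is embedded in every record so replay uses the same rules.
POLICY = {"id": "credit-limit-v1", "max_amount": 10_000, "min_score": 0.70}

def canonical(obj) -> bytes:
    """Stable byte encoding so the same record always signs to the same value."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def sign(body) -> str:
    return hmac.new(SIGNING_KEY, canonical(body), hashlib.sha256).hexdigest()

def enforce(inputs, model_output, policy):
    """Pure function of its arguments: no clock, randomness or external lookups."""
    if inputs["amount"] > policy["max_amount"]:
        return "deny", "amount_over_limit"
    if model_output["score"] < policy["min_score"]:
        return "refer", "score_below_threshold"
    return "allow", "within_policy"

def decide(inputs, model_output, model_version):
    """Enforce policy before the decision executes, then emit a signed record."""
    outcome, reason = enforce(inputs, model_output, POLICY)
    body = {"inputs": inputs, "model_output": model_output,
            "model_version": model_version, "policy": POLICY,
            "outcome": outcome, "reason": reason}
    return {"body": body, "sig": sign(body)}

def verify_and_replay(record) -> str:
    """Examiner-side check: signature first, then re-derive the outcome."""
    body = record["body"]
    if not hmac.compare_digest(sign(body), record["sig"]):
        return "bad_signature"
    replayed = enforce(body["inputs"], body["model_output"], body["policy"])
    if replayed != (body["outcome"], body["reason"]):
        return "replay_mismatch"
    return "ok"

if __name__ == "__main__":
    # Constructed sample decision.
    rec = decide({"applicant": "A-1", "amount": 5000}, {"score": 0.82}, "m-1")
    print(rec["body"]["outcome"], verify_and_replay(rec))
```

The two failure results are distinct on purpose: `bad_signature` means the record was altered after it was emitted, while `replay_mismatch` means a validly signed record states an outcome the recorded policy would not have produced.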
Model risk is one regime that demands evidence. The audit-trail and control-plane explainers show what that evidence looks like.
U.S. Federal Reserve / OCC supervisory guidance (2011) on model risk management: it defines a model method-agnostically, requires independent validation (“effective challenge”), and treats governance as core to managing model risk.
Yes — its definition of a model is method-agnostic, so AI and machine-learning systems that drive decisions are in scope.
Increasingly, decision-level proof: what the model was asked, which controls applied, and that the same inputs reproduce the same outcome.
See how a deterministic control plane produces a signed, replayable record for each model-driven decision — the kind of evidence SR 11-7 examinations increasingly expect.