Model risk management for AI under SR 11-7 and the 2026 Revised Guidance
The interagency Revised Guidance on Model Risk Management supersedes SR 11-7 and SR 21-8. The three-pillar discipline carries forward, scaled to each bank's model risk profile. Prism produces the evidence at every tier.
- Risk-based scaling: validation rigor proportionate to model tier
- Independent model validation evidence
- Ongoing monitoring with alert thresholds
- Effective challenge through red-teaming and evaluation
- Inventory and tiering of every model in production
About this framework
In May 2026, the Federal Reserve Board, OCC, and FDIC jointly issued the Revised Guidance on Model Risk Management. It supersedes and replaces SR letter 11-7 (April 2011) and SR letter 21-8 (April 2021, MRM for BSA / AML compliance). The revision reflects fifteen years of supervisory experience and emphasizes a risk-based approach, tailored to a banking organization's model risk profile and the size and complexity of its operations. The three-pillar architecture carries forward: robust development with conceptual soundness, effective challenge through independent review, and ongoing monitoring with documented thresholds. The same framework is expressly applied to AI and LLM systems used in credit, fraud, AML, capital, and consumer-facing decisions.
Who needs to comply
Industries this applies to
Banks
All BHCs, member banks, and federally chartered banks; LLMs in credit, fraud, AML, and capital are in scope under the revised interagency guidance.
Asset Management
Bank-affiliated wealth and trust units fall under the MRM framework.
Insurance
Bank-owned insurance subsidiaries inherit the model risk framework.
Regulatory update — May 2026
The Federal Reserve Board, OCC, and FDIC have jointly issued the Revised Guidance on Model Risk Management. It supersedes and replaces SR letter 11-7 (April 2011) and SR letter 21-8 (April 2021). The revision reflects fifteen years of supervisory experience and emphasizes a risk-based approach tailored to each banking organization's model risk profile, size, and complexity. Existing SR 11-7 programs do not start from zero: the three pillars carry forward, but tiering and proportionality become the explicit organizing principle.
Delta
What the 2026 revision changes
- Risk-based proportionality is now the explicit organizing principle, not a footnote
- MRM for BSA / AML use (formerly SR 21-8) is folded into one consolidated framework
- AI and LLM systems are addressed inside the model definition, not as an annex
- Effective challenge expectations are clarified for third-party and vendor-supplied models
- Documentation expectations scale with tier, removing one-size-fits-all overhead for low-risk models
Framework
The three pillars (carried forward from SR 11-7)
- Robust model development with conceptual soundness
- Effective challenge — independent review and validation
- Ongoing monitoring with documented thresholds
Mapping
How Prism evidences each pillar under the revised guidance
| Obligation | Capability | Evidence |
|---|---|---|
| Risk-based tiering of every model in production | Prism Model Inventory | Per-model tier assignment with documented rationale, exposure, and downstream-decision impact |
| Conceptual soundness and pre-deployment validation | Prism Model Audits | Audit runs against benchmarks; calibration, robustness, and accuracy metrics archived per tier |
| Effective challenge (including third-party / vendor models) | Prism Red Teaming | Curated adversarial test catalog with severity-tagged findings and reproducer prompts, applied to in-house and vendor LLMs |
| Ongoing monitoring proportionate to model tier | Prism Evaluations + Traces | Five-dimension quality score on every trace; week-over-week regression view with tier-appropriate alert thresholds |
Read the source
Go straight to the regulator
Not familiar with this framework? These are the authoritative sources.
Revised Guidance on Model Risk Management (supersedes SR 11-7 and SR 21-8)
Federal Reserve Board, OCC, FDIC (interagency, May 2026)
SR 11-7 — Original Guidance on Model Risk Management (superseded May 2026)
Federal Reserve Board (April 2011, archival)
OCC Bulletin 2011-12 (companion guidance)
Office of the Comptroller of the Currency
Built for: MRM teams at banks, BHCs, FBOs, and savings institutions supervised under the revised interagency Model Risk Management guidance