The SR 11-7 Blind Spot: What Banks Discover When AI Hits Model Risk Management
Banks are deploying AI in credit scoring, fraud detection, compliance monitoring, and customer operations — but SR 11-7, the model risk framework regulators use, was written in 2011 for statistical models, not LLM APIs. This episode dissects the validation gap every bank running third-party frontier AI in production is carrying, what happens when the model version changes without a governance event, and the examination question your team should be able to answer before the next OCC or Fed visit.
The Deployment Debrief · Host: Elise · AI Insight Lab
Key takeaways
1. SR 11-7 was written for internal statistical models. Using a third-party frontier API in a credit scoring workflow is a model risk event your MRM team has not validated.
2. When OpenAI or Anthropic updates their model version, your production deployment changes without a governance event — and your existing model inventory entry goes stale.
3. The examiner question that will surface in every OCC and Fed review in the next 18 months: 'What is your validation protocol for third-party AI models used in credit decisions?'
4. The fastest path to examiner readiness is a model inventory update that explicitly classifies each third-party AI API by risk tier and documents its validation status.
Episode sections
Why the model risk framework every bank uses — SR 11-7 — was written for static internal statistical models, not third-party LLM APIs that update without notice.
What SR 11-7 was built to govern, the assumptions it makes about model stability and internal ownership, and where LLM APIs break each assumption.
Why using a third-party frontier API in a credit scoring or fraud detection workflow is a model risk event — and what validation your MRM team has not run.
What happens when OpenAI or Anthropic updates a model version in production — and why your model inventory entry goes stale without triggering a governance event.
Vendor-reliant validation, internal shadow validation, and full independent assessment — what each provides and what OCC and Fed examiners are likely to accept.
The model inventory update, validation protocol, and examiner Q&A prep that positions your MRM team before the next examination cycle.
Examiner findings on LLM validation gaps, model inventory staleness, credit decision liability from unvalidated models, and the vendor indemnification gap in standard API terms.
The examination question your MRM team should be able to answer today: for each third-party AI API in production, what is the validation status and who owns it?