Field Guide

AI Model Governance for Compliance: An SR 11-7 Field Guide

The short version

AI is in compliance workflows now, and a sharp examiner's first question is rarely what the model said. They want to know how you govern it. SR 11-7, the supervisory guidance on model risk, has answered that question for years: govern the AI like any model, with sound development, independent validation, and documented oversight. A compliance tool that cannot explain how its AI works, show that it was validated, and prove a qualified human owns the output is a finding waiting to happen. Govern the model and keep a named person accountable for every result, and you can defend it.

For years the objection to AI in compliance was simple: regulators will never accept a machine's word. That gets the risk backwards. Regulators have governed decision-making models for over a decade, and they already have a framework for it. What worries an examiner is not that AI sits in the workflow. It is an AI nobody can explain, validate, or stand behind.

This guide walks through governing AI in a BSA/AML program the way an examiner expects: what SR 11-7 requires, why it reaches AI compliance tools, what validation looks like in practice, why explainability and the audit trail settle the question, and the questions to put to any vendor selling you AI.

The question examiners now ask

Compliance teams have adopted AI to score risk, draft SAR narratives, tune monitoring, and read regulatory change. Examiners have noticed. The question in the room has shifted from whether you use a model to how you control the one you use. An institution that can answer that question calmly is in a far stronger position than one that treats its AI as a vendor black box it would rather not discuss.

What SR 11-7 is

SR 11-7 is the interagency Supervisory Guidance on Model Risk Management, issued by the Federal Reserve and the OCC in 2011 (OCC Bulletin 2011-12). It became the reference standard for how a regulated institution manages the risk of relying on a model. It defines a model broadly: a quantitative method that turns inputs into estimates, scores, or decisions. That definition is wide on purpose, and it lands squarely on modern AI.

The guidance rests on a simple premise. Models are useful and models can be wrong, so the institution that depends on one must manage the risk that it is wrong. The heavier the reliance and the higher the stakes, the more rigor the model demands.

The three elements SR 11-7 expects

Element: what it requires

Development, implementation, and use: A sound design built on appropriate data and method, documented well enough that someone other than the builder can understand it, and used only for the purpose it was built for.

Validation: An effective, independent challenge to the model: is it conceptually sound, does it still perform, and do its outcomes hold up. Performed by people with distance from the developers.

Governance, policies, and controls: Clear ownership, written policies, an inventory of models, defined roles, and board and senior-management oversight of the whole thing.

SR 11-7 is the supervisory backbone, and a newer companion speaks directly to generative tools. The NIST AI Risk Management Framework (AI RMF 1.0, 2023) and its Generative AI Profile (NIST-AI-600-1, July 2024) give a common vocabulary for AI-specific risks such as confabulation and information integrity. They are voluntary rather than binding, but they are the reference an examiner and a model-risk team increasingly expect to see mapped alongside SR 11-7 when the model is generative.

What validating an AI compliance model means

Validation is where most AI compliance stories fall apart, so it is worth being concrete. SR 11-7 frames validation in three parts, and each maps cleanly onto an AI system:

Conceptual soundness: are the design and the data fit for purpose?
Ongoing monitoring: does the model still perform as conditions change?
Outcomes analysis: do its results hold up against benchmarks or back-testing?

The word that carries weight is independent. Validation done by the same people who built the model, with no distance and no challenge, is the kind an examiner discounts.

Explainability and the audit trail

An examiner cannot accept what cannot be explained. A model that produces a score or a narrative with no traceable reasoning gives a reviewer nothing to inspect, and a regulator reads "the AI decided" as the absence of a decision. Two things settle it. First, explainability: the institution can describe, in terms a reviewer follows, how the model reached its result. Second, the audit trail: every step is logged, so anyone can reconstruct the path from input to output long after the fact. Do both and an opaque output becomes defensible evidence.

The human in the loop

The most important control is also the simplest. A qualified person reviews the AI's work and attests to it before it is used. The machine drafts; the human decides. This is the line that keeps an AI compliance tool on the right side of the guidance, because accountability cannot sit with a model. It sits with a named person who can be asked to explain a filing or a decision. Any design that removes the human from that loop has removed the thing that makes the output defensible.
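One minimal shape for the audit trail and the human gate described above, as an added illustration (not Compliance Command Center's code and not a prescription of SR 11-7): every model output and every reviewer attestation becomes an entry in a hash chain, and an output counts as released only while the chain still verifies and a named reviewer has approved it. Field names such as model_id and rationale are assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64


def _digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()


class AuditTrail:
    """Append-only, hash-chained log of model outputs and attestations (illustrative; field names assumed)."""

    def __init__(self):
        self.entries = []

    def _append(self, record):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        record = {**record, "seq": len(self.entries), "prev_hash": prev}
        record["entry_hash"] = _digest(record)  # chains this entry to everything before it
        self.entries.append(record)
        return record

    def log_output(self, model_id, version, inputs, output, rationale):
        # Inputs and output are stored as hashes: the log proves what the model saw and said
        # without duplicating customer data; the rationale is what the reviewer reads.
        entry = self._append({"kind": "output", "model_id": model_id, "model_version": version,
                              "input_hash": _digest(inputs), "output_hash": _digest(output),
                              "rationale": rationale})
        return entry["seq"]

    def attest(self, output_seq, reviewer, approved, note):
        if not reviewer:
            raise ValueError("attestation requires a named reviewer")
        entry = self._append({"kind": "attestation", "output_seq": output_seq,
                              "reviewer": reviewer, "approved": approved, "note": note})
        return entry["seq"]

    def verify(self):
        """Recompute every hash; an edited or removed entry breaks the chain."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["prev_hash"] != prev or _digest(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

    def is_released(self, output_seq):
        """The machine drafts, the human decides: usable only after an intact, approving attestation."""
        return self.verify() and any(e["kind"] == "attestation" and e["output_seq"] == output_seq
                                     and e["approved"] for e in self.entries)
```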

Questions to ask any AI compliance vendor

If you are evaluating a tool that puts AI anywhere near a compliance decision, put these to the vendor and weigh the answers:

How does the AI reach a result, and is that reasoning auditable?
How was the model validated, and by whom?
What ongoing monitoring catches drift?
How is bias tested?
Where does a human review and attest before the output is used?
What audit trail could an examiner inspect?

A vendor who cannot explain how the AI works is selling a tool you will not be able to defend. Govern your AI the way a good program governs everything else, and you can use it without ever losing the ability to stand behind the result.

Common questions

What is SR 11-7?
SR 11-7 is the U.S. interagency Supervisory Guidance on Model Risk Management, issued by the Federal Reserve and the OCC in 2011 (OCC Bulletin 2011-12). It sets the expectation that institutions manage the risk of any model they rely on through three things: sound model development, implementation, and use; effective and independent validation; and strong governance, policies, and controls.

Does SR 11-7 apply to AI compliance tools?
Yes. SR 11-7 defines a model broadly as a quantitative method that processes inputs into estimates or decisions. An AI system that scores risk, generates SAR narratives, or flags transactions fits that definition. When an AI tool influences compliance decisions, examiners expect it to be governed as a model: developed soundly, validated independently, and overseen with documented controls.

Can examiners accept AI-generated compliance work?
Examiners accept AI-supported work when the institution can show the AI is governed and a qualified human owns the output. The failure mode is an unexplained black box with no validation and no human accountability. A tool that can explain how it works, demonstrate it was validated, and prove a person reviewed and attested to each deliverable meets the expectation SR 11-7 sets.

What does it mean to validate an AI compliance model?
Validation under SR 11-7 has three parts: evaluating conceptual soundness (are the design and the data fit for purpose), ongoing monitoring (does it still perform as conditions change), and outcomes analysis (do its results hold up against benchmarks or back-testing). Validation should be performed with independence from the people who built the model, and documented so an examiner can follow it.

What questions should I ask an AI compliance vendor?
Ask how the AI reaches a result and whether that reasoning is auditable, how the model was validated and by whom, what ongoing monitoring catches drift, how bias is tested, where the human reviews and attests before output is used, and what audit trail an examiner could inspect. A vendor who cannot answer how the AI works is a vendor whose tool you cannot defend.
From the team behind this guide

AI that is governed, not just used

Compliance Command Center is built so the AI can be governed the way an examiner expects. Its SENTINEL layer covers model validation, explainability, and bias review, aligned to SR 11-7, and a qualified human reviews and attests to every deliverable before it is used. You get the leverage of AI with an answer to the question examiners now ask: how do you control the model? Practitioner-built (JD, CAMS), defensible by design.
