AI Governance - Compliance Evidence

SR 11-7 for AI and model risk

SR 11-7 evidence mapping for AI and model risk in banking. Model inventory, validation support, ongoing monitoring, change control, and governance evidence.

SR 11-7 evidence for AI and model risk.

For banks and capital-markets teams, TrustEvals turns AI behavior into evidence model-risk teams can use for inventory, validation, monitoring, and governance, under the AI Governance control lead. The bank-grade discipline US examiners already apply, mapped to live AI behavior.

SR 11-7 is US banking supervisory guidance for model-risk management. It is not an AI law and not an AI standard. For banking organizations, AI and machine-learning systems can fall into model-risk scope when they produce quantitative estimates, classifications, decisions, or decision support that affects business outcomes.

US banking supervisory guidance

Federal Reserve and OCC

Supervisory guidance for model risk management in banking organizations.

SR 11-7 AI model risk

The guidance names the expectations. You set the baseline.

SR 11-7 does not give an AI checklist. It gives model-risk expectations, and it does not define the threshold a given AI system has to clear before it is sound. TrustEvals sets the baseline per use case and proves it continuously, translating AI behavior into inventory, validation, monitoring, change control, and governance evidence.

Requirement. Maintain a complete inventory with ownership, purpose, use, limitations, and materiality.

Evidence. AI system inventory, model or agent owner, business use, materiality flag, dependency map, and approval state.

Requirement. Document design, data, assumptions, limitations, and implementation controls.

Evidence. Use-case baseline, data-source record, prompt or model version, control design, test set, and implementation signoff.

Requirement. Independently assess conceptual soundness, outcomes, ongoing performance, and limitations.

Evidence. Validation packet, benchmark results, exception analysis, challenger-review notes, weakness log, and remediation status.

Requirement. Track performance over time, monitor changes, escalate issues, and report model risk to governance forums.

Evidence. Drift report, control-health time series, incident trace, change log, stale-evidence flag, and committee-ready risk summary.

What teams should remember.

AI does not escape model risk because it looks like software.

If an AI system influences a banking decision, estimate, classification, or control outcome, model-risk teams need a defensible inventory and monitoring position.

Validation needs behavioral evidence.

Static documentation is not enough for systems whose outputs change with prompts, data, tools, vendors, or model versions. Validation needs observed behavior over time.

Governance forums need a summary, not raw traces.

TrustEvals keeps raw trace evidence available while producing risk summaries that model-risk committees, internal audit, and business owners can actually review.

SR 11-7 AI, asked plainly.

No. SR 11-7 is supervisory guidance for model-risk management in banking. AI systems can fall under model-risk scope depending on how they are used.

Systems that produce estimates, classifications, recommendations, decisions, or decision support for material banking activity are the highest-priority candidates for model-risk review.

TrustEvals produces behavioral evidence that validation teams can review: baselines, eval results, drift reports, change history, incident traces, and exception analysis. We build governable AI solutions, and we are the independent read on whether they hold.

SR 11-7 is banking model-risk guidance. NIST AI RMF is a voluntary AI risk framework. Teams can use NIST vocabulary while preserving SR 11-7 model-risk evidence requirements, with both drawing on the same evidence.

Keep the evidence map connected.

NIST AI RMF

Use NIST AI RMF for AI risk vocabulary around the same monitoring evidence.

EU AI Act

Use EU AI Act mapping when banking AI systems also have EU regulatory exposure.

Start with the quick audit.

The quick-entry artifact under AI Governance. Two weeks to an independent operating read: AI value, AI risk, fluency gaps, owners, and the next funded workstream. From there, the SR 11-7 evidence stream runs continuously.

Source-linked. Every recommendation traces back to workflow evidence, owners, and the decision it supports.

Board-readable. The output is written as an operating read, not a raw telemetry dump.

One read. Route into Strategy, Transformation, Fluency, Governance, or Quick Audit from the same evidence base.