
SR 11-7: 7 Steps to Comply with this Standard
Citrusx
AI and machine learning models are now central to decision-making in financial services. Institutions rely on them for credit approvals, fraud detection, and risk modeling. However, as the use of these models expands, model approval is increasingly delayed. The slowdown often results from internal scrutiny around fairness, explainability, and governance—especially in the absence of clear AI-specific regulations. In response, regulators have begun applying SR 11-7, the Federal Reserve’s 2011 model risk framework, as the default benchmark for evaluating AI models.
Despite 87% of executives claiming to have clear AI governance frameworks, fewer than 25% have fully implemented tools to manage risks like bias, transparency, and security. This disconnect creates operational friction. Development slows when governance criteria are unclear or change late in the process. Compliance teams are left trying to assess model risk without reliable infrastructure, and risk committees struggle to evaluate model readiness without consistent review standards.
Facing these internal gaps and growing external scrutiny, many institutions are turning to SR 11-7 as a practical and enforceable framework for AI model oversight. Developed initially to manage traditional quantitative models, SR 11-7 was not designed with modern ML/AI/GenAI systems in mind. In the absence of tailored guidance, however, its core principles around model validation, oversight, and risk control are now being treated as the foundation for AI governance. This application poses new challenges for institutions that must apply legacy oversight frameworks to systems that are more complex, less interpretable, and continuously evolving.
To navigate this shift, teams need a clear understanding of how SR 11-7 is relevant to ML/AI/GenAI models and what specific steps are required for compliance.
What Is SR 11-7 and Why It Still Matters
SR 11-7 is “Supervisory Guidance on Model Risk Management,” originally published by the U.S. Federal Reserve in 2011. A model, as outlined in the guidance, includes any approach that uses quantitative methods, assumptions, or algorithms to process input data into outputs that influence decision-making.
The guidance applies across the model lifecycle. It covers development, implementation, validation, and ongoing monitoring. Institutions are expected to understand how their models operate, where they can fail, and how to mitigate associated risks. These expectations apply whether the model is developed in-house, purchased from a vendor, or built by a third party.

What SR 11-7 Covers
SR 11-7 rests on two foundational requirements. First, every institution must establish a well-defined model risk management framework. Second, model risk must be actively identified, measured, and controlled throughout the entire lifecycle.
To meet these requirements, institutions must maintain:
Independent and effective model validation
Ongoing performance tracking
Complete and accurate documentation
Centralized model inventory
Clear governance roles and responsibilities
These components form the basis for both supervisory reviews and internal accountability.
Why SR 11-7 Matters in the Age of AI
AI and machine learning models meet the criteria outlined in SR 11-7. They use quantitative techniques, rely on assumptions, and influence regulated decisions. Financial institutions using these models are subject to the same oversight standards that apply to traditional statistical models.
In practice, both examiners and internal risk teams have adopted SR 11-7 as the primary framework for evaluating AI systems. Its broad definitions and structured focus on validation, monitoring, and governance have made it adaptable to the complexity of machine learning, even in the absence of finalized AI-specific regulation in the U.S.
Who Is SR 11-7 for?
SR 11-7 applies to U.S. financial institutions supervised by the Federal Reserve, OCC, and FDIC. It applies to organizations that develop or rely on models for regulated financial decision-making, including external vendors serving those institutions.
The guidance applies across roles:
Technical teams must align model development practices with validation and control expectations.
Compliance teams are responsible for interpreting the guidance and enforcing it internally.
Business leaders must account for model performance, explainability, and regulatory scrutiny when introducing AI systems into operational workflows.
Because SR 11-7 expectations span multiple teams, effective compliance depends on clearly defined responsibilities and alignment across the entire model lifecycle.

7 Steps to Comply with SR 11-7
To comply with SR 11-7, institutions deploying AI models should follow these core steps:
Step 1: Establish a Model Risk Management Framework (MRM)
A model risk management (MRM) framework defines how an institution organizes its approach to model governance. It includes documented policies, defined roles, and formal procedures for how models are developed, validated, approved, and monitored. SR 11-7 requires institutions to put this structure in place to ensure that oversight is consistent and grounded in clearly assigned responsibilities.
The framework serves as the foundation for applying controls throughout the model lifecycle. It provides a repeatable process that links technical work with business and compliance review, helping institutions apply the same standards across all models, including those using machine learning.
To build a practical MRM framework:
Define model risk policies that set governance expectations across model types and business units
Categorize models into risk tiers based on complexity and potential impact
Assign ownership to specific teams for each phase of the model lifecycle (e.g., development, validation, monitoring)
Establish escalation protocols for risk issues or model failures
Align governance documentation with supervisory expectations and internal audit standards
Citrusˣ supports MRM implementation by centralizing governance artifacts and providing a shared system of record. The platform allows teams to assign model owners, track changes, and maintain a complete, auditable inventory. It makes it easier for institutions to apply consistent oversight and keep responsibilities clear across all teams involved in model governance.

Step 2: Maintain a Centralized, Auditable Model Inventory
A model inventory provides a single point of reference for all models in use, in development, or retired across the institution. It includes key metadata such as ownership, business function, validation status, and version history. SR 11-7 requires institutions to maintain a complete inventory to ensure visibility into how models are used and what risks they pose.
Without a complete inventory, oversight teams lack basic insight into the model landscape. They may not know which models are active, who is responsible for them, or whether they’ve been reviewed. This increases the risk of models operating without supervision, relying on outdated inputs, or being overlooked during governance reviews. SR 11-7 expects institutions to track every model, not just those deemed high risk.
To build and maintain an effective model inventory:
Log key attributes for each model, including type, inputs, outputs, business owner, and purpose.
Track development stage, deployment status, and changes over time.
Include models of all types—AI/ML/GenAI, statistical, vendor-supplied, and internally developed.
Include tools that meet SR 11-7’s broad definition of a model—even if they are not algorithmic—such as decision rules, spreadsheets, or vendor-provided engines.
Implement version control and validation history to support audits and change reviews.
Set up a regular review schedule to keep inventory records current and accurate.
To meet SR 11-7 expectations for model inventory, use an AI governance platform that centralizes records and tracks how models change over time. It should allow teams to assign ownership, log validation status, and maintain a history of model activity in one system. These functions create a reliable source of information for oversight and simplify preparation for audits and supervisory reviews.

Step 3: Validate Models Independently and Recurringly
Model validation is the process of confirming that a model functions as intended and produces reliable results under relevant conditions. SR 11-7 requires that validation be performed by teams who are not involved in model development to ensure that results are independently evaluated. Institutions, including generative AI startups, must repeat validation at regular intervals to reflect changes in inputs or in how the model is used.
Without this process in place, models may continue to operate after their assumptions are no longer valid. Institutions risk missing errors in logic or shifts in performance that affect business decisions. SR 11-7 treats validation as an essential control that must keep pace with the model and the context in which it operates.
To execute a compliant validation process:
Conduct conceptual soundness reviews to assess model logic and underlying assumptions.
Perform backtesting to compare predictions with actual outcomes.
Run sensitivity analyses to identify how input changes affect outputs.
Benchmark performance against relevant standards or peer models.
For AI/ML models, include fairness testing, bias audits, adversarial robustness checks, and explainability reviews.
For GenAI models, validation should include explainability reviews, fairness testing, bias audits, and adversarial robustness checks. Additional steps may involve hallucination analysis, toxicity or harmful content detection, input-output consistency testing, and output traceability when using retrieval-augmented generation (RAG). Teams should also assess whether the model adheres to defined use constraints and whether content moderation filters are working as intended.
Independent reviewers should not report to, or collaborate with, the model development team.
Document findings and communicate results to model owners and governance committees.

To validate models at scale, it’s best to employ a governance platform that automates key steps and enforces a repeatable process. Look for tools that support performance testing, fairness checks, explainability reviews, and alignment with internal validation policies. They give teams a reliable way to document results, trace findings over time, and show compliance without rebuilding workflows from scratch.
Step 4: Implement Model Approval & Change Control Procedures
Every model must be formally approved before it is used in production and reviewed again when changes are made. SR 11-7 requires institutions to document both the initial authorization and any updates that may affect how a model behaves. These events include retraining events, configuration changes, and replacements that alter core logic or inputs.
Explicit approval and change controls help decision-makers evaluate how the model works and what impact an update may have on its performance or regulatory status. These procedures reduce the risk of untracked changes and ensure that models continue to operate within approved boundaries.
To establish effective approval and change control:
Define clear criteria for pre-deployment model review, including validation sign-off and documentation checks.
Assign ownership and approval authority across model risk, compliance, and business stakeholders.
Create a formal process to log and review any post-deployment changes, including retraining triggers, new data inputs, or model replacements.
Define what constitutes a material change and what requires revalidation and governance review when thresholds are met.
Track the rationale, impact, and outcome of changes through structured documentation.
Ensure version control and rollback mechanisms are in place.
Citrusˣ supports this process with integrated workflows for model approval and change control. It captures sign-offs, tracks version history, and maintains audit logs that document how decisions are made. Teams can manage updates through a structured review process that reduces operational risk and meets both internal and regulatory expectations.

Step 5: Ensure Explainability and Transparency
Explainability refers to understanding how a model generates its outputs and how changes in inputs affect its behavior. SR 11-7 expects institutions to ensure that models are interpretable by technical and non-technical stakeholders involved in oversight. When the logic behind a model’s predictions cannot be clearly explained, it becomes harder to assess whether the model is being used appropriately.
Institutions need to demonstrate how each model works, what inputs influence its predictions, and whether those relationships are stable. This transparency is vital for AI and machine learning models, which often involve complex patterns that are not immediately intuitive. Explainability allows institutions to justify the use of these models in regulated decisions and to respond to internal and external review.
To strengthen explainability and transparency:
SHAP (SHapley Additive exPlanations) is a popular model interpretation method based on cooperative game theory. It calculates how much each input feature contributes to a model’s prediction. Use SHAP to explain individual outputs in a way that can be traced to specific variables.
LIME (Local Interpretable Model-Agnostic Explanations) is a technique that builds simple, interpretable models around individual predictions. It helps approximate how a complex model behaves in a specific case by generating a locally faithful explanation.
Counterfactual explanations show how a prediction would change if one or more input values were different. They help clarify decision boundaries and support fairness reviews by highlighting where small changes could produce different outcomes.
Document model logic, input assumptions, and rationale for design decisions.
Run input sensitivity analyses to determine which variables most influence predictions.
Create accessible summaries tailored for non-technical reviewers and regulators.
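The input sensitivity analysis and counterfactual explanation described in the list above, as an added example (not code from SR 11-7 or from the Citrusˣ platform). The scoring model, its weights, the feature names and the applicant are all constructed for illustration, and the counterfactual search assumes the score is monotone in the feature being varied.

```python
import math

# Hypothetical credit model: weights and threshold are constructed for this example.
WEIGHTS = {"income_k": 0.04, "debt_ratio": -3.0, "late_payments": -0.6}
BIAS = -1.0
THRESHOLD = 0.5  # approve when score >= THRESHOLD

# Constructed applicant who is declined by the model above.
APPLICANT = {"income_k": 45, "debt_ratio": 0.45, "late_payments": 2}

def score(x):
    """Logistic score in [0, 1]; stands in for any black-box predict function."""
    z = BIAS + sum(WEIGHTS[k] * x[k] for k in WEIGHTS)
    return 1 / (1 + math.exp(-z))

def sensitivity(x, steps):
    """One-at-a-time sensitivity: score change when each input moves by its step."""
    base = score(x)
    return {k: score({**x, k: x[k] + d}) - base for k, d in steps.items()}

def counterfactual(x, feature, bounds, tol=1e-3):
    """Value of `feature` closest to the current one that flips the decision.

    Only `feature` is changed and it must stay inside `bounds`. Returns None
    when no value in that range changes the outcome on its own.
    """
    decided = score(x) >= THRESHOLD
    flips = lambda v: (score({**x, feature: v}) >= THRESHOLD) != decided
    far = next((b for b in bounds if flips(b)), None)
    if far is None:
        return None
    near = x[feature]  # current value: by definition does not flip
    while abs(far - near) > tol:
        mid = (near + far) / 2
        near, far = (near, mid) if flips(mid) else (mid, far)
    return far

if __name__ == "__main__":
    print("score:", round(score(APPLICANT), 3))
    steps = {"income_k": 10, "debt_ratio": 0.1, "late_payments": 1}
    for name, delta in sensitivity(APPLICANT, steps).items():
        print(f"sensitivity {name:>14}: {delta:+.4f}")
    ranges = {"income_k": (0, 200), "debt_ratio": (0.0, 1.0), "late_payments": (0, 10)}
    for name, rng in ranges.items():
        print(f"counterfactual {name:>14}: {counterfactual(APPLICANT, name, rng)}")
```

A `None` result is itself a finding for reviewers: for this applicant, no change to debt ratio or late payments alone reverses the decision, while income does.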
Explainability can be enhanced by using a platform with a proprietary engine that supports global, local, and clustered explainability. Teams can analyze trends across the model, explore individual predictions, or examine how models behave across segments of data. This level of transparency supports internal understanding and helps satisfy SR 11-7’s expectation that models be interpretable to the stakeholders who oversee them.

Step 6: Monitor Model Performance Continuously
Once a model is in production, its performance must be monitored to confirm it still meets expected standards. SR 11-7 requires institutions to track model accuracy over time, detect changes in input data, and identify when a model is used outside its original scope. Ongoing monitoring helps determine when a model needs to be reviewed or adjusted.
If performance degrades and no one is tracking it, models can continue to influence decisions without oversight. Outputs may drift from intended use, and errors may go unnoticed until they create regulatory exposure. Consistent model monitoring allows teams to respond early, correct problems, and maintain control over model usage. For example, in AI-driven wastewater management solutions, models must adjust to seasonal demand patterns and sensor degradation. Similar shifts affect AI in finance—but without alerts or historical context, the risks may go unnoticed until a failure triggers regulatory scrutiny.
To establish effective model monitoring:
Define core metrics such as accuracy, precision, recall, robustness, and stability.
Track data drift to detect changes in input distributions relative to training data.
Monitor prediction drift to identify shifts in model output behavior.
Set thresholds for key indicators and define retraining triggers when performance drops.
Include checks for unauthorized or unintended use cases, which may indicate model misuse—a risk explicitly cited in SR 11-7.
Log deviations and establish investigation workflows for root cause analysis.
Coordinate with business and compliance teams to review high-impact issues.
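The data-drift and prediction-drift checks with alert thresholds described in the list above, as an added example (not code from SR 11-7 or from the Citrusˣ platform). It uses the Population Stability Index, a drift statistic chosen here as an assumption; the 0.10 and 0.25 thresholds are a common rule of thumb rather than values from the guidance, and the series names and data are constructed.

```python
import math
import random

# Assumed rule-of-thumb thresholds; not taken from SR 11-7 or this article.
PSI_WARN, PSI_ALERT = 0.10, 0.25

def quantile_edges(baseline, bins=10):
    """Bin edges at baseline quantiles, so each bin holds about equal training mass."""
    s = sorted(baseline)
    return [s[len(s) * i // bins] for i in range(1, bins)]

def bin_shares(values, edges, eps=1e-4):
    """Share of values per bin; eps floors empty bins so the log stays defined."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[sum(v >= e for e in edges)] += 1
    return [max(c / len(values), eps) for c in counts]

def psi(baseline, current, bins=10):
    """Population Stability Index of `current` against the training `baseline`."""
    edges = quantile_edges(baseline, bins)
    b, c = bin_shares(baseline, edges), bin_shares(current, edges)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

def classify(value):
    if value >= PSI_ALERT:
        return "alert"
    return "warn" if value >= PSI_WARN else "ok"

def monitor(baseline, production):
    """Score every monitored series; the returned records are what gets logged."""
    findings = []
    for name, train_values in baseline.items():
        value = psi(train_values, production[name])
        findings.append({"series": name, "psi": round(value, 4),
                         "status": classify(value)})
    return findings

def needs_review(findings):
    """Retraining or revalidation trigger: any series at alert level."""
    return any(f["status"] == "alert" for f in findings)

def constructed_sample(seed=7):
    """Constructed data: two model inputs and the model's output score."""
    rng = random.Random(seed)
    baseline = {
        "income_k": [rng.gauss(50, 10) for _ in range(5000)],
        "utilization": [rng.betavariate(2, 5) for _ in range(5000)],
        "model_score": [rng.betavariate(2, 5) for _ in range(5000)],
    }
    production = {
        "income_k": [rng.gauss(58, 10) for _ in range(2000)],         # input drift
        "utilization": [rng.betavariate(2, 5) for _ in range(2000)],  # stable
        "model_score": [rng.betavariate(3, 4) for _ in range(2000)],  # prediction drift
    }
    return baseline, production

if __name__ == "__main__":
    for finding in monitor(*constructed_sample()):
        print(finding)
```

Bin edges are fixed from the training baseline, so a production window is always compared against the distribution the model was validated on rather than against the previous window.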
At this stage, using an AI and LLM validation and risk management platform that supports continuous oversight with real-time monitoring tools is critical. Use it to track model performance metrics and detect both data drift and explainability drift. It should have alerts to notify relevant teams if thresholds are breached, and integrated audit logging to maintain a transparent record of model behavior over time.

Step 7: Document the Entire Model Lifecycle
SR 11-7 requires institutions to maintain complete documentation for every phase of the model lifecycle. These records include the model’s purpose, design assumptions, validation plan and results, approval decisions, deployment context, and ongoing monitoring activities. Each stage must be recorded in a way that allows regulators and internal reviewers to trace how the model has been evaluated and managed over time.
When lifecycle documentation is incomplete or fragmented, teams lose track of how decisions were made and what risks were addressed. Oversight gaps like this weaken an organization’s ability to respond to audits or justify continued model use. Maintaining a complete, accessible record of the model lifecycle is central to effective governance and regulatory compliance.
To ensure lifecycle documentation meets SR 11-7 expectations:
Record model purpose, assumptions, design choices, and data sources.
Include detailed validation results, testing methodologies, and rationale for conclusions.
Track approval decisions, including sign-offs, risk tiering, and governance checkpoints.
Maintain logs of post-deployment changes, performance monitoring results, and incidents.
Use version control to preserve history and demonstrate how models evolve.
Make all documentation accessible to relevant stakeholders during reviews or audits.
Meeting SR 11-7 documentation expectations is simplified by employing a model governance platform that logs model activity over time. It should capture key decisions, record changes, and store evidence of how each model has been reviewed. These logs make it easier to support internal oversight and respond to regulatory requests without assembling information from multiple sources.

Apply SR 11-7 to AI Models with Confidence
SR 11-7 remains the most widely applied standard for managing model risk in regulated financial institutions. While initially developed for traditional models, its structure has proven adaptable to modern ML/AI/GenAI systems. Institutions that understand how to apply it can reduce operational risk, improve oversight, and move models into production with greater control.
Citrusˣ is the AI and LLM validation and risk management platform built for regulated environments. It tests performance under real-world conditions, monitors for risk signals, and generates documentation that aligns with SR 11-7. It gives institutions a direct path to compliance without delaying deployment.
To see how Citrusˣ can help your organization stay ahead of regulatory expectations, request a demo today.
