Gone are the days of treating model risk management as a checkbox exercise. On April 17, 2026, federal regulators, including the Federal Reserve, FDIC, and OCC, overhauled existing guidance and replaced SR 11-7 and related issuances with a framework that requires a more integrated and risk-sensitive approach. This is more than just a technical update. This shows that regulators view models as core to banking operations and require the same oversight as credit and market risks.
Moving to principles and risk-based adjustments
The new model risk management framework requires banks to tier model inventories by materiality and apply controls proportionately. Lower-tier models are easier to monitor, but only if the tiering itself is auditable. This requires a unified lifecycle view with clear lineage across each stage, including development, validation, deployment, monitoring, and decommissioning.
The cornerstone of robust risk management, effective challenges require versioned and reproducible challenger models, outcome analysis, and sensitivity testing. Continuously monitoring performance and data drift using thresholds associated with importance is also paramount.
GenAI and Agentic System under MRM
Importantly, this guidance also extends its principles to generative AI and agent systems. Regulators are already scrutinizing LLM-based underwriting assistants, AML triage agents, and customer-facing co-pilots, and treat them by analogy as being within the scope. The core requirements are consistent. In other words, evidence of good governance must be an automatic by-product of how these models are built and managed, rather than an after-the-fact reconstruction.
This requires a platform decision to treat future guidance changes as configuration updates rather than multi-quarter programs. Banks need to move beyond fragmented point solutions and adopt a unified foundation for managing both traditional ML and GenAI.
Databricks MRM Reference Architecture
Databricks offers a reference architecture designed to meet these evolving expectations. It is centered around Unity Catalog for governance, providing an end-to-end lineage graph and a single source of truth for model inventory, ownership, and access. This architecture maps the entire ML lifecycle management to concrete capabilities and ensures that governance evidence is generated organically.
Key governance patterns include tiering of importance as metadata, allowing for rapid updates without rebuilding the platform. Proportionality is enforced through attribute-based access control (ABAC) associated with hierarchical tags, which embeds controls directly into the platform.
For example, the Tier-1 model requires explicit MRM validator approval to facilitate production, forcing dual controls. Lighter monitoring is applied to lower layers with access logs providing an audit trail. This approach streamlines compliance and reduces the burden of regulatory compliance for AI models.
The platform supports mapping each lifecycle stage to expected MRM evidence, from data sourcing and feature engineering to model development, validation, deployment, monitoring, and decommissioning. This ensures that documentation, monitoring, and validation are inherently linked to the production model version.
Ultimately, the new guidance will push banks toward a more integrated, platform-centric approach to model risk management. For both traditional and advanced AI systems, the ability to demonstrate comprehensive governance throughout the model lifecycle is no longer optional.
