Rethinking model risk management as AI reshapes banking

AI is quickly becoming an everyday part of banking, as new models promise sharper predictions and faster analysis. Credit scoring, pricing, fraud detection, and customer decisions are increasingly driven by models that learn from data and adapt to new patterns. 

Supervisors have followed this shift closely. The EU AI Act, along with existing expectations set by the ECB, PRA, and Federal Reserve, makes one point clear: AI needs governance that is traceable, explainable, and consistent.

AI can automate parts of model risk work and improve validation efficiency. At the same time, AI models themselves are harder to test, explain and monitor, or can behave in ways that are harder to explain. That behaviour needs to be understood and monitored.

As banks accelerate the adoption of AI and machine learning, they face a growing need for structured oversight of algorithmic decision-making. The goal is not to build new governance structures for AI. It is to apply the discipline that already works.

Opportunities and risks

AI represents a clear opportunity for validation units. As a powerful tool for simplifying or automating certain validation or model risk tasks, it can make these processes more efficient and robust.

At the same time, there is a new challenge for validation functions: to design and implement new techniques to validate AI-based models, as traditional validation approaches may no longer perform adequately.

The EU AI Act introduces new compliance obligations, including the identification and governance of high-risk AI systems. While these go beyond traditional MRM requirements, they do not necessarily require a separate framework. With thoughtful adaptation, banks can address AI risks using MRM structures they already have.

Adapting MRM to AI risk management

Most of the foundations of MRM translate well to AI. Governance, validation, monitoring and documentation are already central to model oversight. The task now is to extend these practices to reflect the specific behaviours and risks of AI models.

1. Shared principles: Both MRM and AI governance rely on transparency, explainability, and traceability. The model inventory concept extends naturally to an AI model registry, capturing use cases, risk tiers, data sources, and explainability scores. Core validation principles remain: conceptual soundness, data quality, and performance testing.
2. Proportionate oversight: Just as MRM applies risk-based tiering, AI models can be categorised by criticality, data sensitivity, and business impact. This ensures that high-risk algorithms (such as credit decisioning or pricing) receive deeper validation and continuous monitoring, while lower-risk models follow streamlined review.
3. Continuous monitoring and explainability: Existing MRM monitoring tools can be expanded to include AI-specific metrics such as data drift, bias detection, or feature importance tracking. Dashboards used for model performance reporting can integrate explainability indicators and ethical compliance checks aligned with the EU AI Act.
4. Integrated governance: AI governance committees can operate under the umbrella of the Model Risk Committee, ensuring consistency in policy, documentation, and issue remediation. This integration avoids fragmentation and reinforces the message that AI risk is model risk, subject to the same scrutiny and accountability.

By leveraging established MRM frameworks, banks can meet new AI regulatory requirements with minimal duplication, ensuring that innovation and control evolve in tandem.

The path forward

AI changes how models behave and how they should be validated, but it does not change the core purpose of MRM: ensuring that models used to guide decisions are sound, explainable and well-controlled. Banks that adapt their existing frameworks can meet the requirements of the EU AI Act and other emerging regulations while providing validation teams with the tools they need to assess more complex models.

The institutions that will move ahead are those that treat AI as an extension of their model landscape, not a separate discipline, and use their established MRM strengths to support safe, scalable innovation.