Consulting · Data & AI

Independent model validation & regulatory-ready model risk

6,898 words31 min read

Independent model validation, AI audit, and enterprise AI governance aligned to SR 11-7, the EU AI Act, and NIST AI RMF - reducing regulatory risk while accelerating trusted AI adoption.

1Uninventoried2Validated3Governed4Monitored5AssuredGravitas Model Risk FrameworkFrom current state to a governed, real-time capability
The problem

What's at stake

Regulated enterprises must demonstrate that their models are sound, validated, and controlled. As AI adoption accelerates, model risk extends beyond traditional quantitative models to machine-learning and generative systems - expanding a perimeter many teams cannot yet cover.

Business impact

Why it matters

Rigorous model risk management satisfies examiners and internal audit, prevents costly model failures, and lets the business adopt AI without accumulating unmanaged risk.

The deeper problem is that models have proliferated faster than the discipline to govern them. In many institutions models are spread across teams, not fully inventoried, and validated, if at all, at a single point in time. As machine-learning and generative models enter decision-making, the population grows more complex and harder to explain, while the framework meant to control it lags behind.

That gap is where loss and regulatory findings originate. A model that was validated once can drift out of correctness unnoticed, an unvalidated model can carry risk no one has priced, and AI models can sit entirely outside the perimeter of governance. The exposure is invisible until it materialises, which is exactly why a continuous, evidenced capability matters.

Context

Why this matters now

Two forces are reshaping model risk at once. Machine-learning and generative-AI models are entering decision-making, and they are harder to explain and quicker to drift than the traditional models frameworks were designed for. At the same time, AI regulation is layering new expectations on top of long-standing prudential ones like SR 11-7 and OCC 2011-12.

The result is that point-in-time validation is no longer sufficient. Regulators and boards expect models to be inventoried, risk-tiered, governed across their life and monitored in production, with evidence to match. Building that capability is the purpose of this practice.

Our point of view

How we see this

Our point of view on model risk is that validation and management are not the same thing. A model validated at a point in time can still fail in production as conditions change, so the discipline that actually controls risk is lifecycle governance and ongoing monitoring, not a periodic tick in a box. Point-in-time validation on its own gives a false sense of comfort.

We also argue that AI and machine-learning models belong squarely inside the framework. They carry model risk too, and they now sit under both prudential and AI regulation, so leaving them outside governance is a fast-growing and increasingly visible exposure. The same tiering, validation and monitoring disciplines apply, adapted to how these models behave.

Finally, we treat independence as structural, not aspirational. Validation by the people who built a model is not validation, and independence that depends on goodwill erodes under delivery pressure. Setting the function up so independence is built into how it operates is what keeps the assurance credible when it matters most.

Our approach

How we work

Practitioner-led and vendor-neutral. We assess conceptual soundness, data and assumptions, performance, and implementation, and document findings to the standard reviewers expect - as a project or as ongoing MRM-as-a-Service.

In practice we begin by building a complete, risk-tiered inventory, because you cannot manage risk you cannot see, then strengthen independent validation and extend control across the model lifecycle. We add monitoring so degradation is caught in production, and we bring AI and machine-learning models into the same framework rather than leaving them outside it.

The throughline is that model risk is continuous, not episodic. A model validated once and never monitored can fail silently as conditions change, so the discipline that actually protects the institution is lifecycle governance and monitoring, evidenced in a way the board can rely on.

Our framework

Gravitas Model Risk Framework

Model risk is often managed as a validation checklist rather than a lifecycle capability. We use a five-stage framework to show sponsors whether the organisation can identify, validate, monitor and govern its models across their whole life, aligned to SR 11-7, OCC 2011-12 and the emerging AI standards, so the board can rely on the numbers models produce.

1UninventoriedModels unknown, unmanagedMost firms start here2ValidatedPoint-in-time checks3GovernedLifecycle controls4MonitoredOngoing drift detection5AssuredBoard-level confidence

Many institutions sit at Validated: models are checked at a point in time but not governed across their life or monitored for degradation. The value of an engagement is moving model risk from episodic validation to a continuous, assured capability.

Level 1 of 5

Uninventoried

Where the business is Models are spread across teams and not fully known. There is no single inventory, so the organisation cannot see its own model risk. For a sponsor, the practical signal is how much manual effort and disagreement surrounds the work at this point, and how much of it depends on a few individuals rather than a repeatable capability.

What it costs The exposure is invisible until it materialises, in a loss or an audit finding, and key-person dependency is high. Left unaddressed, this is the kind of cost that does not appear as a line item but shows up as slower decisions, avoidable rework and risk that is only priced once it materialises.

What we do We build a complete model inventory and risk-tier it, so scrutiny can scale with materiality rather than treating every model alike. We do this in a contained, evidenced way, with an agreed output, so the move to the next stage is something the business can see and fund with confidence rather than take on trust.

What good looks like In practice, a sponsor can recognise this stage by the amount of manual effort and disagreement around the numbers; the goal of the first move is to make that pain visible and bounded rather than pervasive.

Looks likecurrent realityCostwhat it drags onWe dohow we move you up
Level 2 of 5

Validated

Where the business is Models are validated at a point in time, but not governed across their life or monitored once in production. For a sponsor, the practical signal is how much manual effort and disagreement surrounds the work at this point, and how much of it depends on a few individuals rather than a repeatable capability.

What it costs A validated model can still fail as conditions change, so point-in-time checks give false comfort without lifecycle control. Left unaddressed, this is the kind of cost that does not appear as a line item but shows up as slower decisions, avoidable rework and risk that is only priced once it materialises.

What we do We strengthen independent validation and put lifecycle governance in place across development, approval, change and retirement. We do this in a contained, evidenced way, with an agreed output, so the move to the next stage is something the business can see and fund with confidence rather than take on trust.

What good looks like The tell-tale sign of this stage is that things look better on the surface while the underlying capability is still thin; our work here is about turning apparent order into real, evidenced control.

RealityCostOur moveNextstageValidated
Level 3 of 5

Governed

Where the business is Controls span the model lifecycle. Development, change and retirement are governed, not just the initial sign-off. For a sponsor, the practical signal is how much manual effort and disagreement surrounds the work at this point, and how much of it depends on a few individuals rather than a repeatable capability.

What it costs The gap now is production: a governed model can still degrade silently without monitoring. Left unaddressed, this is the kind of cost that does not appear as a line item but shows up as slower decisions, avoidable rework and risk that is only priced once it materialises.

What we do We add ongoing monitoring for drift and degradation, so a failing model is caught early rather than in a loss. We do this in a contained, evidenced way, with an agreed output, so the move to the next stage is something the business can see and fund with confidence rather than take on trust.

What good looks like At this stage the organisation has earned genuine trust in its foundation, and the conversation shifts from fixing problems to unlocking speed, efficiency and readiness for what comes next.

Looks likecurrent realityCostwhat it drags onWe dohow we move you up
Level 4 of 5

Monitored

Where the business is Models are monitored in production for drift and degradation. Problems surface early, and the framework covers AI and machine-learning models too. For a sponsor, the practical signal is how much manual effort and disagreement surrounds the work at this point, and how much of it depends on a few individuals rather than a repeatable capability.

What it costs Firms that stop here have strong control but may not yet give the board the summarised, evidenced assurance it needs. Left unaddressed, this is the kind of cost that does not appear as a line item but shows up as slower decisions, avoidable rework and risk that is only priced once it materialises.

What we do We build board and regulator-ready reporting so leadership can attest to model risk with evidence, including for AI models. We do this in a contained, evidenced way, with an agreed output, so the move to the next stage is something the business can see and fund with confidence rather than take on trust.

What good looks like Reaching this stage changes how the business feels day to day: decisions rest on current information, surprises are rarer, and effort moves from keeping the lights on to creating advantage.

RealityCostOur moveNextstageMonitored
Level 5 of 5

Assured

Where the business is The board has evidenced confidence in the organisation's models. Model risk is a continuous, assured capability across traditional and AI models. For a sponsor, the practical signal is how much manual effort and disagreement surrounds the work at this point, and how much of it depends on a few individuals rather than a repeatable capability.

What it costs This is what lets leadership rely on model outputs and sponsor further use, knowing the risk is genuinely controlled. Left unaddressed, this is the kind of cost that does not appear as a line item but shows up as slower decisions, avoidable rework and risk that is only priced once it materialises.

What we do We keep the framework current as models and regulation evolve, so assurance holds over time rather than lapsing. We do this in a contained, evidenced way, with an agreed output, so the move to the next stage is something the business can see and fund with confidence rather than take on trust.

What good looks like This final stage is less a destination than a standing capability; the work here is to keep it current as conditions, regulation and the estate evolve, so the gains hold rather than decay.

Looks likecurrent realityCostwhat it drags onWe dohow we move you up
Proprietary frameworks

The Gravitas framework family

Our work is built on a family of named, reusable methodologies we have developed across data, AI, cloud, governance and trading engagements. Each is a structured asset a client can recognise, reuse in its own proposals and board papers, and return to as the programme matures. The full family is below, with the assets most relevant to this practice highlighted.

Gravitas Enterprise Data Operating Model

Applied here

Our reference operating model for running data as an enterprise capability: the bands, roles and controls that connect strategy to delivery to foundation.

Gravitas AI Governance Framework

Applied here

A structured path from AI used-but-ungoverned to board-level assurance, mapped to the EU AI Act, NIST AI RMF and ISO 42001 and 23894.

Gravitas Trading Transformation Model

The five-stage model we use to move a trading business from fragmented spreadsheets to a governed, real-time, intelligent capability.

Gravitas Data Platform Reference Architecture

A vendor-neutral target-state architecture for a governed, cost-controlled, AI-ready data platform, from sources through to consumption.

Gravitas Governance Capability Index

Applied here

A capability index and heatmap for scoring where an organisation stands across data, AI, cloud and control, and where to invest next.

Gravitas Transformation Roadmap

A horizon-based roadmap format that sequences change into fundable, reversible slices tied to business outcomes.

Capability heatmap

Gravitas Governance Capability Index

An executive heatmap of where organisations typically stand at the outset, scoring coverage across the capabilities that matter so investment can target the gaps.

InventoryValidationMonitoringAssuranceCredit modelsMarket modelsMachine learningGenerative AICoverage:NoneBasicStrongLeading
Methodology

A delivery path built around outcomes

01

Inventory

Model inventory and risk tiering across the enterprise.

02

Validate

Independent validation: soundness, data, performance, implementation.

03

Monitor

Ongoing monitoring for drift and degradation.

04

Assure

Documentation, audit readiness, and regulatory reporting.

Our delivery path is deliberately staged so a sponsor always knows what is being done, why, and what it produces. Each phase has a clear purpose and a tangible output, and value is proven before scope widens. The phases below are how a typical engagement unfolds.

Inventory. Model inventory and risk tiering across the enterprise. This phase is scoped and time-boxed, with an agreed output, so it moves the engagement forward on evidence rather than open-ended effort.

Validate. Independent validation: soundness, data, performance, implementation. This phase is scoped and time-boxed, with an agreed output, so it moves the engagement forward on evidence rather than open-ended effort.

Monitor. Ongoing monitoring for drift and degradation. This phase is scoped and time-boxed, with an agreed output, so it moves the engagement forward on evidence rather than open-ended effort.

Assure. Documentation, audit readiness, and regulatory reporting. This phase is scoped and time-boxed, with an agreed output, so it moves the engagement forward on evidence rather than open-ended effort.

Operating model

Gravitas Enterprise Data Operating Model

How the capability runs end to end, from strategy and accountability at the top through governance and delivery to the cloud, data and security foundation.

Gravitas Enterprise Data Operating ModelStrategy and accountabilityModel riskstrategyBoard oversightRisk appetiteGovernance and controlPolicy andstandardsOwnership andstewardshipQuality andlineageRisk andcomplianceDelivery and platformArchitectureEngineeringIntegrationOperationsFoundationCloudSecurityDataFinOps
Principles

The principles behind our work

We treat model risk as a lifecycle capability, not a point-in-time validation, governing models from development through change, monitoring and retirement.

We tier by materiality so rigour lands where it matters, and we insist on genuine independence in validation, because validation by the builder is not validation.

We bring AI and machine-learning models into the same framework, aligned to both prudential expectations and emerging AI regulation, so nothing material sits outside governance.

Capabilities

Six capability themes for the sponsor

We group model risk work into six themes leadership can weigh, aligned to regulatory expectation rather than a validation checklist alone.

InventoryIndependentvalidationLifecyclegovernanceOngoingmonitoringAIReportingCapabilities

Inventory and risk tiering

A complete model inventory, risk-tiered so scrutiny scales with materiality rather than treating every model alike. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

Independent validation

Rigorous, independent validation of conceptual soundness, data, implementation and outcomes, aligned to SR 11-7 and OCC 2011-12. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

Lifecycle governance

Controls across development, approval, change and retirement, so a model is governed for its whole life, not just at sign-off. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

Ongoing monitoring

Monitoring for drift, degradation and changing conditions, so a model that has quietly stopped working is caught early. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

AI and machine-learning risk

Extending model risk to AI and machine-learning models, aligned to the EU AI Act, NIST AI RMF and ISO 42001 and 23894. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

Reporting and assurance

Board and regulator-ready reporting so leadership can attest to model risk with evidence rather than assertion. Done well, this means models are governed across their life and monitored in production, so failures are caught early rather than in a loss.

Inventory and risk tiering is the starting point, because you cannot manage risk you cannot see. We build a complete model inventory and tier it by materiality, so scrutiny scales with impact rather than treating every model alike. This is the single most effective step from invisible exposure to managed risk.

We keep the inventory live and tiered, because an accurate, current inventory is the precondition for directing validation and monitoring effort where materiality actually is.

Independent validation is where credibility lives. We validate conceptual soundness, data, implementation and outcomes independently, aligned to SR 11-7 and OCC 2011-12, because validation by the team that built the model is not validation. Genuine independence is what makes the assurance believable.

We protect the independence of validation structurally, because independence that depends on goodwill rather than on how the function is set up will erode under delivery pressure.

Lifecycle governance extends control beyond sign-off. We govern development, approval, change and retirement, so a model is controlled for its whole life, not just at the moment it is first approved. This closes the gap where a validated model quietly drifts out of correctness.

We govern change explicitly, since a model that is altered without controlled re-validation is a common and avoidable source of production failure.

Ongoing monitoring catches silent failure. We monitor for drift, degradation and changing conditions, so a model that has stopped working is caught early rather than in a loss or an audit finding. This is the difference between point-in-time comfort and continuous control.

We calibrate monitoring to each model's risk and behaviour, so drift is caught early without drowning the team in false alarms that get ignored.

AI and machine-learning risk brings the newest models into scope. We extend the framework to AI and machine-learning models, aligned to the EU AI Act, NIST AI RMF and ISO 42001 and 23894, so nothing material sits outside governance. As these models enter decision-making, leaving them out is a growing exposure.

We extend the same discipline to AI models rather than treating them as a separate, lighter category, because regulators increasingly do not, and neither should the institution.

Reporting and assurance closes the loop to the board. We build reporting that lets leadership attest to model risk with evidence rather than assertion, across both traditional and AI models. This is what makes it safe to rely on model outputs and to sponsor further use.

We tailor assurance reporting to what the board must attest, so model risk is a decision-grade summary rather than an unreadable technical appendix.

See the detailed capabilities within these themes
  • Model Risk Strategy & Framework. A model risk management framework calibrated to your regulatory context and model portfolio - governance structure, roles, risk appetite, and the policies and standards that operationalize it.
  • Model Inventory. A complete, defensible inventory of every model and AI system in the enterprise - the foundational control that no governance program can function without.
  • Model Tiering & Risk Classification. Risk-based tiering that concentrates validation and oversight where exposure is greatest, proportionate to materiality, complexity, and regulatory sensitivity.
  • Policies & Standards. Model risk policies, validation standards, and development guidelines that translate regulatory principles into enforceable, auditable enterprise controls.
  • Independent Model Validation. Effective-challenge validation performed independently of model development - conceptual soundness, data, implementation, and outcomes, documented to regulatory standard.
  • Model Testing & Benchmarking. Rigorous testing against benchmarks and challenger models to establish that a model performs as intended and outperforms credible alternatives.
  • Stress Testing & Sensitivity Analysis. Assessment of model behavior under stressed conditions and input perturbations, exposing fragility before it manifests in production.
  • Backtesting. Systematic comparison of model predictions against realized outcomes to quantify accuracy, calibration, and performance over time.
  • Performance Monitoring & Drift. Ongoing monitoring of model performance, data drift, and concept drift, with thresholds and alerts so degradation is detected before it affects decisions.
  • Bias Detection & Fairness. Quantitative fairness assessment across protected groups using established metrics and tooling, identifying and remediating discriminatory model behavior.
  • Explainability. Model explainability using SHAP, LIME, and appropriate techniques, so that decisions can be understood, challenged, and defended to regulators and customers.
  • Model Documentation. Documentation that meets regulatory expectations - development, assumptions, limitations, validation, and monitoring - produced efficiently and kept current.
  • Approval Workflow. Governed approval and change-control workflows that record who approved what, on what evidence, creating the audit trail regulators expect.
  • Periodic Reviews & Revalidation. Scheduled and triggered revalidation that keeps model risk assessments current as data, usage, and conditions evolve.
  • Retirement Strategy. Controlled model retirement and decommissioning, with archival that preserves the evidence trail for regulatory and audit purposes.
  • Audit Readiness & Regulatory Reporting. Preparation for supervisory examination and internal audit, with reporting that evidences a functioning control framework to regulators and boards.
  • AI Governance. Enterprise AI governance operating models that extend model risk discipline to the full population of AI systems, aligned to the EU AI Act and NIST AI RMF.
  • GenAI & LLM Governance. Controls purpose-built for generative AI and large language models - evaluation, guardrails, retrieval governance, and human oversight for non-deterministic systems.
  • Third-Party Model Reviews. Independent assessment of vendor models, foundation models, and embedded AI, addressing the transparency and concentration risks of models you did not build.
  • Managed MRM. Ongoing model risk management delivered as a service - validation capacity, monitoring, and governance operation under clear service levels.
Capability map

The capabilities we deliver, mapped

A capability map grouping the work into the domains a sponsor can reason about, each expandable into detailed workstreams.

InventoryModel inventoryRisk tieringMaterialityValidateConceptual soundnessData andimplementationOutcomesGovernDevelopmentChangeRetirementAssureMonitoringAI modelriskReporting
Reference architecture

Gravitas Data Platform Reference Architecture

A vendor-neutral target-state architecture, from sources at the base through ingestion and platform to the consumers at the top, with data and control flowing upward.

Data and control flow upward through the stackModel estateTraditional modelsMachine learningGenerative AIValidationIndependent reviewData and implementationOutcomesLifecycleDevelopmentChangeRetirementAssuranceMonitoringReportingBoard attestation
Outcomes

What changes for the business

The first change is control across the lifecycle: models are governed from development through change and retirement, so a validated model does not quietly fail in production unnoticed.

The second is proportion: risk tiering focuses effort where materiality is highest, making the framework both credible and affordable.

The third is assurance: with monitoring and evidence in place, the board can attest to model risk, including for AI models, with confidence rather than hope.

Together, these shifts move model risk from episodic validation to a continuous, assured capability, so the institution can rely on its models, including AI models, with evidence rather than hope.

Evidence

Results our engagements target

continuous
model risk capability replacing point-in-time checks at a global bank
AI in scope
machine-learning and generative models brought into the same governed framework
drift caught early
degradation surfaced by monitoring that periodic validation had missed at an insurer

Anonymized, representative outcomes. Actual results depend on scope, data quality and starting maturity.

Case studies

Anonymized engagements, structured for the sponsor

Global bankBanking

Challenge A growing model population, including machine-learning models, was validated only at points in time.

Approach We built a risk-tiered inventory, strengthened independent validation, and added lifecycle monitoring.

Outcome Model risk became a continuous capability that satisfied regulators and gave the board evidenced assurance.

Multinational insurerInsurance

Challenge Machine-learning models sat outside the traditional model risk framework as regulation tightened.

Approach We extended the framework to AI and machine-learning models, mapping controls to SR 11-7 and the EU AI Act, and added drift monitoring.

Outcome Degradation that periodic validation had missed was caught early, and AI models were brought inside the governed perimeter.

Asset managerAsset management

Challenge Models were spread across teams with uneven control and high key-person dependency.

Approach We established a single inventory and independent validation.

Outcome Key-person dependency fell and leadership gained a clear, current view of where model risk actually sat.

The business case

How the investment pays back

The sponsor's return is risk reduction that is both real and demonstrable. Governing models across their life and monitoring them in production catches failures early, before they become losses or audit findings, and independent validation removes the false comfort of point-in-time checks. Risk tiering keeps the effort proportionate to materiality.

Bringing AI and machine-learning models into the same framework closes a fast-growing exposure under both prudential and AI regulation. We size the programme to your model population and regulatory context, so the investment matches the risk, and the board gains assurance it can actually rely on.

Decision framework

A decision framework for sponsors

A simple decision aid for the choice this practice most often turns on, so leadership can see the recommended path for their situation.

How mature is ourmodel risk capability?IFmodels not fully inventoriedTHENBuild a risk-tiered inventoryIFvalidation is point-in-timeTHENAdd lifecycle governanceIFAI models sit outside scopeTHENExtend the framework to AI
Executive insight

Board considerations

Why validation alone is not model risk management.

Govern the lifecycle

A validated model can still fail in production as conditions change. Governance across development, change, monitoring and retirement is what actually controls model risk. In our experience this is the decision sponsors most often wish they had made earlier, because getting it wrong is expensive to unwind.

Tier by materiality

Applying the same rigour to every model wastes effort and under-controls the material ones. Risk tiering aligns scrutiny with impact. Treating it as a first-class principle rather than an afterthought is what separates programmes that hold up from those that quietly unravel.

Monitor for drift

Models degrade silently. Ongoing monitoring is the difference between catching a failing model early and discovering it in a loss or an audit finding. It is a small discipline that compounds, protecting both the budget and the credibility of the whole effort.

Bring AI into scope

Machine-learning and AI models carry model risk too, now under both prudential and AI regulation. Leaving them outside the framework is a growing exposure. Boards that insist on this find the rest of the programme easier to govern and far easier to defend.

Independence is non-negotiable

Validation by the team that built the model is not validation. Genuine independence is what makes the assurance credible. It is the difference between a capability that lasts and one that looks impressive at launch and decays soon after.

What to avoid

Common pitfalls we help you avoid

The failure modes we see most often in this work, and design engagements specifically to prevent.

  • Relying on point-in-time validation and treating a validated model as controlled for its whole life.
  • Applying uniform rigour to every model, so effort is misallocated relative to materiality.
  • Leaving AI and machine-learning models outside the framework as the population grows and regulation tightens.
  • Allowing validation to be performed by those close to the build, which undermines the credibility of the assurance.
The intersection

An integrated capability, not a single specialism

Most firms can claim expertise in one or two of these areas. Our differentiator is the intersection: we bring enterprise data architecture, governance, AI, cloud, deep regulated-industry knowledge and practitioner-grade ETRM expertise together as a single integrated capability, rather than handing a problem between separate specialists who never meet. That combination is uncommon, and it is why the pieces of an engagement are designed to fit.

Enterprise dataarchitectureGovernanceAICloudRegulatedindustriesETRM andtradingIntegrated consultingcapability

Model risk now spans traditional models, machine learning and generative AI, and doing it well requires model risk discipline, AI governance, governed data and the regulatory context of the institution together. Treating AI models as a separate, lighter category, or validating models without the data and governance around them, is where exposure hides. We bring these disciplines together.

For the sponsor, validation, controls, monitoring and the data models depend on reinforce each other, and one partner is accountable for a model risk capability that covers both traditional and AI models with evidence the board can rely on.

Differentiation

Why Durga Analytics

Large firms bring validators who leave; software vendors sell inventory tools that assume the governance exists; internal teams struggle to stay independent and current. We bring practitioners who make model risk a lifecycle capability, and three things that requires.

Practitioner-led delivery

We have built, validated and monitored models in regulated settings, so our framework reflects how model risk actually behaves in production, not just on paper. That means fewer surprises at the hard moments, because the people advising you have lived through them, and a design that reflects operational reality rather than an idealised diagram.

Vendor neutrality

We are not selling a model-risk platform. We strengthen the capability on the tools you run, adding tooling only where a genuine gap exists. It also means you can trust the recommendation itself, because it carries no hidden incentive, and you keep the leverage that comes from not being tied to one vendor's roadmap.

Integrated model, AI and data risk

Model risk, AI governance and data quality sit together, so validation, controls and the data models depend on reinforce each other. Because these disciplines sit in one team rather than being handed between separate specialists, the pieces are designed to fit, and you deal with one accountable partner rather than a committee of vendors.

Where it applies

Across your sector and estate

Model risk management is central for banks, insurers and asset managers under SR 11-7, OCC 2011-12 and equivalent regimes, and increasingly relevant for any organisation relying on consequential models, including AI. The maturity framework applies across them.

The regulatory overlay and model population differ by institution, so we tailor tiering, validation depth and reporting accordingly, while the path from uninventoried to assured stays constant.

Risk management

Risks we manage for you

Sponsors rightly worry about the ways engagements like this go wrong, so we manage the common risks explicitly rather than leaving them to chance. Scope creep is contained by delivering in fixed, valuable slices with agreed success measures, so the programme cannot quietly expand without a decision. Delivery risk is reduced by proving value early on a contained scope before widening, so problems surface while they are small and reversible.

Key-person and knowledge risk is addressed by working alongside your teams and leaving documented, operable artifacts, so the capability does not walk out of the door when we do. Vendor and lock-in risk is managed by staying neutral and designing for the platforms that fit your constraints, so you keep leverage. And the risk of governance or controls decaying after go-live is handled by building them into daily work and, where useful, continuing in a co-managed role so the gains hold.

Transformation roadmap

A horizon-based transformation roadmap

How we sequence the change into fundable, reversible horizons, each delivering value before the next is committed.

0-3 monthsInventoryModel inventoryRisk tiering3-9 monthsGovernIndependent validationLifecycle controls9-18 monthsAssureMonitoring andAI modelsBoard reporting
Working with us

How we engage

Engagements typically begin with a focused discovery and blueprint, a short, fixed-scope phase that baselines the current state, agrees the target and the success measures, and produces a prioritised roadmap a sponsor can fund with confidence.

From there we deliver in thin, end-to-end slices rather than a single monolithic programme, proving value early on a contained scope before widening. This keeps risk visible and reversible and gives leadership real results to point to at each step.

We work alongside your teams throughout rather than in a separate room, so knowledge transfers as we go and the capability we build is one your people can own and extend. Where it helps, we can continue in a co-managed or managed role after the initial build so the gains hold.

For the sponsor

Questions sponsors ask us

Sponsors who fund this work, rather than run it, tend to ask the same handful of questions. Here is how we answer them, in plain terms.

Deliverables

What you receive

Whatever the engagement, you are left with tangible artifacts rather than a set of recommendations to implement yourself. The deliverables below are working outputs your teams can use and extend, not a slide deck that gathers dust.

Each is designed to be durable: documented, owned and operational, so the value of the engagement outlives it and the capability keeps running once we step back.

  • Model inventory & tiering
  • Independent validation reports
  • Model monitoring framework
  • Bias, fairness & explainability assessment
  • Audit-readiness documentation
  • MRM-as-a-Service operating model

Model inventory

A complete, risk-tiered model inventory covering traditional and AI models.

Validation framework

An independent validation framework aligned to SR 11-7 and OCC 2011-12, with worked validations.

Lifecycle governance

Controls across development, change, monitoring and retirement, with monitoring for drift.

Assurance reporting

Board and regulator-ready reporting so leadership can attest to model risk with evidence.

Technology

Tools & platforms

SR 11-7 · OCC 2011-12EU AI Act · NIST AI RMFISO 42001 · 23894Explainability & bias toolingModel registriesLLM/GenAI evaluation
Industries

Where we deliver

BankingInsuranceCapital MarketsFintechPublic SectorHealthcare
Plain language

Key terms, briefly

A short glossary for sponsors and stakeholders who fund this work without needing to live in the detail.

Model risk

The risk that a model is wrong or misused, leading to poor decisions or losses; managing it is a regulatory expectation for many institutions.

Independent validation

Checking a model by people other than those who built it, which is what makes the assurance credible.

SR 11-7 / OCC 2011-12

The principal supervisory guidance on model risk management that many institutions are expected to follow.

Drift monitoring

Watching a model in production for signs it has stopped working, so failures are caught early rather than in a loss.

Further reading

Independent thought leadership

Our guides, board papers and outlooks sit alongside this practice, drawing on the same integrated capability.

FAQ

Frequently asked questions

Which frameworks do you align to?

SR 11-7 and OCC 2011-12 for model risk, and the EU AI Act, NIST AI RMF, and ISO 42001/23894 for AI governance.

Do you validate machine-learning and GenAI models?

Yes. Our framework covers traditional quantitative models as well as machine-learning and generative systems.

Can you provide ongoing validation?

Yes. MRM-as-a-Service embeds ongoing validation and monitoring into operations rather than one-off reviews.

Is validating our models not enough on its own?

No. A validated model can still fail in production as conditions change, so lifecycle governance and ongoing monitoring are what actually control the risk. Point-in-time validation alone gives a false sense of comfort.

How do we handle AI and machine-learning models?

By bringing them into the same framework, aligned to both prudential expectations and emerging AI regulation. These models carry model risk too, and leaving them outside governance is a fast-growing and increasingly visible exposure.

How do you keep validation independent?

By structuring the function so independence is built into how it operates rather than depending on goodwill, which is what keeps it credible under delivery pressure. Independence by intention erodes; independence by design holds.

What does the board actually receive?

A decision-grade, evidenced view of model risk across traditional and AI models, so leadership can attest with confidence rather than rely on point-in-time assurances that may already be out of date.

How do we keep effort proportionate?

Through risk tiering by materiality, so the deepest scrutiny lands on the models that matter most and lighter-touch controls suffice elsewhere. This makes the framework both credible and affordable.

What is model validation?

Model validation is the set of processes and activities that verify a model works as intended, is appropriate for its purpose, and is subject to effective challenge. It examines conceptual soundness, data and inputs, implementation, and outcomes, and produces documented evidence that the model is fit for use - or identifies the conditions and limitations under which it is.

What is independent model validation?

Independent model validation is validation performed by parties who are organizationally and functionally independent of the model's development. Independence is essential because a review conducted or unduly influenced by the developers cannot deliver genuine effective challenge. Supervisory guidance such as SR 11-7 treats independence as a defining requirement of credible validation.

What is effective challenge?

Effective challenge is critical analysis of a model by objective, competent, and appropriately empowered reviewers who actively probe its assumptions, data, methodology, and outcomes. It is the substance behind independent validation: not confirming that a model was built, but rigorously testing whether it should be trusted.

What are the four pillars of model validation?

The four pillars are conceptual soundness (is the methodology appropriate?), data and inputs (is the data fit for purpose?), implementation and process (does the built system match the design?), and outcomes analysis (does it perform, as evidenced by benchmarking, backtesting, and stress testing?). A complete validation addresses all four.

How often should models be revalidated?

Revalidation frequency is risk-based, driven by model tier, materiality, and stability. High-risk models are typically revalidated annually and whenever a material trigger occurs - significant performance change, data shift, or change in use. Lower-risk models are revalidated less frequently. The schedule should be defined in policy and enforced through governance.

What triggers an out-of-cycle model revalidation?

Common triggers include material deterioration in monitored performance, significant data or population drift, a change in the model's use or materiality, discovery of a defect, a change in the regulatory environment, or a major change to the model itself. A robust program defines these triggers explicitly so revalidation is not left to discretion.

What is a model validation report?

A model validation report is the documented output of the validation process. It records scope, the assessment against each validation pillar, findings rated by severity, the validator's overall conclusion, and required remediation. It is a primary piece of evidence in supervisory examination and must be produced to a standard that withstands scrutiny.

How do you validate a machine learning model?

ML validation applies the same four pillars but adapts the techniques: assessing training-data representativeness and leakage, evaluating feature engineering, testing generalization and overfitting, examining fairness across groups, and establishing explainability. Outcomes analysis relies on holdout and out-of-time testing, benchmarking against challengers, and ongoing monitoring for drift.

Can you validate models your firm did not build?

Yes - independent validation of models built by others is precisely our role. As an external, vendor-neutral party we bring the independence and quantitative depth that effective challenge requires, whether the model was built in-house, by another consultancy, or by a third-party vendor.

What is AI governance?

AI governance is the framework of policies, controls, roles, and processes through which an enterprise directs and oversees its use of AI so that AI systems are trustworthy, compliant, and aligned with organizational objectives and risk appetite. It extends model risk discipline to the full population of AI systems, including those outside traditional model definitions.

Model Risk Management for your organization

Scope an engagement with a senior practitioner.