Globally, regulatory expectations around model risk management have evolved from traditional model validation frameworks towards broader enterprise-wide governance and responsible AI oversight.
The US established the foundation of modern model risk management (MRM) through SR 11-7 (2011) and remains one of the most influential regulatory frameworks globally. It has recently updated its approach through SR 26-2 (2026), introducing a more risk-based approach on model materiality and ongoing monitoring. Notably, SR 26-2 explicitly excludes generative AI and agentic AI from its scope.
In Europe, supervisory initiatives such as ECB’s target review of internal models (TRIM) has focused on Pillar 1 risk models. The EU AI Act introduces dedicated requirements around AI risk classification, transparency, documentation, and human oversight. Singapore is widely considered one of the earliest regulators to formally address responsible AI in financial services through fairness, ethics, accountability, transparency (FEAT) principles in the use of AI and data analytics. The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been active in discussing AI governance. PRA has also updated its MRM principles for entities in April 2026. However, there was no introduction of new principles for AI-specific chapters. The Central Bank of the UAE (CBUAE) was among the early regulators in the Middle East to establish a comprehensive and enterprise-wide MRM framework through the Model Management Standards (MMS) and accompanying Model Management Guidance (MMG) issued in 2022. Unlike prudential frameworks focused primarily on regulatory risk models, the CBUAE framework applies broadly to models used across banking activities—including credit risk, provisioning, capital assessment, pricing, valuation, and decision-support processes.
In continuation to its endeavours to develop a holistic framework for enterprise-wide MRM practice and cover AI-/ML-driven models, the Reserve Bank of India (RBI) issued draft Guidance on Regulatory Principles for Model Risk Management on 24 June 2026. The said draft circular has made a significant shift in its focus from credit risk models to enterprise-wide risk models. The guidelines also emphasise on entire model architecture rather than policy-level changes, along with heightened focus on emerging risks due to AI/ML and external dependencies.
The RBI draft model risk management guidelines 2026 represent a convergence of these global developments, by combining traditional MRM principles with explicit AI governance requirements. Very few banking regulators globally have brought all of these concepts into a single prudential framework.
The RBI has recognised the growing reliance on AI/ML and the increasing complexity of decision-making tools across banking operations. The broader definition signals a move towards enterprise-wide model governance, requiring institutions to treat model risk as a core risk management discipline rather than limiting it to underwriting, provisioning, or capital models.
The requirement for board approved model risk appetite threshold elevates model risk from a technical validation exercise to a strategic risk management issue which is required to be governed through a formal risk appetite and board oversight.
The RBI expects entities to have a process to sunset model and have end-to-end traceability of the model’s lifecycle—such as a record/change log which will be useful for impact assessments, regulatory purposes, audit, and retrospective assessment of model-driven decisions.
RE should implement the three lines of defence: model owners being the first line of defence, an independent MRM and validation function being the second line of defence, and a robust and independent internal audit function being the third line of defence.
Validation teams reporting into model development teams may no longer be considered sufficient for independent oversight as a clear three-line defence is mandated.
Model inventory shall include active, inactive (including under development), and decommissioned models. Further, a model can be used, relied upon, or deployed only once it has been included in the inventory. Along with the key model details, its dependencies with upstream and downstream models and key observations from validation, monitoring, and audit are to be included as well.
While this may appear to be a small component in the framework, it proves to be a key workstream within the overall implementation roadmap. The larger challenge for institutes would be to identify what constitutes as ‘model’ and further gather the relevant information with respect to their dependencies. However, once the relevant information is collated, it would be a critical foundation for effective model governance.
The model tiering requirements discussed represent the RBI’s move to set model tiering as the foundation of MRMF rather than a mere classification exercise. This has further advocated a risk-based allocation of time and resources rather than a one-size-fits-all framework for the different activities required during the model lifecycle.
REs will further need to review the specialist expertise and decide on enhanced methodologies for validation of AI and ML models. This may in turn establish potential reliance on external subject matter validation experts.
Selection and onboarding of vendors becomes a critical process by determining clear acceptance criteria based on vendor experience, opacity of model, detailed documentation, and suitability of data and methodology.
The principles of MRM apply to AI and ML models. However, their complex nature demands additional consideration:
REs are expected to test behavioural characteristics of AI models under stressed scenarios by considering the following:
The RBI has directed entities to decide on the minimum level of explainability expected from AI models based on their importance in business decisions while also acknowledging that certain AI technologies may not be able to achieve the highest expected levels of transparency. REs can maintain a list of models where explainability is limited or not fully achievable. These may include deep neural networks, large language models (LLMs), vendor black-box AI solutions. Thus, defining thresholds is critical for institutions to ascertain further controls and mitigants.
REs will have to define fairness metrics and establish thresholds for acceptable disparities in model outcomes.
Red teaming is a structured testing process where a team deliberately tries to make an AI model fail, behave incorrectly, generate harmful outputs, or bypass controls to identify weaknesses before real users or attackers do. The RBI recognises that AI models may behave differently under abnormal situations than during normal testing. Therefore, entities should proactively test AI models against these scenarios.
The RBI has emphasised that AI models should not be the sole decision maker but also have a robust human oversight with arrangement for human intervention on need basis. Effective controls should be in place in case of requirement for override or deactivation. Model outputs and decisions should be back tested and reviewed periodically through human intervention.
The RBI has emphasised that AI should support rather than replace humans in decision making. As the scale and complexity of AI models increases, the RE will have to create robust governance on monitoring these models through human oversight, thereby leveraging efficiency gains of the technology through automation while preserving the accuracy and effectiveness of decisions.
The RBI has emphasised that the role of RE is not just limited to deployment of AI models and their validation. Models also require explicit monitoring and controls to define who can access them and what changes can be made. This puts additional responsibilities on the first line of defence—model owners for efficient use of models. At the same time, the third line of defence—auditors—is required to periodically review breaches of access controls and unauthorised changes to the model.
Kuntal Sur
Partner – Financial Services and Treasury Advisory, PwC India
Kuntal Sur Tarun Saraf Tanvi Shirke