Governing models in the AI era

  • Blog
  • 10 minute read
  • July 14, 2026

Globally, regulatory expectations around model risk management have evolved from traditional model validation frameworks towards broader enterprise-wide governance and responsible AI oversight.

The US established the foundation of modern model risk management (MRM) through SR 11-7 (2011) and remains one of the most influential regulatory frameworks globally. It has recently updated its approach through SR 26-2 (2026), introducing a more risk-based approach on model materiality and ongoing monitoring. Notably, SR 26-2 explicitly excludes generative AI and agentic AI from its scope.

In Europe, supervisory initiatives such as ECB’s target review of internal models (TRIM) has focused on Pillar 1 risk models. The EU AI Act introduces dedicated requirements around AI risk classification, transparency, documentation, and human oversight. Singapore is widely considered one of the earliest regulators to formally address responsible AI in financial services through fairness, ethics, accountability, transparency (FEAT) principles in the use of AI and data analytics. The Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA) have been active in discussing AI governance. PRA has also updated its MRM principles for entities in April 2026. However, there was no introduction of new principles for AI-specific chapters. The Central Bank of the UAE (CBUAE) was among the early regulators in the Middle East to establish a comprehensive and enterprise-wide MRM framework through the Model Management Standards (MMS) and accompanying Model Management Guidance (MMG) issued in 2022. Unlike prudential frameworks focused primarily on regulatory risk models, the CBUAE framework applies broadly to models used across banking activities—including credit risk, provisioning, capital assessment, pricing, valuation, and decision-support processes.

In continuation to its endeavours to develop a holistic framework for enterprise-wide MRM practice and cover AI-/ML-driven models, the Reserve Bank of India (RBI) issued draft Guidance on Regulatory Principles for Model Risk Management on 24 June 2026. The said draft circular has made a significant shift in its focus from credit risk models to enterprise-wide risk models. The guidelines also emphasise on entire model architecture rather than policy-level changes, along with heightened focus on emerging risks due to AI/ML and external dependencies.

The RBI draft model risk management guidelines 2026 represent a convergence of these global developments, by combining traditional MRM principles with explicit AI governance requirements. Very few banking regulators globally have brought all of these concepts into a single prudential framework.

What does the updated guidance say—and mean in practice?

What the updated guidance says

  • The guideline shall be applicable to all regulated entities (RE).
  • RBI has explicitly included AI/ML models in MRM Framework (MRMF), along with traditionally defined systems that use mathematical, economic, and financial techniques. 
  • Algorithms, analytics, interfaces, applications, decision-based rules, computational tools which, by virtue of their use, have a material impact on decision-making, should also be classified as models.

Our view

The RBI has recognised the growing reliance on AI/ML and the increasing complexity of decision-making tools across banking operations. The broader definition signals a move towards enterprise-wide model governance, requiring institutions to treat model risk as a core risk management discipline rather than limiting it to underwriting, provisioning, or capital models.

What the updated guidance says

  • The direction focuses on a robust, board-approved MRMF rather than MRM policy.
  • The responsibility of the board is broadened to approve model risk related thresholds for an entity’s risk appetite, tolerance limits, and risk tiering of models.
  • The Risk Management Committee of the Board (RMCB) shall be responsible for review of validation reports of high-risk models, annual review of model tiering, and overseeing model monitoring of critical models—such as those approved with exceptions, third-party models, and models involving AI.
  • The guideline has also focused on aspects such as Business continuity management (BCM) and decommissioning. Details of decommissioned models for a minimum period of ten years from the date of decommissioning.

Our view

The requirement for board approved model risk appetite threshold elevates model risk from a technical validation exercise to a strategic risk management issue which is required to be governed through a formal risk appetite and board oversight.

The RBI expects entities to have a process to sunset model and have end-to-end traceability of the model’s lifecycle—such as a record/change log which will be useful for impact assessments, regulatory purposes, audit, and retrospective assessment of model-driven decisions.

What the updated guidance says

RE should implement the three lines of defence: model owners being the first line of defence, an independent MRM and validation function being the second line of defence, and a robust and independent internal audit function being the third line of defence.

Our view

Validation teams reporting into model development teams may no longer be considered sufficient for independent oversight as a clear three-line defence is mandated.

What the updated guidance says

Model inventory shall include active, inactive (including under development), and decommissioned models. Further, a model can be used, relied upon, or deployed only once it has been included in the inventory. Along with the key model details, its dependencies with upstream and downstream models and key observations from validation, monitoring, and audit are to be included as well.

Our view

While this may appear to be a small component in the framework, it proves to be a key workstream within the overall implementation roadmap. The larger challenge for institutes would be to identify what constitutes as ‘model’ and further gather the relevant information with respect to their dependencies. However, once the relevant information is collated, it would be a critical foundation for effective model governance.

What the updated guidance says

  • Risk-based model tiering is expected to be carried out for all the models and the same shall be approved and reviewed at least annually by the board and RMCB respectively.
  • The model tiering shall be based on model’s complexity and materiality.
  • The model risk tiering should be further used to define the intensity and frequency of model validation and monitoring; approval process; risk controls and mitigation; level of detailed inventory and documentation.

Our view

The model tiering requirements discussed represent the RBI’s move to set model tiering as the foundation of MRMF rather than a mere classification exercise. This has further advocated a risk-based allocation of time and resources rather than a one-size-fits-all framework for the different activities required during the model lifecycle.

What the updated guidance says

  • All models including third-party models are subject to independent validation by the RE.
  • Model validation shall also be conducted periodically and in case where internal or external thresholds get triggered.
  • Validation reports should be submitted to the RMCB or relevant authority within three months from completion of validation.
  • REs should perform due diligence prior to the use of third-party models and obtain minimum technical model documentation. 

Our view

REs will further need to review the specialist expertise and decide on enhanced methodologies for validation of AI and ML models. This may in turn establish potential reliance on external subject matter validation experts.

Selection and onboarding of vendors becomes a critical process by determining clear acceptance criteria based on vendor experience, opacity of model, detailed documentation, and suitability of data and methodology.

Additional requirements for AI and ML models

The principles of MRM apply to AI and ML models. However, their complex nature demands additional consideration:

What the updated guidance says

  • The RBI expects REs to understand where and how AI has been used in the respective models and the level of technological advancements used in the same.
  • In addition to factors such as materiality and complexity, risk-tiering of AI models should also be driven considering how much the RE relies on the AI model (reliance) and how independent decisions can be made using the AI model (autonomy).
  • The RBI expects entities to establish robust controls around data quality, monitor changes in model behaviour and data patterns, and maintain comprehensive documentation to support transparency, auditability, and effective governance throughout the model lifecycle.

Our view

  • It is logically pointed out that institutions can identify, measure, and monitor risks associated with AI models only once the impact on business reliance and decision-making powers is identified.
  • While the regulator has clarified ‘reliance’ and ‘autonomy’ to be critical factors for risk theory, the challenge lies in defining objective thresholds to measure them.
  • Robust third-party due diligence, contractual provisions to obtain minimum technical documents, pre-implementation review of model methodology and data shall play a critical role in mitigating risk from third-party AI models.

What the updated guidance says

REs are expected to test behavioural characteristics of AI models under stressed scenarios by considering the following:

  • Define thresholds for explainability and transparency of AI models based on their reliance in taking material decisions.
  • In cases where explainability thresholds are not met, RE should define enhanced requirements for model monitoring and validation, back testing, human interference in case of critical decisions, and impact assessment with existing traditional models.

Our view

The RBI has directed entities to decide on the minimum level of explainability expected from AI models based on their importance in business decisions while also acknowledging that certain AI technologies may not be able to achieve the highest expected levels of transparency. REs can maintain a list of models where explainability is limited or not fully achievable. These may include deep neural networks, large language models (LLMs), vendor black-box AI solutions. Thus, defining thresholds is critical for institutions to ascertain further controls and mitigants.

What the updated guidance says

  • REs should identify biased AI models that unfairly favour or disadvantage certain customer groups. Fairness testing should be conducted and necessary changes should be made to the model—such as recalibration, redesign, or reducing model complexity.
  • Models should be tested on new and different datasets (out of time, out of sample) to confirm that they continue to perform reliably in the real world and changing business conditions.
  • RE should conduct structured testing, including red-team exercises, to challenge AI models and identify weaknesses, vulnerabilities, unexpected behaviour, or harmful outputs before and during deployment, especially for customer-facing and generative AI models.

Our view

REs will have to define fairness metrics and establish thresholds for acceptable disparities in model outcomes.

Red teaming is a structured testing process where a team deliberately tries to make an AI model fail, behave incorrectly, generate harmful outputs, or bypass controls to identify weaknesses before real users or attackers do. The RBI recognises that AI models may behave differently under abnormal situations than during normal testing. Therefore, entities should proactively test AI models against these scenarios.

What the updated guidance says

The RBI has emphasised that AI models should not be the sole decision maker but also have a robust human oversight with arrangement for human intervention on need basis. Effective controls should be in place in case of requirement for override or deactivation. Model outputs and decisions should be back tested and reviewed periodically through human intervention.

Our view

The RBI has emphasised that AI should support rather than replace humans in decision making. As the scale and complexity of AI models increases, the RE will have to create robust governance on monitoring these models through human oversight, thereby leveraging efficiency gains of the technology through automation while preserving the accuracy and effectiveness of decisions.

What the updated guidance says

  • Deployment, usage, and modification of models should be secured by relevant access controls.
  • Cyber risk from third-party components, APIs, external interfaces should be safeguarded with relevant controls.
  • External users and customers should be informed with appropriate disclosures and warnings that they are interacting with AL/ML systems and allow them to access human assistance as required.
  • Dynamic or automatic updates should be regulated with appropriate controls, thereby defining the scope of automatic updates, data checks, and monitoring requirements.

Our view

The RBI has emphasised that the role of RE is not just limited to deployment of AI models and their validation. Models also require explicit monitoring and controls to define who can access them and what changes can be made. This puts additional responsibilities on the first line of defence—model owners for efficient use of models. At the same time, the third line of defence—auditors—is required to periodically review breaches of access controls and unauthorised changes to the model.

How will these changes affect the MRM practices across various risks?

Enhanced model validation, monitoring, explainability, and periodic review requirements are expected to improve the accuracy of risk assessment, portfolio management, provisioning, and pricing decisions through reliable credit underwriting models, behavioural scoring, early warning systems, collections, and expected credit loss (ECL) estimation.

For treasury and trading activities, the guidelines will increase oversight of models used for valuation, pricing, interest rate risk measurement, stress testing, and risk quantification. It will also strengthen governance around behavioural and forecasting models used for liquidity management, cash flow projections, deposit behaviour, prepayment assumptions, and interest rate risk in the banking book. 

As capital adequacy, stress testing, and Internal Capital Adequacy Assessment Process (ICAAP) processes rely heavily on model outputs, the framework will enhance the credibility and robustness of capital planning and risk forecasting models. Stronger validation, documentation, and governance will help banks maintain greater confidence in capital assessments, stress loss estimates, and strategic capital allocation decisions. As banks increasingly adopt AI and advanced analytics, weaknesses in model governance can have significant strategic and reputational consequences. 

The MRM guidelines strengthen controls around model development, validation, monitoring, and change management, reducing operational risks arising from model failures, data issues, incorrect assumptions, or unauthorised modifications. They also enhance the effectiveness of fraud detection, transaction monitoring, AML, customer authentication, and financial crime models by ensuring they are regularly validated and monitored. As banks increasingly adopt AI/ML models, neural networks, and agentic AI solutions for fraud prevention and real-time decision-making, the guidelines help manage risks related to model complexity, opacity, and autonomous behaviour, thereby reducing fraud losses, operational disruptions, regulatory breaches, and reputational damage.

The emphasis on documentation, traceability, independent validation, and model lifecycle governance will improve the defensibility of regulatory submissions and risk reporting. Furthermore, stronger controls around model fairness, explainability, transparency, and human oversight will help mitigate conduct risk by reducing the likelihood of biased, inconsistent, or inappropriate customer outcomes, thereby strengthening customer protection, regulatory compliance, and stakeholder trust.

The introduction of requirements relating to explainability, fairness, bias assessment, and human oversight is expected to strengthen customer protection. Banks will need to ensure that model-driven decisions remain transparent, fair, and consistent—particularly in customer-facing processes such as credit approvals, pricing, collections, and fraud detection. Stronger controls over customer data used in models will also support compliance with the Digital Personal Data Protection (DPDP) Act, reducing risks related to data privacy, misuse of personal information, and adverse customer outcomes.

We recommend regulated entities to take the following steps:

Entities should begin by expanding their view of model risk beyond traditional credit underwriting and regulatory capital models. The RBI has clearly recognised the growing reliance on AI/ML, advanced analytics, and automated decision-making tools across business functions. 

Entities should review their existing governance structures to ensure alignment with the three lines of defence model. Focus should be placed on establishing board-approved model risk appetite thresholds.

Additionally, in case of AI models, entities should proactively establish AI-specific governance frameworks that address emerging risks associated with AI and ML models. For third-party AI solutions, enhanced due diligence and contractual requirements should be introduced.

Entities should define what constitutes a model, identify all models and model-like tools across the organisation, and document their purpose, ownership, methodology, data sources, dependencies, validation status, and limitations. Institutions may maintain a register of models where explainability is inherently limited. For such models, additional controls, monitoring requirements, approvals, and compensating risk mitigants should be implemented. 

Entities should establish a structured model tiering framework based on factors such as materiality, complexity, customer impact, financial impact, regulatory significance, level of automation, and reliance in decision-making. Institutions should align all lifecycle activities—including development, validation, implementation, monitoring, modification, and retirement—to the assigned model risk tier.

Given the RBI’s expanded definition of models and strengthened validation expectations, entities should reassess their validation methodologies, capabilities, and resourcing models. For complex AI and ML models, entities may need to invest in specialised skills and, where necessary, leverage external subject matter experts to perform independent validation and challenge model assumptions effectively.

Entities should establish a formal framework for identifying, measuring, and monitoring bias and fairness risks across AI and non-AI models. The use of AI should be clearly disclosed to customers and users of the model with provision to request human intervention.

Further, entities should establish clear human intervention mechanisms, review triggers, escalation protocols, override processes, and accountability frameworks for AI-assisted decisions. 

Appropriate controls should be implemented to manage model access, changes, implementation activities, and production environments. Particular attention should be paid to third-party integrations, APIs, and AI platforms to ensure cybersecurity and operational resilience expectations are adequately addressed. Banks should also perform periodic vulnerability assessments, penetration testing, access reviews, and security monitoring to identify and mitigate cyber and operational risks.

Contact us

Kuntal Sur

Partner – Financial Services and Treasury Advisory, PwC India

Email

Authors

Kuntal Sur  Tarun Saraf  Tanvi Shirke

Follow PwC India