Bringing AI into your SR 11-7 program

Model-risk teams already have a framework for this. SR 11-7 doesn't need to be reinvented for generative AI — it needs to be extended to it. The challenge is that LLMs behave unlike the statistical models the program was built around: they're non-deterministic, prompt-sensitive, and easy to adopt without anyone telling model risk.

This brief walks the four pillars of SR 11-7 and what each looks like when the model is an LLM.

The hardest part of an AI model inventory is completeness. LLMs enter firms through application features, copilots, and agents — often faster than any intake process tracks.

Deriving the inventory from the actual request path solves this structurally: if a model is being called, it's observed, and it's in the inventory.

Ongoing monitoring for an LLM means more than availability. It means watching usage, cost, and governance findings — the rate of blocked prompts, redactions, and policy violations — as behavioral signals.

Captured inline, these become the monitoring evidence SR 11-7 expects, attributable by team and workflow.

Effective challenge and independent validation depend on documentation a reviewer can trust. For AI, the most credible documentation is an immutable record of what the model was permitted to do and what it actually did.

A tamper-evident audit trail serves as that record — versioned policy plus a hash-chained history that can't be quietly edited after the fact.

SR 11-7's governance pillar is about controls and accountability. Policy-as-code that your compliance and model-risk teams can read — not buried in application code — keeps the control owner and the control aligned.

Meilynx supplies the inventory, monitoring, documentation, and controls; your validators keep the judgment. The program stays yours — it just finally covers the models that arrived last.