AI Governance Library

Model Risk Management in the Age of AI

Model Risk Management (MRM) must evolve from periodic validation to continuous governance as Generative and Agentic AI systems introduce opacity, stochasticity, and autonomy that break traditional supervisory assumptions.
Jakub Szarmach
3 min read
Model Risk Management in the Age of AI
Model Risk Management in the Age of AI
Model Risk Management in the Age of AI.jpg
65 KB
download-circle

⚡ Quick Summary

This white paper from Moody’s Analytics reframes Model Risk Management (MRM) for the era of generative and agentic AI. It argues that traditional approaches—built on deterministic, interpretable models—are no longer sufficient. Instead, institutions must move toward continuous governance, embedding real-time monitoring, dynamic guardrails, and human oversight across the AI lifecycle. The paper is particularly strong in translating abstract governance shifts into operational controls, especially for financial institutions. Its core message is simple but impactful: AI systems should be governed as evolving socio-technical systems, not static models. This shift has major implications for validators, risk teams, and decision-makers.

🧩 What’s Covered

The document is structured around a clear narrative: why traditional MRM fails in the AI era, how models have evolved, and what new controls are required.

It begins by contrasting legacy supervisory frameworks like SR 11-7 with modern AI systems. Traditional models assumed predictability, interpretability, and full institutional control. In contrast, generative and agentic AI introduce stochastic outputs, black-box architectures, and reliance on external vendors.

A central contribution is the “three generations of models” framework:

  • Generation 1: deterministic, transparent models (e.g. logistic regression)
  • Generation 2: ML models with higher performance but reduced interpretability
  • Generation 3: generative and agentic AI with autonomy, stochasticity, and external dependencies

The visual table on page 4 effectively shows how transparency, determinism, and control degrade across generations, while capabilities increase.

The paper then moves into operationalization. For GenAI systems, MRM must include:

  • Behavioral testing (including adversarial prompts)
  • Real-time monitoring and observability
  • Human-in-the-loop decision checkpoints
  • Version control and fallback models
  • Vendor risk management (e.g. model pinning)

Importantly, monitoring shifts from model-centric to system-level—covering inputs, outputs, and emergent behaviors.

The case study of Moody’s Early Warning System (EWS) is a highlight. It demonstrates how GenAI (LLMs) can be integrated into a pipeline with ML and traditional models, while maintaining governance through:

  • Expert benchmarking
  • Output variability thresholds
  • Continuous monitoring triggers
  • Structured outputs and controlled sampling

The paper concludes by redefining the validator’s role—emphasizing new skills such as prompt engineering, behavioral testing, and system-level oversight.

💡 Why it matters?

This paper captures one of the most important transitions in AI governance: the move from model validation to system governance.

For practitioners, the key insight is that risk no longer resides in a single model—it emerges from interactions between components, external dependencies, and autonomous behaviors. This directly challenges existing regulatory and audit approaches.

The emphasis on observable behavior over internal explainability is especially relevant. It aligns with how many organizations are already struggling to govern LLMs in practice.

For financial institutions, the guidance is highly actionable. But the principles extend far beyond finance—to any organization deploying GenAI in decision-making workflows.

In short, this is a blueprint for operationalizing AI governance where traditional controls fail.

❓ What’s Missing

The paper is strong on conceptual framing and operational controls, but leaves several gaps:

  • Limited discussion of regulatory alignment (e.g. EU AI Act, ISO 42001)
  • No detailed implementation guidance (e.g. tooling, architecture patterns)
  • Minimal treatment of data governance and training data risks
  • Little focus on accountability structures (roles, committees, escalation paths)

Additionally, while the case study is useful, it represents a relatively controlled pipeline—not a fully agentic system. The challenges of autonomous multi-agent environments are only briefly acknowledged.

👥 Best For

Risk and compliance professionals in financial institutions
Model validators and MRM teams adapting to GenAI
AI governance leads designing control frameworks
Senior decision-makers evaluating AI adoption risks

📄 Source Details

White Paper
Authors: Nils Grevenbrock, Zhengpu Zhao, Nihil Patel
Organization: Moody’s Analytics
Year: 2026

📝 Thanks to

Nils Grevenbrock, Zhengpu Zhao, Nihil Patel and the Moody’s Analytics team

Whitepaper
About the author
Jakub Szarmach

Jakub Szarmach

Read next

Toward Risk Thresholds for AI-Enabled Cyber Threats

Insuring Emerging Risks from AI

White Paper on AI Governance: Leadership insights and the Voluntary AI Safety Standard in practice

Toward Risk Thresholds for AI-Enabled Cyber Threats

Bridging Ethics and Execution: AI Governance Lessons from Africa and the Asia-Pacific – White Paper

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.