AI Certification

Implement AI Governance

A practical guide to governing AI models and automated decision systems in a regulated financial institution using CoComply's AI Certification and Evidence Collection modules — aligned to SR 11-7, OCC AI guidance, and emerging federal AI expectations.

13 min read · CDO, Chief Model Risk Officer, Compliance, Internal Audit

1. Build Your AI Model Inventory

Before you can govern AI, you need to know what AI you have. In CoComply, navigate to the Govern module and use the Asset Catalog to create an AI Model inventory. For each model or automated decision system, record: model name and version, use case (credit scoring, fraud detection, customer segmentation, AML transaction monitoring, etc.), whether it is in production or in development, the source system it draws data from, the business owner, and the model risk tier (as defined by your Model Risk Management policy). Tag all SR 11-7 in-scope models explicitly.

  • Include purchased vendor models and models embedded in third-party platforms — these are often missed and frequently in scope for SR 11-7.
  • Use CoComply's Tier classification to align AI model risk levels with your existing model risk management framework.
  • For each model, identify the Critical Data Elements it consumes — these become the CDEs that require governance and certification as part of AI governance.

2. Map Models to Their Input Data Elements

AI governance is inseparable from data governance. The accuracy and fairness of a model are only as good as the data it was trained and scored on. In CoComply, link each AI model asset to the CDEs it uses as inputs. This creates a traceable path from regulatory submission to model output to underlying data. For each input CDE, confirm that a Data Owner is assigned, a data quality standard is documented, and a certification cadence is in place.

  • Input CDE mapping is the artifact that satisfies OCC and FRB examiners who ask 'how do you know your model inputs are reliable?'
  • For credit models subject to ECOA and Fair Lending scrutiny, flag input CDEs that are proxies for protected class characteristics.
  • Use CoComply's lineage view to trace each model input CDE back to its source system — gaps in lineage are a finding waiting to happen.

3. Define and Document Model Validation Standards

SR 11-7 requires independent validation of models in proportion to their risk. In CoComply's Policies module, confirm that your Model Risk Management (MRM) Policy is current and references your model validation standards. Document for each in-scope AI model: when the last validation was completed, who performed it (internal or third-party), the validation outcome, any open model limitations or findings, and the next scheduled validation date. Store validation reports in CoComply's evidence vault.

  • Use CoComply's Finding record to track open model limitations — these are conditional approvals that require active management.
  • Examiners will ask whether model validation is truly independent. Document the reporting line and any conflict-of-interest safeguards in CoComply.
  • For generative AI and large language models deployed in business workflows, document the evaluation methodology — traditional SR 11-7 validation approaches may need adaptation.
Note: The OCC's 2021 AI guidance and the interagency RFI on AI both signal that model risk management expectations will increasingly extend to AI systems. CoComply's AI Certification module is designed to operationalize these emerging requirements before they become binding.

4. Establish Ongoing Monitoring and Performance Tracking

Model validation is periodic. Model monitoring is continuous. In CoComply's Operate module, configure monitoring for each AI model: define the key performance metrics (accuracy, precision/recall, GINI coefficient, PSI/CSI for drift), set threshold alerts for metric degradation, and assign a monitoring owner. CoComply surfaces monitoring alerts in the governance dashboard alongside DQ findings — so model performance issues and data quality issues are managed in a single operational workflow.

  • Set model drift thresholds conservatively — it is better to investigate a false positive than to miss a real performance degradation.
  • Link monitoring results directly to the model's CDE inventory: if input data quality degrades, model performance monitoring should flag it downstream.
  • Document the escalation path for monitoring alerts — who gets notified, within what timeframe, and what action is required.
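
The PSI drift check named in this step, as an added example (not CoComply's code or configuration): it bins a baseline distribution captured at validation time, compares later scoring windows against it, and maps the result to an alert level. The 0.10 / 0.25 thresholds are an assumed industry rule of thumb, and the function names and sample data are constructed for illustration; applying the same calculation to a single input CDE instead of the model score gives CSI.

```python
import math
from bisect import bisect_right

# Assumed alert thresholds (common rule of thumb, not from this guide or
# CoComply): PSI < 0.10 stable, 0.10-0.25 investigate, >= 0.25 escalate.
INVESTIGATE, ESCALATE = 0.10, 0.25

def quantile_edges(baseline, bins=10):
    """Interior bin edges from baseline quantiles, fixed at validation time."""
    s = sorted(baseline)
    edges = [s[len(s) * i // bins] for i in range(1, bins)]
    return sorted(set(edges))  # collapse duplicate edges caused by tied values

def bin_shares(values, edges, floor=1e-4):
    """Share of values per bin; empty bins are floored so log() stays finite."""
    counts = [0] * (len(edges) + 1)
    for v in values:
        counts[bisect_right(edges, v)] += 1
    return [max(c / len(values), floor) for c in counts]

def psi(baseline, current, bins=10):
    """Population Stability Index of `current` measured against `baseline`."""
    edges = quantile_edges(baseline, bins)
    b = bin_shares(baseline, edges)
    c = bin_shares(current, edges)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

def drift_status(value):
    if value >= ESCALATE:
        return "escalate"
    return "investigate" if value >= INVESTIGATE else "stable"

# Constructed sample data: a near-uniform score distribution (300-849) at
# validation time, plus two later windows: one shifted by 40 points and one
# shifted by 200 points with scores clipped at the top of the range.
baseline = [300 + (i * 37) % 550 for i in range(2000)]
mild = [v + 40 for v in baseline]
severe = [min(v + 200, 849) for v in baseline]

def monitor():
    windows = [("same", baseline), ("mild", mild), ("severe", severe)]
    return {name: drift_status(psi(baseline, w)) for name, w in windows}

if __name__ == "__main__":
    print(monitor())
```

The floor in `bin_shares` covers the case where a whole baseline bin empties out in production, which is the severe-drift situation in which an unguarded PSI calculation fails with a division or log error instead of raising an alert.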

5. Certify AI Model Inputs and Decision Outputs

CoComply's AI Certification workflow applies the same attestation-and-evidence framework used for regulatory report certification to the AI context. For each in-scope AI model, initiate an AI Certification cycle: confirm input CDE ownership and data quality, collect attestations from model owners and data owners, document any known model limitations, and generate a certification record. This record is your primary evidence that the AI system is governed — available for examiner review on demand.

  • AI Certification cycles should be tied to model validation schedules — certify inputs at the time of each validation.
  • For high-frequency models (daily scoring), consider quarterly or semi-annual AI certification cycles rather than per-run.
  • Include a plain-language explainability statement in the AI Certification record — examiners increasingly ask for non-technical explanations of how models make decisions.

6. Respond to Regulatory Requests on AI Use

Regulators are increasingly asking banks to describe their AI governance frameworks. When you receive an information request on AI — from the OCC, FRB, FDIC, or CFPB — CoComply gives you a production-ready response package: the AI Model inventory, input CDE mapping, validation records, monitoring results, and AI Certification history. Export the complete AI governance package from CoComply as a structured PDF or Excel file. This is your audit-ready answer to 'tell us about how you govern AI.'

  • Maintain a standing AI Governance Summary document in CoComply that is updated quarterly — this makes examiner responses faster and more consistent.
  • For consent orders or MRAs that reference AI governance, use CoComply's Findings module to track remediation commitments and evidence.
  • Proactively share your AI governance posture with examiners during opening meetings — it signals organizational maturity and reduces examiner skepticism.