Skip to main content
Curvestone AI
Definition

Model risk management for AI: from validation to live monitoring

Updated

What is model risk management?

Model risk management (MRM) is the set of controls a firm uses to govern the models behind its decisions. It covers how a model is designed, how it is validated before use, and how it is monitored once live. The aim is to catch error, bias and drift before they reach a customer.

The UK baseline is the PRA's model risk management principles (SS1/23), which set five expectations:

  1. Model identification and a model inventory.
  2. Governance, with clear ownership and oversight.
  3. Development, implementation and use standards.
  4. Independent validation.
  5. Risk mitigation, including monitoring and controls.

Crucially, those principles apply regardless of the technology and cover vendor models as well as ones built in-house. That matters, because AI is about to test every one of them.

Why AI breaks point-in-time validation

Most model governance was designed around models that change on a fixed release cycle: you validate at deployment, then revisit annually. AI does not behave that way. As the Mills Review puts it, general-purpose and frontier models "can introduce challenges including opacity, model drift, data bias, hallucinations and emergent behaviours that are not always well addressed through traditional point-in-time validation approaches."

Three features drive the problem. Models update continuously, so the thing you validated is not the thing running next quarter. They draw on third-party inputs the firm "did not create or build," so control sits partly upstream. And they are probabilistic, so the same input can produce different outputs. A once-a-year review cannot see any of that in time.

What the Mills Review recommends

The Review is explicit that governance has to move. Model risk management should extend "beyond validation at the point of deployment towards live monitoring, tracking drift, model degradation and outliers," supported by "end-to-end controls across the AI lifecycle." It expects the FCA, with the PRA, to support more effective approaches to AI model risk as AI becomes a core operational capability.

That last phrase matters. The Review treats AI governance and model risk management not as a compliance overhead but as "a core capability" firms need to deploy AI at all. It is the same argument we make in why compliance is becoming a competitive advantage: the firms that can govern their models get to use them with confidence, and the firms that cannot move slower. None of this requires new rules; the Review builds on existing frameworks. For the wider picture, see what the Mills Review is.

Model risk across the three lines of defence

The Review frames AI governance across the familiar three lines. In the first line, AI supports customer operations and delivery. In the second, it supports risk, compliance and monitoring. In the third, it supports internal audit, assurance and testing. Across all three, it notes, "AI can increase speed and scale, but it also requires stronger evidence of control."

For model risk that means each line needs to see the model, not just its outputs. The first line needs to know when to override. The second needs live signals, not quarterly samples. The third needs an auditable record of how the model behaved and changed. Explainability is the connective tissue: a control the three lines cannot interpret is not really a control.

Monitoring for drift and bias in practice

Live monitoring is where MRM for AI actually differs from the old model. Instead of a validation report filed at go-live, the firm watches the model as it runs: tracking whether its decisions stay within the tested baseline, whether error rates creep up on particular segments, and whether outputs start to skew in ways that suggest bias or degradation.

Data quality is the foundation under all of it, which is why the CCAF found data quality to be the single biggest barrier to AI adoption, cited by 66% of vendors. A model is only as reliable as the inputs it runs on, and in lending those inputs are messy: photos, scans, protected PDFs and emails. Catching a problem early depends on running the check on every case as it moves, the argument behind real-time compliance monitoring, rather than discovering it in a sample months later.

What this looks like in practice

Consider a lender using an AI model to pre-assess affordability. Under the old approach, the model is validated at launch and reviewed next year. Under the approach the Mills Review points to, the lender monitors it continuously: every case the model touches is logged, its decisions are checked against the validated baseline, and an alert fires when behaviour drifts, for example if approval rates shift for a particular applicant profile.

When a provider updates the underlying model, the lender does not assume the old validation holds. It re-tests against real cases and records the result. The output is a living evidence trail rather than a document in a drawer, which is exactly what a supervisor, or an accountable senior manager, now needs to see. Whether to build or buy that capability is its own decision, covered in building or buying AI.

Model risk management checklist for AI

  1. Inventory every AI model touching a regulated decision, and record its owner and provider.
  2. Validate before deployment against real, representative cases, not just vendor benchmarks.
  3. Monitor continuously for drift, degradation and out-of-bounds behaviour, rather than annually.
  4. Set data-quality controls, because a model is only as reliable as the inputs it runs on.
  5. Keep lifecycle evidence: versions, changes, overrides and outcomes, ready for supervision.
Questions

Frequently asked questions

What is model risk management in financial services?
Model risk management is the set of controls a firm uses to govern the models behind its decisions, from how a model is built and validated to how it is monitored in use. It aims to catch errors, bias and drift before they cause harm. The PRA's principles set the UK baseline.
Why does AI change model risk management?
Traditional models were validated once and revisited periodically. AI models update continuously, draw on third-party inputs the firm did not build, and are probabilistic, so they can drift or degrade between reviews. The Mills Review says governance must therefore extend from a point-in-time check to live monitoring across the model's lifecycle.
What is model drift?
Model drift is when a model's performance changes over time as the data or environment it sees moves away from what it was trained and tested on. In finance that can mean quietly worse decisions on affordability or fraud. The Mills Review lists tracking drift and degradation as a core monitoring duty.
Does the Mills Review require new model risk rules?
No. The Review recommends no new rules and builds on existing frameworks. It asks the FCA, with the PRA, to support more effective approaches to AI model risk management, and expects firms to extend their own governance toward continuous, lifecycle monitoring. The direction is set through guidance, not fresh legislation.
How does model risk management relate to the Consumer Duty and the Senior Managers Regime?
They connect directly. Model risk management is how a firm shows the AI behind its decisions is controlled, which feeds the Consumer Duty's good-outcomes evidence and the reasonable steps a senior manager must demonstrate. The Mills Review treats strong AI governance as the shared foundation under both regimes.
Sources
  1. 01FCA, The Mills Review (full report)
  2. 02PRA SS1/23: Model risk management principles for banks
  3. 03Bank of England and FCA: AI in UK financial services 2024
  4. 04CCAF: The 2026 Global AI in Financial Services Report
  5. 05FCA AI Lab
Related reading
Dawid Kotur
Written by

Dawid Kotur

CEO and co-founder, Curvestone

Dawid co-founded Curvestone in 2024 after a decade working at the intersection of financial services and applied machine learning. He writes about the strategic direction of regulated-industry AI, the FCA's evolving approach to model risk, and the operational changes UK lenders are making in response to Consumer Duty. He sits on the FCA Smart Data Accelerator advisory cohort.

LinkedIn

Compliance that thinksahead. Automatically.

Join mortgage networks, lenders, and legal firms using Curvestone to review cases at scale.