What “Good” Looks Like: A Practical Framework for AI Governance in Investment Compliance

Artificial intelligence is no longer experimental in financial services—it’s operational. From portfolio construction to compliance monitoring, AI is now embedded across the investment lifecycle. But while adoption has accelerated, governance has not kept pace.

That gap is becoming a regulatory and operational risk.

Recent signals from regulators—including the U.S. Securities and Exchange Commission—make it clear: firms are accountable for how AI is used, even when it’s embedded in third-party tools.

So what does “good” actually look like?

This blog outlines a practical, investment compliance–focused framework for AI governance, grounded in established model risk principles and modern AI risk expectations.


Why AI Governance Is Now a Compliance Imperative

AI introduces familiar risks—model error, misuse, data issues—but amplifies them in new ways:

  • Non-deterministic outputs (especially generative AI)
  • Lack of explainability
  • Vendor opacity
  • Continuous model evolution (model drift)

In investment compliance, these risks directly impact:

  • Suitability and fiduciary obligations
  • Disclosure accuracy
  • Market conduct surveillance
  • Client communications

Regulators are not waiting for perfect clarity. Instead, they are applying existing frameworks (like model risk management) to AI use cases.

For example:

  • The Federal Reserve’s SR 11-7 guidance defines expectations for model risk management, including validation, governance, and monitoring
  • The National Institute of Standards and Technology developed the AI Risk Management Framework (AI RMF) to manage AI risks across the lifecycle
  • Treasury-backed initiatives now extend these principles specifically to financial services AI use cases

The takeaway:
AI governance is not a new discipline—it’s an evolution of model risk management applied to more complex systems.


The Gap: Why Most Firms Aren’t There Yet

Despite increased adoption, governance maturity is lagging:

  • ~40% of investment firms use AI internally
  • But 44% lack formal validation or testing processes

This creates a dangerous mismatch:

  • High-impact decisioning
  • Low visibility and control

In practice, most firms fall into one of three categories:

  1. Ad hoc AI usage (no inventory, no oversight)
  2. Partial governance (policies exist, but not enforced)
  3. Legacy MRM applied inconsistently to AI

“Good” governance closes this gap.


A Practical Framework for AI Governance in Investment Compliance

Below is a 5-part framework designed specifically for investment firms. It integrates:

  • Model Risk Management (SR 11-7)
  • AI-specific risk controls (NIST AI RMF)
  • Regulatory expectations from SEC and banking agencies

1. AI Inventory & Use Case Classification

You cannot govern what you cannot see.

A “good” AI governance program starts with a centralized AI inventory that includes:

  • Internal models (quant, ML, GenAI tools)
  • Third-party/vendor AI systems
  • Embedded AI in SaaS tools

Each use case should be classified by:

  • Business function (trading, compliance, marketing)
  • Decision criticality
  • Regulatory impact

This aligns with regulatory expectations that firms remain responsible for AI use—even via vendors.

👉 Practical tip:
Extend your model inventory to include AI systems—not just traditional quant models.


2. Risk Tiering & Materiality Assessment

Not all AI requires the same level of governance.

A “good” framework introduces risk-based tiering, evaluating:

  • Financial impact
  • Client impact
  • Regulatory exposure
  • Model complexity

This mirrors updated regulatory guidance emphasizing risk-based approaches tailored to model materiality

Example tiers:

  • Tier 1 (High Risk):
    • Portfolio optimization models
    • Trading signals
    • Client recommendation engines
  • Tier 2 (Moderate Risk):
    • Compliance surveillance tools
    • Fraud detection
  • Tier 3 (Low Risk):
    • Internal productivity tools
    • Drafting assistants

👉 Why it matters:
Over-governing low-risk AI slows innovation. Under-governing high-risk AI creates compliance exposure.


3. Model Development & Documentation Standards

At the core of AI governance is discipline in how models are built and used.

SR 11-7 emphasizes that models must be grounded in:

  • Clear assumptions
  • Defined inputs
  • Documented methodologies

For AI systems, this expands to include:

  • Training data lineage
  • Feature engineering logic
  • Model limitations and biases
  • Intended use vs. prohibited use

In investment compliance, documentation should explicitly address:

  • How outputs are used in decision-making
  • Where human oversight is required
  • How errors are detected and escalated

👉 What “good” looks like:

  • Every AI system has clear documentation accessible to compliance teams
  • Use cases are tightly scoped and controlled

4. Validation, Testing & Ongoing Monitoring

Validation is where most firms fall short.

A “good” AI governance program includes:

Pre-deployment validation:

  • Conceptual soundness testing
  • Backtesting / benchmarking
  • Sensitivity analysis

Ongoing monitoring:

  • Performance drift detection
  • Outcome analysis
  • Exception tracking

SR 11-7 highlights the importance of independent validation and continuous monitoring

For AI, this must evolve to include:

  • Monitoring for bias and fairness
  • Output variability (especially GenAI)
  • Vendor model updates

👉 Critical insight:
AI governance is not a one-time control—it’s a continuous lifecycle process.


5. Governance, Accountability & Controls

This is where frameworks either succeed or fail.

A “good” governance model includes:

Clear ownership:

  • Business owner (use case accountability)
  • Model owner (technical accountability)
  • Compliance oversight

Policies and controls:

  • AI usage policy
  • Approval workflows
  • Change management

Oversight structures:

  • Model risk committee
  • AI governance working group

Regulators expect accountability and transparency in AI oversight

The SEC has also formalized internal AI governance through leadership roles and structured compliance plans

👉 What “good” looks like:

  • AI decisions are traceable
  • Accountability is assigned—not implied

How This Comes Together: A Simple Operating Model

When implemented correctly, this framework creates a closed-loop governance system:

  1. Identify AI systems
  2. Classify and tier risk
  3. Apply appropriate controls
  4. Validate and monitor continuously
  5. Govern through clear accountability

This aligns closely with broader AI risk lifecycle models:

  • Risk identification
  • Risk assessment
  • Risk mitigation
  • Governance oversight

Common Pitfalls (and How to Avoid Them)

Even sophisticated firms struggle with:

1. Treating AI separately from model risk

Reality: AI is an extension of model risk—not a replacement

2. Over-relying on vendors

Reality: You are still accountable for outcomes

3. Lack of documentation

Reality: If it’s not documented, it doesn’t exist for regulators

4. No ongoing monitoring

Reality: AI degrades over time—governance must be continuous


The Competitive Advantage of “Good” Governance

AI governance is often viewed as a constraint.

In reality, it’s an enabler.

Firms that operationalize governance effectively can:

  • Deploy AI faster (with confidence)
  • Reduce regulatory risk
  • Improve decision quality
  • Build trust with clients and regulators

As financial services AI frameworks evolve, the firms that win will not be the ones that avoid AI—but the ones that govern it well.


Where TillieStar Fits In

At TillieStar, we help investment compliance teams move from theory to execution by:

  • Structuring model and AI inventories
  • Aligning governance with SR 11-7 and AI RMF principles
  • Operationalizing validation and monitoring workflows
  • Creating scalable compliance infrastructure

For additional insight, explore more from TillieStar’s Insights library:

Browse the full collection:
https://tilliestar.com/insights_blog/

Leave a comment

Your email address will not be published. Required fields are marked *