Artificial intelligence is no longer experimental in financial services—it’s operational. From portfolio construction to compliance monitoring, AI is now embedded across the investment lifecycle. But while adoption has accelerated, governance has not kept pace.
That gap is becoming a regulatory and operational risk.
Recent signals from regulators—including the U.S. Securities and Exchange Commission—make it clear: firms are accountable for how AI is used, even when it’s embedded in third-party tools.
So what does “good” actually look like?
This blog outlines a practical, investment compliance–focused framework for AI governance, grounded in established model risk principles and modern AI risk expectations.
Why AI Governance Is Now a Compliance Imperative
AI introduces familiar risks—model error, misuse, data issues—but amplifies them in new ways:
- Non-deterministic outputs (especially generative AI)
- Lack of explainability
- Vendor opacity
- Continuous model evolution (model drift)
In investment compliance, these risks directly impact:
- Suitability and fiduciary obligations
- Disclosure accuracy
- Market conduct surveillance
- Client communications
Regulators are not waiting for perfect clarity. Instead, they are applying existing frameworks (like model risk management) to AI use cases.
For example:
- The Federal Reserve’s SR 11-7 guidance defines expectations for model risk management, including validation, governance, and monitoring
- The National Institute of Standards and Technology developed the AI Risk Management Framework (AI RMF) to manage AI risks across the lifecycle
- Treasury-backed initiatives now extend these principles specifically to financial services AI use cases
The takeaway:
AI governance is not a new discipline—it’s an evolution of model risk management applied to more complex systems.
The Gap: Why Most Firms Aren’t There Yet
Despite increased adoption, governance maturity is lagging:
- ~40% of investment firms use AI internally
- But 44% lack formal validation or testing processes
This creates a dangerous mismatch:
- High-impact decisioning
- Low visibility and control
In practice, most firms fall into one of three categories:
- Ad hoc AI usage (no inventory, no oversight)
- Partial governance (policies exist, but not enforced)
- Legacy MRM applied inconsistently to AI
“Good” governance closes this gap.
A Practical Framework for AI Governance in Investment Compliance
Below is a 5-part framework designed specifically for investment firms. It integrates:
- Model Risk Management (SR 11-7)
- AI-specific risk controls (NIST AI RMF)
- Regulatory expectations from SEC and banking agencies
1. AI Inventory & Use Case Classification
You cannot govern what you cannot see.
A “good” AI governance program starts with a centralized AI inventory that includes:
- Internal models (quant, ML, GenAI tools)
- Third-party/vendor AI systems
- Embedded AI in SaaS tools
Each use case should be classified by:
- Business function (trading, compliance, marketing)
- Decision criticality
- Regulatory impact
This aligns with regulatory expectations that firms remain responsible for AI use—even via vendors.
👉 Practical tip:
Extend your model inventory to include AI systems—not just traditional quant models.
2. Risk Tiering & Materiality Assessment
Not all AI requires the same level of governance.
A “good” framework introduces risk-based tiering, evaluating:
- Financial impact
- Client impact
- Regulatory exposure
- Model complexity
This mirrors updated regulatory guidance emphasizing risk-based approaches tailored to model materiality
Example tiers:
- Tier 1 (High Risk):
- Portfolio optimization models
- Trading signals
- Client recommendation engines
- Tier 2 (Moderate Risk):
- Compliance surveillance tools
- Fraud detection
- Tier 3 (Low Risk):
- Internal productivity tools
- Drafting assistants
👉 Why it matters:
Over-governing low-risk AI slows innovation. Under-governing high-risk AI creates compliance exposure.
3. Model Development & Documentation Standards
At the core of AI governance is discipline in how models are built and used.
SR 11-7 emphasizes that models must be grounded in:
- Clear assumptions
- Defined inputs
- Documented methodologies
For AI systems, this expands to include:
- Training data lineage
- Feature engineering logic
- Model limitations and biases
- Intended use vs. prohibited use
In investment compliance, documentation should explicitly address:
- How outputs are used in decision-making
- Where human oversight is required
- How errors are detected and escalated
👉 What “good” looks like:
- Every AI system has clear documentation accessible to compliance teams
- Use cases are tightly scoped and controlled
4. Validation, Testing & Ongoing Monitoring
Validation is where most firms fall short.
A “good” AI governance program includes:
Pre-deployment validation:
- Conceptual soundness testing
- Backtesting / benchmarking
- Sensitivity analysis
Ongoing monitoring:
- Performance drift detection
- Outcome analysis
- Exception tracking
SR 11-7 highlights the importance of independent validation and continuous monitoring
For AI, this must evolve to include:
- Monitoring for bias and fairness
- Output variability (especially GenAI)
- Vendor model updates
👉 Critical insight:
AI governance is not a one-time control—it’s a continuous lifecycle process.
5. Governance, Accountability & Controls
This is where frameworks either succeed or fail.
A “good” governance model includes:
Clear ownership:
- Business owner (use case accountability)
- Model owner (technical accountability)
- Compliance oversight
Policies and controls:
- AI usage policy
- Approval workflows
- Change management
Oversight structures:
- Model risk committee
- AI governance working group
Regulators expect accountability and transparency in AI oversight
The SEC has also formalized internal AI governance through leadership roles and structured compliance plans
👉 What “good” looks like:
- AI decisions are traceable
- Accountability is assigned—not implied
How This Comes Together: A Simple Operating Model
When implemented correctly, this framework creates a closed-loop governance system:
- Identify AI systems
- Classify and tier risk
- Apply appropriate controls
- Validate and monitor continuously
- Govern through clear accountability
This aligns closely with broader AI risk lifecycle models:
- Risk identification
- Risk assessment
- Risk mitigation
- Governance oversight
Common Pitfalls (and How to Avoid Them)
Even sophisticated firms struggle with:
1. Treating AI separately from model risk
Reality: AI is an extension of model risk—not a replacement
2. Over-relying on vendors
Reality: You are still accountable for outcomes
3. Lack of documentation
Reality: If it’s not documented, it doesn’t exist for regulators
4. No ongoing monitoring
Reality: AI degrades over time—governance must be continuous
The Competitive Advantage of “Good” Governance
AI governance is often viewed as a constraint.
In reality, it’s an enabler.
Firms that operationalize governance effectively can:
- Deploy AI faster (with confidence)
- Reduce regulatory risk
- Improve decision quality
- Build trust with clients and regulators
As financial services AI frameworks evolve, the firms that win will not be the ones that avoid AI—but the ones that govern it well.
Where TillieStar Fits In
At TillieStar, we help investment compliance teams move from theory to execution by:
- Structuring model and AI inventories
- Aligning governance with SR 11-7 and AI RMF principles
- Operationalizing validation and monitoring workflows
- Creating scalable compliance infrastructure
For additional insight, explore more from TillieStar’s Insights library:
- Building Scalable Compliance Programs in Investment Management
- Designing Effective Rule Governance for Modern Compliance Teams
- Preparing Compliance Infrastructure for Regulatory Change
Browse the full collection:
https://tilliestar.com/insights_blog/