A function-by-function, control-by-control evaluation of AI risk across eleven banking lines and eight control layers, re-anchored to the OCC and Federal Reserve’s joint April 2026 model risk guidance, the Cyber Risk Institute FS-AI RMF v1.0, and the NIST AI RMF Core.
Executive introduction
AI is no longer a contained pilot inside the model risk team. It now sits inside underwriting decisions, AML alerts, vendor stacks, customer-facing chat, fraud scoring, and the data plumbing that runs all of it. The supervisory perimeter has caught up: in April 2026 the OCC and Federal Reserve issued joint Revised Guidance on Model Risk Management (OCC Bulletin 2026-13 / Fed SR 26-02), superseding SR 11-7, SR 21-8, OCC 2011-12, OCC 1997-24, and OCC 2021-19. The new regime explicitly extends model-risk discipline to vendor and third-party models — for the first time at parity with internal models — and folds in three lifecycle phases (Development & Use, Validation & Monitoring, Governance & Controls) with risk-based standards replacing the old materiality-tier vocabulary.
The Trusted AI Value Index translates that supervisory landscape into a single, defensible composite score per business line. Each of eleven bank functions is scored across eight control layers using an anchored 1-to-5 rubric. Every score is supported by three evaluation lenses — Risk Exposure, Regulatory Intensity, and Impact Severity — drawn directly from OCC 2026-13, the CRI FS-AI RMF, and NIST AI RMF MEASURE/MANAGE characteristics. Higher scores indicate higher residual risk; the goal is not to chase zeros but to make the gradient visible so capital, talent, and board attention follow it.
Key findings
1. Third-party risk is now the highest-residual-risk control layer — by a clear margin.
At a layer average of 4.64 (Critical), Third-Party Risk Management is the single largest delta in the index. The new joint guidance closes the long-standing gap between internal and vendor models: vendor and third-party AI must now receive validation, monitoring, and governance at parity with bank-built models. Most institutions are not yet there.
2. Customer-facing decisioning is where regulatory intensity and impact severity converge.
Credit Risk & Underwriting (4.83) and Lending Operations (4.54) sit at the top of the function ranking. ECOA / Reg B, FCRA / Reg V, and the 2024 Interagency Statement on Automated Underwriting Systems together drive Consumer Protection, Fairness, and Transparency to 5.00 in these lines. Adverse-action notices generated by black-box ensembles are now an explicit examination focal point.
3. Compliance & AML is a 4.42 — and it is rising fastest.
Post-2021 AML enforcement, FinCEN’s encouragement of innovation paired with explicit model-governance expectations, and the joint guidance’s prescriptive Governance & Controls section put Compliance & AML at 4.42 (High). Alert-prioritization models, sanctions screening, and KYC enrichment are now in scope for full MRM treatment.
4. Fairness & Non-Discrimination is the most uneven layer across functions.
Although its layer average is the lowest in the index at 3.36 (Moderate), the dispersion is extreme: 5.00 in Lending and Credit Risk versus 1.00 in Cybersecurity and Treasury & ALM. Fair-lending obligations don’t apply uniformly — but the layer’s range tells you exactly where bias testing needs to be a board-reported control and where it does not.
5. The "boring" layers have become first-line risks.
Data Quality & Privacy (4.42) and Accountability & Oversight (4.33) now rival traditional model-validation concerns. Lineage attestation, drift monitoring, segregated access, and three-lines-of-defense documentation are no longer back-office hygiene — they are direct examination findings under OCC 2026-13’s lifecycle framing.