Do Banks Still Need to Validate GenAI Models?

Risk.net, May 7, 2026

Why It Matters

Skipping formal validation may accelerate AI adoption but exposes banks to operational, compliance, and reputational risks that regulators are likely to codify soon. Early adopters of a robust GenAI governance framework will gain a competitive edge and avoid future supervisory penalties.

Key Takeaways

  • Bank of America and Goldman Sachs already validate GenAI models
  • Citi’s Sharma proposes a six‑pillar governance framework for GenAI
  • SR 26‑2 removes GenAI from mandatory validation but may be temporary
  • Human‑in‑the‑loop remains the most critical control for hallucinations
  • Regulators expected to issue dedicated GenAI guidance within years

Pulse Analysis

The rush to embed generative AI like Microsoft Copilot into banking workflows has outpaced traditional risk controls. By labeling these tools as simple productivity aids, banks sidestepped SR 11‑7’s rigorous back‑testing and conceptual soundness checks, allowing rapid deployment but also creating blind spots around model behavior. The regulator’s pivot to SR 26‑2, which deliberately omits GenAI from its scope, reflects a pragmatic pause while supervisory bodies grapple with the technology’s opacity.

Industry voices, however, warn that exemption is not a permanent shield. Citi’s senior risk executive Krishan Kumar Sharma outlined a six‑pillar framework that treats foundation models and their downstream applications as formal models, subjecting them to real‑time testing, prompt libraries, and human‑in‑the‑loop oversight. Early adopters such as Bank of America and Goldman Sachs have already instituted internal validation pipelines, signaling that disciplined governance can coexist with speed. These efforts aim to surface hallucinations, bias, and data leakage before they affect credit decisions or customer interactions.

Looking ahead, banks that ignore validation risk falling behind emerging supervisory expectations. Historically, regulators have allowed industry practice to mature before codifying standards—as seen with the transition from SR 11‑7 to SR 26‑2. Anticipating a dedicated GenAI rulebook, institutions should embed scalable validation controls now, balancing innovation with risk mitigation. Those that master this balance will not only satisfy future regulators but also build trust with clients wary of AI‑driven errors.
