March 2026
Since Supervisory Statement (SS) 1/23 came into effect in May 2024, firms have made significant efforts to align their model risk management (MRM) frameworks to its principles. However, following the PRA’s review of firms’ practices, many firms are now reassessing their frameworks, governance structures and operational processes, particularly as they adapt to the new complexities introduced by AI and GenAI models. In this article from KPMG in the UK, we outline the key areas where firms are focusing their attention, offer our perspective on where improvements are most needed, and highlight the practical ways KPMG is supporting firms to strengthen their approach.
Business challenges
Across the industry, firms face growing business pressures: limited capacity, rising cost constraints and increasing expectations to demonstrate the value of modelling and validation. At the same time, they must modernise MRM capabilities and prepare to adopt AI safely. These demands are converging at a point where existing workflows and tooling were not built for today’s scale or complexity, making targeted investment and specialist support increasingly essential.
These pressures are reflected across the MRM lifecycle. Capacity constraints, offshored workloads and accumulating issues risk obscuring firms’ true model risk profile, while greater efficiency is needed to prevent delays and risk build‑up. The expanding risk landscape – particularly with AI – requires deeper and more diverse skillsets, spanning systems, legal, data engineering and modelling. Model inventories and supporting tools must also evolve to capture richer information and handle growing volumes. AI‑enabled tooling presents a significant opportunity to automate ingestion, strengthen analytics and streamline governance end‑to‑end.
Risk appetite and reporting
Despite widespread adoption of risk appetite statements, many firms struggle to translate these frameworks into actionable insights for senior leadership. Boards and executives need clarity on where risks sit relative to appetite, and how remediation plans are progressing. The PRA requires quantitative and qualitative metrics that reflect total model risk, rather than relying solely on counts or proportions. It also emphasises the need for strong processes to identify models accurately and recommends regular confirmations from business units.
Scope and inventory
The boundaries of MRM continue to evolve. Questions around the treatment of challenger or one-off models remain unresolved, while governance of Deterministic Quantitative Methods (DQMs) is still a moving target. Inventory systems are under pressure and often lack essential information, including vendor models, foundational assumptions and regulatory attestations. In addition, inventories often cannot ingest or display model monitoring results (e.g. thresholds exceeded, drift indicators, stability tests), which provide a current view of risk. As demands for accurate and complete data increase, legacy tools are proving inadequate, resulting in operational inefficiencies and reduced transparency.
Model validation
External changes have increased validation workloads, causing coverage gaps, especially in lower-tier models. At the same time, the scope of validation has expanded beyond methodological appropriateness and rigour to include data testing and process assurance. Validation teams are now expected to challenge data quality, test end‑to‑end processes and confirm operational soundness. Meeting these broader expectations requires more efficient workflow tools and risk‑based prioritisation to maintain output without compromising quality.
In addition, the expanding range of risks, both business-driven and the unique risks posed by AI, requires continuous upskilling and training of modellers and validators. Traditional hiring strategies may no longer suffice; firms should consider broadening talent pools to include systems specialists, legal experts and data engineers to help enhance coverage of the required skillset.
Tiering
The implementation of SS1/23 has prompted firms to revisit tiering methodologies. The PRA has observed wide variation in tiering approaches across the industry, leading to inconsistent risk management and unclear prioritisation – for example, a lack of standardisation when assessing complexity and understanding how a model’s risk profile impacts different legal entities. The PRA has signalled that these approaches will need ongoing review, reinforcing the need for frameworks that are both robust and adaptable.
AI Governance
AI introduces a broader and more complex risk profile that spans model, data, legal, operational and technology domains, requiring cross‑functional committees to provide coordinated oversight. Leading firms are responding by embedding AI governance within their existing MRM frameworks, recognising that AI is fundamentally a model, sharing many core characteristics with traditional approaches but with amplified risks around explainability, data dependency, adaptability, and third‑party reliance. Central to this approach are use case level AI inventories, which provide visibility over where and how AI is used across the firm.
At the same time, there is broad recognition that traditional MRM controls based on SS1/23 may not fully capture AI‑specific risks such as dynamic learning behaviour and data drift. AI and ML models, particularly those that can dynamically recalibrate, can evolve cumulatively beyond their approved risk appetite. As a result, firms may need to adapt tiering methodologies to include dimensions such as explainability, ethical considerations – e.g. as per the EU AI Act – and performance degradation.
The complexity of AI models also amplifies validation demands. Traditional validation techniques, such as cross‑validation, back‑testing and standard performance metrics, are often less effective in AI, ML and big‑data contexts. Training datasets may be unrepresentative of the target population, meaning conventional validation may fail to detect generalisation issues. New testing approaches are therefore emerging to ensure outputs are tied to verified underlying evidence, including the implementation of custom guardrails and behavioural fail-safes to constrain model outputs safely.
Finally, emerging agentic AI systems, which chain multiple models and reasoning processes together, are likely to require governance and validation approaches that assess behaviour across several layers of processing rather than relying solely on statistical accuracy or individual-model validation. This includes evaluating reasoning tasks, interactions between components and dependencies on other systems.
How can KPMG in the UK help?
As pressures continue to build, many firms are exploring model validation as a service to help cope with surges in workload and provide specialist skills. Managed services offer access to scalable specialist advice while reducing operational bottlenecks and enabling in‑house teams to remain focused on high‑priority and regulatory‑sensitive models. KPMG is actively supporting clients through this approach, helping them stabilise validation backlogs and strengthen overall lifecycle resilience.
Drawing on practical insights from recent projects, we can also help firms build more resilient and effective frameworks to address expectations under SS1/23 and the emerging challenges of AI governance.
KPMG model risk management professionals can support you to enhance your model risk management frameworks and approaches, including:
- Upgrading model inventories for greater completeness, governance and integration of monitoring results
- Enhancing risk appetite frameworks and reporting, including metrics, dashboards and narrative clarity for Boards
- Building or strengthening AI governance frameworks
- Refreshing MRM policies and standards, including scope definitions for DQMs, tactical models and agentic systems
- Conducting targeted reviews (e.g., inventory completeness, tiering, validation coverage, governance diagnostics) to meet SS1/23 expectations
Our people
Jalpa Dodhia
Partner, Banking Risk, Financial Risk Management, Risk and Regulatory Advisory
KPMG in the UK