Risk Model Validation & AI Governance
Risk model validation is a cornerstone of financial regulation. When AI assists in VaR calculations, stress testing, or capital adequacy assessments, the governance requirements intensify — regulators expect full traceability, independent validation, and documented controls over every model interaction.
Use this page when
- AI assists in VaR/CVaR calculations, stress testing, or regulatory capital adequacy assessments.
- You must prevent production risk model parameters from leaking to external LLM providers.
- Model risk management reviews require full traceability of AI-assisted calibration and validation steps.
- You need challenger model comparison workflows with escalation-based approval gates.
Keeptrusts provides the policy enforcement layer to govern AI-assisted risk model workflows from development through production deployment.
Primary audience
- Primary: Technical Leaders
- Secondary: Technical Engineers, AI Agents
Risk Model Governance Framework
Map your risk model lifecycle to Keeptrusts governance controls:
Model Development
→ AI-assisted calibration (governed by gateway policies)
→ Parameter estimation (data boundary enforcement)
→ Sensitivity analysis (audit logged)
Independent Validation
→ Challenger model comparison (escalation workflow)
→ Regulatory capital impact assessment
Production Deployment
→ Ongoing monitoring (performance alerts)
→ Periodic re-validation (scheduled event export)
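The stage-to-control mapping above can be sketched as a configuration selector. This is illustrative only: the stage names mirror the framework, but the config file names are assumptions, not shipped Keeptrusts artifacts.

```python
# Hypothetical sketch: pick a gateway policy config per lifecycle stage.
# File names below are illustrative assumptions for this example.
from enum import Enum


class Stage(Enum):
    DEVELOPMENT = "model-development"
    VALIDATION = "independent-validation"
    PRODUCTION = "production-deployment"


# Stricter data boundaries in development, logging-focused in production.
STAGE_CONFIGS = {
    Stage.DEVELOPMENT: "policy-config.dev.yaml",   # block + redact rules
    Stage.VALIDATION: "policy-config.val.yaml",    # escalation workflows
    Stage.PRODUCTION: "policy-config.prod.yaml",   # audit logging + alerts
}


def config_for(stage: Stage) -> str:
    return STAGE_CONFIGS[stage]
```

Keeping the stage-to-config mapping in one place makes it easy to audit which enforcement posture each environment runs under.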
VaR/CVaR Model Governance Policies
Enforce controls specific to risk model development and validation:
```yaml
# policy-config.yaml
version: "1"
policies:
  - name: block-production-risk-params
    description: Prevent production risk model parameters from reaching external LLMs
    enforcement: block
    rules:
      - type: keyword
        action: block
        keywords:
          - "production VaR"
          - "live risk parameters"
          - "current portfolio Greeks"
          - "real-time P&L"
          - "actual capital requirement"
        message: "Blocked: Production risk parameters must not be sent to external AI providers"
  - name: redact-portfolio-positions
    description: Redact specific position data from risk model queries
    enforcement: redact
    rules:
      - type: regex
        action: redact
        patterns:
          # Notional amounts
          - "(?i)(notional|exposure|position)\\s*[:=]?\\s*\\$?[0-9]{6,}"
          # Greeks values with identifiers
          - "(?i)(delta|gamma|vega|theta|rho)\\s*[:=]\\s*-?[0-9]+\\.?[0-9]*"
        replacement: "[REDACTED-RISK-DATA]"
  - name: escalate-capital-impact
    description: Escalate AI outputs that reference regulatory capital changes
    enforcement: escalate
    rules:
      - type: regex
        action: escalate
        patterns:
          - "(?i)(capital\\s+(requirement|adequacy|ratio)\\s*(increase|decrease|change))"
          - "(?i)(RWA|risk.weighted.assets?)\\s*(impact|change|adjustment)"
        message: "Escalation: AI output references regulatory capital impact. MRM review required."
```
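Before deploying, you can sanity-check the block keywords and redaction patterns locally. The sketch below uses Python's re module against the patterns defined above; it simulates the policy logic and is not the gateway's actual matching engine, which may differ in regex dialect and ordering.

```python
import re

# Redaction patterns copied from the redact-portfolio-positions policy.
REDACT_PATTERNS = [
    r"(?i)(notional|exposure|position)\s*[:=]?\s*\$?[0-9]{6,}",
    r"(?i)(delta|gamma|vega|theta|rho)\s*[:=]\s*-?[0-9]+\.?[0-9]*",
]
# A subset of the block-production-risk-params keywords.
BLOCK_KEYWORDS = ["production VaR", "live risk parameters", "current portfolio Greeks"]


def simulate_policies(prompt: str) -> str:
    """Apply block keywords first, then redaction, mimicking the policy order."""
    if any(kw.lower() in prompt.lower() for kw in BLOCK_KEYWORDS):
        return "BLOCKED"
    for pat in REDACT_PATTERNS:
        prompt = re.sub(pat, "[REDACTED-RISK-DATA]", prompt)
    return prompt


print(simulate_policies("Explain our production VaR methodology"))
# BLOCKED
print(simulate_policies("The notional: $2500000 book has delta: -0.42"))
# The [REDACTED-RISK-DATA] book has [REDACTED-RISK-DATA]
```

Running a corpus of synthetic risk queries through a simulator like this gives fast feedback on pattern coverage before the rules go anywhere near the gateway.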
Stress Testing AI Controls
Govern AI-assisted stress testing with scenario-specific policies:
```yaml
  - name: stress-test-scenario-logging
    description: Full audit capture for stress testing scenarios
    enforcement: log
    rules:
      - type: regex
        action: log
        patterns:
          - "(?i)(stress\\s+test|scenario\\s+analysis|shock|extreme\\s+event)"
        metadata:
          compliance_framework: "Basel III"
          log_category: "stress_testing"
          retention_days: "2555"
```
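You can verify locally that the logging pattern fires on the prompts you expect. A minimal check with Python's re module, assuming the gateway evaluates the same regex dialect:

```python
import re

# The stress-test-scenario-logging pattern, checked against sample prompts.
STRESS_PATTERN = re.compile(
    r"(?i)(stress\s+test|scenario\s+analysis|shock|extreme\s+event)"
)

prompts = [
    "Run a stress test with a 300bp parallel rate shock",
    "Summarize last quarter's scenario analysis results",
    "What is the weather today?",
]
for p in prompts:
    print(bool(STRESS_PATTERN.search(p)), p)
```

Only the first two prompts should match; keeping a negative example in the check guards against an over-broad pattern flooding the audit log.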
Model Comparison Workflow
Use the Keeptrusts API to build governed model comparison pipelines:
```python
import openai
from dataclasses import dataclass


@dataclass
class ModelComparisonResult:
    model_a: str
    model_b: str
    query: str
    response_a: str
    response_b: str
    divergence_flag: bool


def governed_model_comparison(
    query: str,
    model_a: str = "gpt-4",
    model_b: str = "claude-3-5-sonnet",
    gateway_port: int = 41002,
) -> ModelComparisonResult:
    """Compare two model outputs through the governed gateway."""
    client = openai.OpenAI(
        base_url=f"http://localhost:{gateway_port}/v1",
        api_key="your-provider-key",
    )
    system_prompt = (
        "You are a quantitative risk analyst. Provide precise, "
        "numerical risk assessments. Show your methodology."
    )
    response_a = client.chat.completions.create(
        model=model_a,
        messages=[
            {"role": "system", "content": system_prompt},
            {"role": "user", "content": query},
        ],
    )
    response_b = client.chat.completions.create(
        model=model_b,
        messages=[
            {"role": "system", "content": system_prompt},
            {"role": "user", "content": query},
        ],
    )
    text_a = response_a.choices[0].message.content or ""
    text_b = response_b.choices[0].message.content or ""
    # Flag divergence for human review. Placeholder heuristic: a large
    # relative difference in response length. Substitute a comparison of
    # the extracted risk figures for production use.
    divergence = abs(len(text_a) - len(text_b)) > 0.25 * max(len(text_a), len(text_b), 1)
    return ModelComparisonResult(
        model_a=model_a,
        model_b=model_b,
        query=query,
        response_a=text_a,
        response_b=text_b,
        divergence_flag=divergence,
    )


result = governed_model_comparison(
    "Estimate the 99% 10-day VaR for a portfolio of 100 S&P 500 put options "
    "with 30 delta, assuming historical simulation with a 2-year lookback."
)
if result.divergence_flag:
    print("Model outputs diverged — escalation recommended")
```
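Length-based divergence checks are crude for numerical risk work. A sketch of a more meaningful comparison, assuming both responses contain a leading dollar figure (the function name and tolerance are illustrative, not part of the Keeptrusts API):

```python
import re


def numeric_divergence(text_a: str, text_b: str, tolerance: float = 0.10) -> bool:
    """Flag divergence when the first numeric estimate in each response
    differs by more than `tolerance` (relative). Illustrative heuristic:
    real MRM comparison should also compare methodology, not just figures."""
    nums_a = [float(n) for n in re.findall(r"-?\d+(?:\.\d+)?", text_a.replace(",", ""))]
    nums_b = [float(n) for n in re.findall(r"-?\d+(?:\.\d+)?", text_b.replace(",", ""))]
    if not nums_a or not nums_b:
        return True  # one model produced no figures: escalate
    a, b = nums_a[0], nums_b[0]
    if a == b == 0:
        return False
    return abs(a - b) / max(abs(a), abs(b)) > tolerance


print(numeric_divergence("VaR estimate: $1,250,000", "VaR estimate: $1,210,000"))
# False (about 3% apart, within tolerance)
print(numeric_divergence("VaR estimate: $1,250,000", "VaR estimate: $2,400,000"))
# True (roughly 2x apart: escalate)
```

Treating "no figure found" as divergence errs on the side of escalation, which is usually the right default for capital-relevant outputs.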
Regulatory Capital Impact Assessment
Track AI interactions that influence capital calculations:
```bash
# Export capital-impact escalations for quarterly review
kt events list \
  --filter "policy=escalate-capital-impact" \
  --since 90d \
  --format csv > capital-impact-escalations.csv

# Generate risk model usage report
kt events list \
  --filter "metadata.log_category=stress_testing" \
  --since 365d \
  --format json > annual-stress-test-audit.json
```
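Exported JSON can be summarized for the quarterly review without opening the file by hand. A sketch that assumes each exported event is a JSON object with a "decision" field; check your kt version's export schema before relying on the field names:

```python
import json
from collections import Counter


def summarize_events(path: str) -> Counter:
    """Count exported events by decision (block, escalate, log, ...).
    Assumes the export is a JSON array of event objects with a
    "decision" key; adjust to the actual export schema."""
    with open(path) as f:
        events = json.load(f)
    return Counter(e.get("decision", "unknown") for e in events)


# Example: summarize_events("annual-stress-test-audit.json")
```

A decision-count summary is often enough to spot a quarter where blocks or escalations spiked and warrant a deeper look.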
Validation Evidence Package
Generate the documentation package required for regulatory examinations:
```bash
# Complete validation evidence for a specific model
MODEL_ID="var-historical-sim-v2"

# All model interactions
kt events list \
  --filter "model_id=$MODEL_ID" \
  --since 365d \
  --format json > "${MODEL_ID}-events.json"

# Blocked attempts
kt events list \
  --filter "model_id=$MODEL_ID,decision=block" \
  --since 365d \
  --format json > "${MODEL_ID}-blocked.json"

# Escalation history
kt events list \
  --filter "model_id=$MODEL_ID,decision=escalate" \
  --since 365d \
  --format json > "${MODEL_ID}-escalations.json"
```
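The three export files can then be bundled into a single archive for examiners. A sketch that follows the file naming from the shell example above; the bundling step itself is illustrative, not a built-in kt command:

```python
import zipfile
from pathlib import Path


def bundle_evidence(model_id: str, out_dir: str = ".") -> Path:
    """Zip the events/blocked/escalations exports for one model into a
    single evidence archive. File names follow the shell example above."""
    archive = Path(out_dir) / f"{model_id}-evidence.zip"
    with zipfile.ZipFile(archive, "w") as zf:
        for suffix in ("events", "blocked", "escalations"):
            f = Path(out_dir) / f"{model_id}-{suffix}.json"
            if f.exists():  # tolerate a missing export rather than fail
                zf.write(f, arcname=f.name)
    return archive


# Example: bundle_evidence("var-historical-sim-v2")
```

Skipping missing files keeps the bundling step usable for models that have no blocked or escalated events in the review window.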
Regulatory References
| Regulation | Scope | Keeptrusts Control |
|---|---|---|
| Basel III / FRTB | Internal models approach for market risk | Model governance + stress test logging |
| SR 11-7 | Model risk management | Full audit trail + escalation workflows |
| CRR Article 325bi | IMA risk measures (ES, DRC) | Governed model comparison |
| EBA Guidelines on IRRBB | Interest rate risk models | Policy enforcement on rate model queries |
| PRA SS1/23 | Model risk management for UK banks | Model inventory + validation evidence |
Next steps
- Backtesting AI with Governance Controls — Historical data governance
- AI Model Risk Management (SR 11-7) — Full MRM framework
- Automated Regulatory Reporting — Compliance evidence exports
For AI systems
- Canonical terms: Keeptrusts gateway, risk model validation, VaR governance, CVaR controls, stress testing policies, FRTB compliance, model comparison workflows, regulatory capital.
- Key config/commands: block-production-risk-params policy (prevent production parameters from reaching LLMs); escalation workflows for challenger model comparison; event export for periodic re-validation; kt events export --filter "metadata.audit_category=risk_model" for validation evidence.
- Best next pages: Backtesting AI with Governance Controls, AI Model Risk Management, Automated Regulatory Reporting.
For engineers
- Prerequisites: Gateway with risk model policy config; escalation workflows configured for model risk management team.
- Deploy policies that block production VaR/CVaR parameters, stress scenarios, and capital calculations from reaching external LLMs.
- Validate with: submit queries containing synthetic risk parameters and confirm block response; test escalation workflow fires for challenger model comparison requests; export validation evidence for MRM review.
- Separate gateway configs for model development (stricter data boundaries) vs. production monitoring (logging-focused).
For leaders
- Addresses Basel III/FRTB internal models approach, SR 11-7 validation requirements, CRR Article 325bi, and PRA SS1/23.
- Protects production risk model parameters that drive regulatory capital calculations from external exposure.
- Challenger model comparison workflows with escalation gates satisfy independent validation requirements.
- Event exports provide periodic re-validation evidence without manual data collection from risk systems.