Model Governance: Managing AI From Build to Retire

Model governance spans the full AI lifecycle — development, deployment, monitoring, retirement. Learn how SR 11-7 principles apply beyond banking to every org.

Starkguard Team

Model governance is the set of policies, processes, and controls that manage an AI model across its entire lifecycle — from development through deployment, monitoring, and retirement. It answers a deceptively simple question: who approved this model, under what conditions, and is it still performing as intended?

We've worked with teams that have sophisticated MLOps pipelines — automated training, containerized deployment, CI/CD for models — but no governance layer. They can deploy a model in minutes. They can't tell you who approved the deployment, what validation was performed, or whether performance has degraded since launch. Speed without oversight isn't maturity. It's exposure.

The SR 11-7 Heritage

Modern model governance traces its lineage to the Federal Reserve's SR 11-7 guidance, issued April 2011. Originally written for banks, this supervisory letter established principles that now underpin model risk management across industries.

SR 11-7 defines a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." Three core activities follow:

Independent validation. The team that builds the model shouldn't validate it. SR 11-7 requires "effective challenge" — validation by people with appropriate incentives, competence, and influence. Your data scientists shouldn't self-certify their own models for production.

Model inventory. Every model should be cataloged with its purpose, owner, validation status, and risk tier. This maps directly to the AI system inventories now required under frameworks like the EU AI Act.

Ongoing monitoring. Validation isn't one-time. SR 11-7 requires continuous monitoring — process verification, benchmarking against outcomes, and sensitivity analysis — to confirm models perform as expected.

The OCC and FDIC adopted SR 11-7's principles, making these standards universal for financial services institutions. Regulators now apply SR 11-7 to AI and ML models, raising expectations around explainability, bias mitigation, and third-party model risk.

The Full Model Lifecycle

Model governance isn't a phase — it's a layer across every phase.

Development and Design

Governance starts before code. Document the business purpose, risk classification, data requirements, and acceptance criteria. The NIST AI RMF's MAP function addresses this — mapping context, intended use, and potential impacts before development begins. During development, maintain version-controlled code, document training data provenance, and record hyperparameter choices.

Validation and Approval

Before production, independently validate against design criteria: performance on held-out data, fairness evaluation across demographic groups, robustness testing, and risk assessment documentation. Route findings to a model approval authority with documented conditions — monitoring requirements, review frequency, sunset criteria.

Production Monitoring

This is where the largest gap exists. Teams invest in deployment but underinvest in detecting degradation. Monitor accuracy, latency, and fairness metrics in production. Detect data drift. Maintain incident response procedures. A credit scoring model trained on 2023 data may perform well initially but drift significantly as economic conditions change.

Retirement

Models don't live forever but rarely get formally retired. Define sunset criteria at design: maximum age without revalidation, performance thresholds triggering retirement, regulatory changes invalidating the approach. Retirement means archiving artifacts for audit trails, migrating dependent systems, updating the inventory, and notifying downstream consumers.

Model Cards, Registries, and Documentation

Documentation is the connective tissue. Model cards (Mitchell et al., 2019) provide standardized documentation of a model's intended use, performance, ethical considerations, and limitations. The EU AI Act's Article 13 transparency requirements effectively mandate model card-equivalent documentation for high-risk systems.

Datasheets for datasets (Gebru et al., 2021) apply the same rigor to training data — documenting motivation, composition, collection process, and limitations. Most model failures trace to data problems, making data documentation arguably more important than model documentation.

Model registries serve as the single source of truth: what models exist, where they're deployed, who owns them, and their current status. A registry is the operational backbone of your AI governance program.

The Gap Between MLOps and Model Governance

MLOps and model governance are complementary, not interchangeable.

MLOps handles infrastructure: containerization, orchestration, feature stores, model serving, retraining pipelines. It answers "can we deploy reliably and at scale?"

Model governance handles oversight: approval workflows, independent validation, regulatory compliance, documentation, audit readiness. It answers "should we deploy, and under what conditions?"

The integration point is the model registry — where governance metadata (approval status, risk tier, validation results) attaches to MLOps metadata (model version, deployment environment, performance metrics). When these systems of record are separate, the gaps are exactly where audit findings and regulatory violations live.
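A deployment gate over such a joined registry record, as an added example (not Starkguard's code or any MLOps product's API). The field names, the three risk tiers, and the 365-day revalidation limit are assumptions chosen for illustration; the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

MAX_VALIDATION_AGE_DAYS = 365           # assumed sunset criterion; set per risk tier in practice
RISK_TIERS = {"low", "medium", "high"}  # assumed tiering scheme


@dataclass
class RegistryRecord:
    # MLOps metadata
    name: str
    version: str
    environment: str
    # Governance metadata (hypothetical field names)
    owner: Optional[str]           # a named person, not a team
    developed_by: str
    validated_by: Optional[str]
    validated_on: Optional[date]
    approved_by: Optional[str]
    risk_tier: Optional[str]


def deployment_findings(rec: RegistryRecord, today: date) -> list[str]:
    """Return the governance gaps that should block a production deployment."""
    findings = []
    if not rec.owner:
        findings.append("no named owner")
    if rec.risk_tier not in RISK_TIERS:
        findings.append("risk tier not assigned")
    if not rec.validated_by or rec.validated_on is None:
        findings.append("no validation on record")
    else:
        # "Effective challenge": the builder must not validate their own model.
        if rec.validated_by == rec.developed_by:
            findings.append("validation is not independent of the developer")
        if (today - rec.validated_on).days > MAX_VALIDATION_AGE_DAYS:
            findings.append("validation older than revalidation limit")
    if not rec.approved_by:
        findings.append("no approval on record")
    return findings


# Constructed sample records: one self-certified and stale, one complete.
SELF_CERTIFIED = RegistryRecord("credit-score", "3.1.0", "prod", "a.rivera", "j.chen",
                                "j.chen", date(2023, 2, 1), None, "high")
COMPLIANT = RegistryRecord("credit-score", "3.2.0", "prod", "a.rivera", "j.chen",
                           "m.okafor", date(2025, 1, 10), "risk-committee", "high")

if __name__ == "__main__":
    for rec in (SELF_CERTIFIED, COMPLIANT):
        print(rec.name, rec.version, deployment_findings(rec, date(2025, 6, 1)) or "OK to deploy")
```

Run as a required step in the deployment pipeline, a non-empty findings list fails the release and the list itself becomes the audit record of why.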

Building Governance That Scales

Sustainable model governance has three properties:

Proportionate controls. Not every model needs the same oversight. A content recommendation model carries different risk than an automated lending model. Tier controls by risk level — the NIST AI RMF and EU AI Act both endorse this approach.

Automated evidence collection. Validation results, deployment approvals, and monitoring metrics should flow into governance records automatically. The less manual effort governance requires, the more likely it happens.

Clear ownership. Every model needs a named owner — not a team, not a department. When accountability is diffuse, it's absent.
