Second-line model risk exists to challenge first-line models independently and refuse what it cannot validate. Generative AI arrives with confident demos but none of the documentation, reproducibility or evaluation discipline that SR 11-7 and SS1/23 expect. Faced with an unvalidatable artefact, a competent validator does the only responsible thing and withholds approval.
Generative AI is built by teams fluent in models but not in model risk management, so the validation evidence is an afterthought rather than a design input. The artefacts that exist were written to demo the capability, not to survive independent challenge. Second line cannot lower a standard that exists to protect the firm, so the two sides stall.
A validated, value-generating use case sits frozen while the documentation gap goes unaddressed. First and second line burn months in circular review because no one has built the artefact set both can accept.
The use case misses its window while competitors who built validation in from the start ship and compound the advantage. Worse, pressure to deploy without sign-off invites either a governance breach or a supervisory finding, each of which costs far more than doing the validation properly the first time.
Model documentation written in Word and tracked in Excel is exactly what no serious validator will accept. It has no version control, no reproducible evaluation, no link between a claimed result and the run that produced it, and it drifts out of date the moment the model changes. Scattered documents describe a model; they do not constitute the evidence base independent validation requires.
What clears second line is a proper validation artefact set: an independent validation conducted at arm's length, a versioned evaluation harness that anyone can rerun to reproduce results, and documentation of intended use, limitations, data, monitoring and change history. Assembled as an audit pack mapped to SR 11-7, SS1/23 and the wider control framework, it gives the validator something concrete to challenge and approve. The standard is met by construction, not by negotiation.
Moweb builds the validation artefact set second line actually needs: independent validation, a versioned evaluation harness your team can rerun, and an audit pack mapped to SR 11-7 and SS1/23, delivered on every engagement. We govern to NIST, ISO 42001 and the EU AI Act alongside the model-risk standards, partner-led and on a fixed fee, in 8 to 16 weeks to production. The deliverable is built to survive independent challenge, so approval follows the evidence rather than the argument.
Because working in a demo and being validatable are different things. Second line cannot approve what it cannot independently challenge, and a confident demo with no reproducible evaluation, documented intended use or version history gives a validator nothing to test. The block is correct given the evidence; the fix is to supply the evidence, not to overrule the validator.
Supervisors increasingly treat generative AI as a model within scope of existing model-risk frameworks, and prudent second-line teams already do. Whether or not a use case is formally in scope, the disciplines of independent validation, reproducible evaluation and documented limitations are what unblock it. Building to SR 11-7 and SS1/23 is the path of least resistance through approval.
No, and offering that is what hardens the deadlock. Validation must be independent of the build to satisfy model-risk standards and to be credible to a supervisor. Moweb conducts validation at arm's length from the build team, which is precisely the separation second line requires before it will sign off.
Documented intended use and limitations, data lineage, the versioned evaluation harness and its results, monitoring design, change history, and an evidence map to SR 11-7, SS1/23, NIST, ISO 42001 and the EU AI Act as relevant. It is the complete artefact set a validator challenges and a supervisor inspects. We deliver it on every engagement, not as an add-on.