Model risk management was, until recently, a discipline that lived in two corners of the bank: credit risk and traded market risk. In the insurer, it lived in the actuarial function. Everywhere else, "models" was a loose term and the governance was loose to match.
That distinction has not survived 2026. The FCA's expectations, the EU AI Act's coming-into-force timetable and the PRA's SS1/23 implementation have together collapsed the perimeter. Anything that takes inputs, produces an outcome and influences a customer or a regulatory metric is in scope.
What the new perimeter actually covers
- Classical risk models — still in scope, still the gold standard for documentation rigour.
- Pricing and personalisation engines — explicitly in scope under Consumer Duty fair-value expectations.
- Fraud and AML detection — in scope, with elevated attention to false-positive demographics.
- Generative AI workflows — in scope as soon as they influence a customer decision or a regulatory output. Drafting tools used purely internally sit in a softer tier but still require inventory.
- Vendor-provided models — in scope, with the institution responsible for governance regardless of who built the model.
What good coverage looks like
Good coverage is a single inventory across all of the tiers above, with a risk-based validation cadence, continuous monitoring on the highest-tier deployments, documented challenger review where the regulator expects it, and a model-risk committee whose members have genuine technical depth rather than attending to tick a box.
The institutions that built this scaffolding for credit risk over the last two decades have the playbook. They just need to apply it at a perimeter five times wider, and at a velocity their existing governance committees cannot meet without restructuring. The institutions that did not build it — non-bank lenders, smaller insurers, asset managers entering retail — are constructing it now under deadline. The 2026 supervisory cycle will distinguish between the two visibly.