
AI Risk · Model Risk · Assurance
Regulator-grade AI governance, stood up across your AI estate in 120 days.
An operating governance function — inventory, risk-tiering, AI Risk Files, three-lines operating model — aligned to ISO/IEC 42001, NIST AI RMF, the EU AI Act, the UAE AI Charter, SAMA and SR 11-7. The risk team owns it at handover.
AI Risk File
Regulator-grade · System #14 — Credit Decisioning
Tier: High · Owner: 1LoD · Version 3.2
- 01 · Model card · signed
- 02 · Datasheet for the dataset · signed
- 03 · Bias test pack (Fairlearn · Aequitas · AIF360) · signed
- 04 · Explainability (SHAP · Anchors · Grad-CAM) · signed
- 05 · Adversarial robustness (ART) · signed
- 06 · Controls mapping appendix · signed
41 · Systems risk-tiered at one UAE tier-1 bank
0 · Major non-conformities at ISO/IEC 42001 pre-audit
6 days · Median request-to-evidence-pack (n=18)
120 days · Stand-up to handover
Why your existing model risk framework is not enough
SR 11-7 was written with statistical bank models such as credit scorecards in mind, not for a GenAI assistant or a deep CV system.
Existing model risk management understands credit models in PD/LGD/EAD form. AI/ML adds data lineage you cannot inspect by hand, bias dimensions PD/LGD never had to cover, drift on a weekly cadence, GenAI hallucination as a new failure mode, and explainability beyond a regression coefficient. We extend your MRM function rather than replace it.
Inventory pulled from MLOps
Not a manual spreadsheet that decays. The inventory updates when a new model is registered, and tiering is generated from observable attributes.
Bias and explainability built in
Fairlearn, Aequitas, AIF360 for bias. SHAP, LIME, Captum, Anchors, Grad-CAM for explanation. The evidence is generated by the model owner, reviewed by second line, available to internal audit on demand.
Drift and hallucination as first-class signals
Continuous assurance pulls signals from monitoring — drift, fairness drift, hallucination, refusal rate, override rate — into the quarterly committee pack. The conversation moves to substance fast.
The load-bearing artefact
The AI Risk File. Six tabs. Five or more frameworks evidenced at once.
Every AI system in scope receives a defensible evidence pack. Map once, satisfy ISO/IEC 42001, NIST AI RMF, EU AI Act Annex IV, the UAE AI Charter, SAMA, SR 11-7 and Dubai AI Ethics — from a single source of truth.
Tab 01
Model card
Owner, version, intended use, scope, training data summary, evaluation results, known limitations, sign-offs. The card travels with the model through MLOps; updates are tracked events.
Tab 02
Datasheet for the dataset
Datasheets for Datasets format. Collection, composition, labelling, consent, sensitive attributes, refresh cadence. Critical for bias and EU AI Act technical documentation.
Tab 03
Bias test pack
Demographic parity, equal opportunity, equalised odds, calibration by group. Generated with Fairlearn, Aequitas, and IBM AI Fairness 360. Slices relevant to UAE / KSA demographics.
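The four tests in this tab, and the "fairness drift" signal the continuous-assurance section feeds into the quarterly pack, computed on a constructed decision log. This is an added example, not code from the page or from Fairlearn/Aequitas/AIF360; it is pure Python so it runs offline, and the group labels, outcomes and tolerance are assumptions chosen for illustration. Calibration by group is taken in its binary-decision form (positive predictive value per group); with scores you would bin before comparing.

```python
"""Bias test pack for a binary decision system, sliced by protected attribute.

Added example (not the page's code). Fairlearn, Aequitas and AIF360 compute the
same group metrics; this shows what the numbers in the pack actually are.
All decision records below are constructed, not taken from any engagement.
"""
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed log: (protected group, ground truth, model decision); 1 = approve.
Record = Tuple[str, int, int]
BASELINE: Iterable[Record] = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 0),
    ("A", 0, 1), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0),
    ("B", 1, 1), ("B", 1, 1), ("B", 1, 0), ("B", 1, 0), ("B", 1, 0),
    ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]
# Constructed later period after a retrain: group B now gets one more approval.
CURRENT: Iterable[Record] = [
    ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 1), ("A", 1, 0),
    ("A", 0, 1), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0), ("A", 0, 0),
    ("B", 1, 1), ("B", 1, 1), ("B", 1, 1), ("B", 1, 0), ("B", 1, 0),
    ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0), ("B", 0, 0),
]


def group_rates(decisions: Iterable[Record]) -> Dict[str, Dict[str, float]]:
    """Per-group selection rate, TPR, FPR and PPV from confusion counts."""
    counts = defaultdict(lambda: {"tp": 0, "fp": 0, "fn": 0, "tn": 0})
    for group, y, y_hat in decisions:
        key = ("tp" if y else "fp") if y_hat else ("fn" if y else "tn")
        counts[group][key] += 1

    def ratio(num: int, den: int) -> float:
        return num / den if den else 0.0  # empty slice: report 0, never divide

    rates = {}
    for group, c in counts.items():
        rates[group] = {
            "selection_rate": ratio(c["tp"] + c["fp"], sum(c.values())),
            "tpr": ratio(c["tp"], c["tp"] + c["fn"]),
            "fpr": ratio(c["fp"], c["fp"] + c["tn"]),
            "ppv": ratio(c["tp"], c["tp"] + c["fp"]),
        }
    return rates


def _gap(rates: Dict[str, Dict[str, float]], key: str) -> float:
    """Largest between-group difference for one rate."""
    values = [r[key] for r in rates.values()]
    return max(values) - min(values)


def bias_test_pack(decisions: Iterable[Record], tolerance: float = 0.1):
    """Return {test: (gap, passed)} for the four group-fairness tests.

    demographic_parity: gap in selection rate
    equal_opportunity:  gap in true positive rate
    equalised_odds:     larger of the TPR gap and the FPR gap
    calibration:        gap in PPV, the binary-decision form of calibration
    The tolerance (0.1 here) is an assumed threshold; the real one is set by
    second line and recorded in the Risk File.
    """
    rates = group_rates(decisions)
    gaps = {
        "demographic_parity": _gap(rates, "selection_rate"),
        "equal_opportunity": _gap(rates, "tpr"),
        "equalised_odds": max(_gap(rates, "tpr"), _gap(rates, "fpr")),
        "calibration": _gap(rates, "ppv"),
    }
    return {test: (round(gap, 4), gap <= tolerance) for test, gap in gaps.items()}


def fairness_drift(baseline: Iterable[Record], current: Iterable[Record]):
    """Change in each fairness gap between two periods: the monitoring signal."""
    before, after = bias_test_pack(baseline), bias_test_pack(current)
    return {test: round(after[test][0] - before[test][0], 4) for test in before}


if __name__ == "__main__":
    for test, (gap, ok) in bias_test_pack(BASELINE).items():
        print(f"{test:20s} gap={gap:.3f} {'PASS' if ok else 'FAIL'}")
    for test, delta in fairness_drift(BASELINE, CURRENT).items():
        print(f"{test:20s} drift={delta:+.3f}")
```

Each test returns a number and a verdict against a declared tolerance, which is what "quantified, not narrated" means in practice; the drift function is the same computation run on two windows, so the committee pack can show whether a retrain moved a gap and in which direction.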
Tab 04
Explainability suite
SHAP, LIME, Captum integrated gradients, Anchors for tabular; Grad-CAM for vision. Choice driven by audience: model risk needs SHAP, customer notice needs Anchors.
Tab 05
Adversarial robustness
ART — Adversarial Robustness Toolbox. Evasion, poisoning, model extraction. Quantified, not narrated. For GenAI systems, prompt injection and RAG provenance are tested as well, since they fall outside ART's evasion, poisoning and extraction scope.
Tab 06
Controls mapping
One Risk File. Five-to-eight frameworks evidenced. Map once, reuse everywhere. The mapping appendix is regenerated from a single source of truth, so framework drift surfaces immediately.
Controls mapping done once, reused everywhere
One control. Mapped to six frameworks in the excerpt below, eight in the full matrix.
The mapping appendix is regenerated from a single source of truth. Framework drift surfaces immediately. Eight illustrative controls below; the full matrix covers forty-seven control objectives across ISO 42001, NIST, EU AI Act, UAE Charter, SAMA, SR 11-7, PRA SS1/23 and Dubai AI Ethics.
| Control | ISO 42001 | NIST AI RMF | EU AI Act | UAE Charter | SAMA | SR 11-7 |
|---|---|---|---|---|---|---|
| AI inventory | 42001 §8.1 | GOVERN 1.5 | Annex IV (1) | Principle 1 | AI Annex 3.1 | §II.A |
| Risk tiering | 42001 §6.1 | MAP 1.1 | Art. 6 | Principle 4 | AI Annex 4.2 | §II.B |
| Bias testing | 42001 §8.4 | MEASURE 2.11 | Art. 10(2)(f) | Principle 5 | AI Annex 5.1 | §IV.B |
| Explainability | 42001 §8.5 | MEASURE 2.9 | Art. 13 | Principle 6 | AI Annex 5.2 | §V.A |
| Human oversight | 42001 §8.6 | MANAGE 1.3 | Art. 14 | Principle 7 | AI Annex 6.1 | §III.B |
| Robustness & security | 42001 §8.7 | MANAGE 4.2 | Art. 15 | Principle 8 | AI Annex 7.1 | §V.C |
| Post-market monitoring | 42001 §9.1 | MEASURE 4.3 | Art. 17 | Principle 9 | AI Annex 8.1 | §VI.A |
| Incident reporting | 42001 §10.2 | MANAGE 4.3 | Art. 62 | Principle 10 | AI Annex 9.1 | §VI.B |
* Mapping is illustrative and refreshed quarterly. EU AI Act article numbers above follow the pre-adoption draft; in the adopted text (Regulation (EU) 2024/1689) post-market monitoring and serious-incident reporting are Articles 72 and 73, while Articles 6, 10, 13, 14 and 15 keep their numbers. ISO/IEC 42001 clause 8 ends at 8.4 (AI system impact assessment), so references above 8.4 resolve to Annex A controls in the shipped matrix. Full matrix shipped under NDA with engagement scoping.
The 120-day stand-up
Inventory → tiering → Risk Files → operating model → handover.
Named senior pod in the SoW: a Brocode head of AI risk, a former regulator-side adviser, two senior AI risk engineers, and a delivery lead. Roles and CVs are visible before contract signature.
Week 0–3
Inventory and risk-tiering
AI system inventory pulled from MLOps registry plus stakeholder interviews. Risk tiering on observable attributes (autonomy, reversibility, scale of impact). Output: a tiered register signed by first and second line.
Inventory closed
Week 4–10
AI Risk Files on high-risk systems
Model card, datasheet, bias test pack, explainability suite, adversarial robustness summary, controls mapping. Produced for every high-risk system. Each file maps to five or more frameworks simultaneously.
Files defensible
Week 11–14
Governance Operating Model
Three-lines-of-defence RACI. Committee charters: AI Risk Committee, AI Ethics Board. Escalation thresholds. Inventory tool stood up in Atlan or Collibra, integrated with Credo AI or Fiddler where the customer already owns those.
Function live
Week 15–17
Regulator Rehearsal and handover
Half-day rehearsal with former examiner and former federal IT auditor stress-testing the evidence pack until gaps close. Then handover to the risk team — Brocode steps back into advisory.
120-day stand-up
The Regulator Rehearsal
A former examiner sits across the table and stress-tests the evidence pack.
Before any real regulator engagement, a Brocode panel — including a former central-bank examiner and a former UAE federal IT auditor — runs a half-day rehearsal. The risk team answers the questions that will actually be asked. Gaps close before the regulator sees them.
Named senior advisers
- 01 · Ex-Central Bank examiner (GCC)
- 02 · Ex-DoH inspector
- 03 · Ex-FCA AI policy lead
- 04 · Fellow of the Royal Statistical Society
- 05 · ISO/IEC 42001 lead implementers
CVs and current credentials shared under NDA before SoW.
Objections answered with evidence
Three things every CRO asks. Three production references.
SR 11-7 already covers us
UAE tier-1 bank, 41 systems risk-tiered.
Full AI Risk Files produced for 9 high-risk systems. ISO/IEC 42001 readiness assessment closed with zero major non-conformities. End-to-end in 134 days. SR 11-7 framework extended, not replaced.
We could buy a SaaS
UAE healthcare provider, clinical AI triage.
Risk-assessed and explainability-documented to DoH satisfaction. Evidence pack accepted on first submission. Integrated with the customer Holistic AI deployment rather than competing with it.
Big-4 is safer on cover
GCC sovereign entity, 12 internal AI systems.
UAE AI Charter alignment assessment. Public-facing transparency notice produced. Pack went under the customer name, not ours. Accepted on first submission to the parent ministry.
How we compare
Big-4, governance SaaS, single internal hire — honestly.
Big-4 ships slides and outsources the technical work. Governance SaaS automates parts of the evidence layer but cannot produce the narrative, the operating model or the rehearsal. A single internal hire takes 6–9 months and then needs a team. We deliver in 120 days and transfer the operating model so the internal hire inherits a working function.
| Capability | Brocode | Big-4 risk practice | Credo AI / Fiddler | IBM watsonx.governance | Single internal hire |
|---|---|---|---|---|---|
| Named senior advisers with regulator-side backgrounds | Ex-Central Bank examiner, ex-DoH inspector, ex-FCA AI policy lead | Partner-plus-pyramid | Product not service | Product not service | Single new hire |
| Produces the regulator-grade evidence narrative | Yes | Eventually | No | No | |
| Plugs into existing governance SaaS | Credo AI / Fiddler / watsonx / Holistic AI | Slides separately | Their platform only | Their platform only | Builds from scratch |
| Half-day Regulator Rehearsal (former examiner stress-tests the evidence pack) | Yes | | No | No | |
| Independence vs implementation separation | Type-II assurance posture | Same firm sells implementation | Vendor | Vendor | No separation |
| Operating model and three-lines RACI | Yes | Templates | Not delivered | Not delivered | Eventually |
| Time from regulator request to evidence pack | 6 days median (n=18) | Weeks | Tool not pack | Tool not pack | 11 weeks typical |
Free download
Specimen Regulator-Grade AI Risk File
A sixty-four page redacted PDF based on a real engagement — model card, datasheet, bias test pack, explainability suite, robustness, and the controls mapping appendix to ISO/IEC 42001, EU AI Act, UAE AI Charter and NIST AI RMF. Plus a one-pager: 21 questions a UAE or KSA regulator will ask about your AI in 2026.
- Specimen model card (redacted)
- Datasheet for the dataset (Datasheets for Datasets format)
- Bias test pack — demographic parity, equal opportunity, equalised odds, calibration
- Explainability suite — SHAP, LIME, Captum, Anchors, Grad-CAM
- Adversarial robustness summary — ART evasion + poisoning + extraction
- Controls mapping — ISO 42001, NIST AI RMF, EU AI Act, UAE Charter
- 21 questions a UAE / KSA regulator will ask about your AI in 2026
Frequently asked
What CROs and Heads of Model Risk actually want to know.
We already have an SR 11-7 model risk framework. Why is that not enough?
Existing MRM understands credit models in PD/LGD/EAD form: stable, parametric, validated annually. AI/ML adds data lineage you cannot inspect by hand, bias dimensions that PD/LGD never had to cover, drift on a weekly cadence rather than annual, GenAI hallucination as a new failure mode, and explainability beyond a regression coefficient. We extend the existing MRM function rather than replace it. In banks where MRM is mature, the engagement focuses on AI-specific extensions: bias test packs, GenAI guardrails, the AI Risk File template, and the model-card-from-MLOps automation.
Talk to the Head of AI Risk
A 90-minute maturity review. Senior adviser on the call, not a sales lead.
Tell us the regulator letter date, the inventory size, and the frameworks you need to evidence. We will tell you which parts of the standard 120-day stand-up apply, where your existing tooling already does the work, and where the operating-model gaps will surface in the next audit.
The maturity review is independent. If you also need implementation we will declare the conflict and ring-fence the workstreams; if you want pure assurance we will refuse the implementation work for that AI system.
Continue exploring
Related capabilities and stories
AI Consulting & Strategy
Many governance conversations start as strategy conversations.
MLOps & AI Infrastructure
Drift monitoring, retraining triggers and evidence pipelines live here.
Generative AI Development
GenAI-specific governance: hallucination, prompt injection, RAG provenance.
Banking & Financial Services
The dominant industry. SR 11-7 plus CBUAE plus SAMA model risk extensions.
Healthcare
DoH, MOHAP, DHA clinical AI governance and approvals.