Databricks has published a blog post claiming that US banking regulators have rescinded long-standing model risk management guidance — including SR 11-7, OCC 2011-12, and FIL-22-2017 — and replaced it with a more principles-based framework. The post is authored by Pavithra Rao, Jennifer Miller, Chaitanya Varanasi, and Kim Hatton. 4o4 / AI has not independently verified these regulatory changes with the Federal Reserve, FDIC, or OCC, and this article relies solely on that vendor publication.
What the Databricks post claims regulators changed
The post identifies five shifts it attributes to the revised framework, compared to the prior guidance. The thread across all five, according to the post, is that “evidence must be produced as a byproduct of how models are built, not reconstructed after the fact.”
According to Databricks, the revision re-segments how controls are applied rather than rewriting the controls themselves. The post says inventory is tiered by materiality, controls are applied proportionately to tier, and the lifecycle must be defensible end-to-end. The authors say supervisors now treat GenAI and agentic systems as in-scope by principle.
Databricks states that on a traditional technology stack, meeting those expectations translates to “two to three quarters of sprint work: inventory migration, validation template rewrites, new monitoring pipelines, documentation refreshes, vendor-model onboarding, and parallel workstreams for GenAI and agentic systems.”
The platform argument
The Databricks post is explicitly a reference architecture pitch for the Lakehouse as MRM infrastructure, not a neutral regulatory summary. The authors frame the central question as: “what platform decision makes the next guidance change — and the one after that — a configuration exercise instead of a program?”
Their answer, per the post, is that proportionality — described as “the guidance’s stated central principle and historically the hardest to evidence” — becomes manageable through attribute-based access control tied to materiality tier tags in Unity Catalog. The example logic given in the post:
IF model.tier = 'Tier1'
THEN require_approver_role IN ('MRM_Validator', 'Model_Risk_Committee')
AND require_dual_control = TRUEUnder this design, according to the post, a tier reassignment becomes a metadata update rather than a pipeline migration.
The post proposes a Unity Catalog hierarchy with separate catalogs for inventory, classical ML, GenAI, monitoring evidence, and retired model archives. The stated purpose of the separation is to allow MRM leadership to grant examiners read-only access to evidence without exposing underlying training data, which Databricks describes as “a common sticking point in exam prep.”
GenAI and classical ML under one framework
A recurring concern in the post is the instinct to build a second governance framework for LLMs and agents alongside existing MRM apparatus for classical models. Databricks argues against this: “That doubles the cost, doubles the audit surface, and guarantees divergence.”
The proposed architecture registers both classical ML and GenAI models in the same registry with the same lifecycle stages and evidence patterns, adding layer-specific capabilities only where model type demands them. According to the post, this means that when supervisors extend MRM principles to GenAI, banks “do not stand up a second framework.”
The post identifies one lineage traversal as the practical test: an examiner asking “what data trained this model, who validated it, how has it drifted, and which production decisions used it?” should receive answers from a single traversal rather than a cross-team evidence-gathering exercise.
What the post does not address
The Databricks post is a vendor document. It does not address how regulators plan to examine compliance in practice, what transition timeline they may apply to banks currently operating under prior guidance, or whether the described rescission has been formally published by the agencies. Those questions are unaddressed in the post.