Glossary term
Governance and Compliance
The risk remaining after controls and treatments have been applied. Residual risk should be reviewed against appetite and accepted only by the right level of authority. Acceptance should be explicit, time-bound where needed, and made by someone with authority over both the business benefit and the potential harm.
Under SR 11-7, US federally regulated banks require senior business owners to formally accept residual model risk after model risk management (MRM) validation, with that acceptance evidenced in model approval memos.
OpenAI's GPT-4 System Card (March 2023) and subsequent model cards document the remaining risks and limitations accepted at release, including hallucination and harmful advice.
Anthropic's Responsible Scaling Policy commits to not deploying systems if residual risk crosses AI Safety Level (ASL) thresholds, requiring board notification and a pause until mitigations are validated.