GARP RAI: Data and AI Model Governance

Use this page to isolate Data and AI Model Governance before returning to mixed GARP RAI practice.

Topic snapshot

Sample questions

These questions are original Finance Prep practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.

Question 1

Topic: Data and AI Model Governance

A bank’s AI governance committee finds that business units are using internally built models and vendor AI tools, but procurement records, model-validation files, and operational runbooks are not linked. The committee needs a practical basis for oversight and risk classification across the AI lifecycle. What is the best action to take first?

• A. Publish a responsible AI principles statement and ask each business unit to self-certify compliance annually.
• B. Collect vendor assurance reports for all third-party AI tools and treat them as the system of record.
• C. Create a centralized AI inventory that records each AI system, owner, use case, risk rating, data sources, model or vendor, and lifecycle status.
• D. Require independent validation of every AI model before documenting systems already in production.

Best answer: C

What this tests: Data and AI Model Governance

Explanation: The immediate governance need is visibility: the committee cannot classify, oversee, or prioritize AI risks without a reliable record of what AI systems exist and how they are used. A centralized AI inventory serves that purpose by documenting each AI system and key attributes such as business owner, use case, risk rating or classification, data, model, vendor involvement, and lifecycle status. Validation, vendor reviews, and policy attestations may be important controls, but they depend on knowing the population of AI systems first. The inventory becomes the foundation for classification, accountability, monitoring, and lifecycle governance.

• Independent validation is important for in-scope models, but doing it before identifying the full AI population may miss systems and misprioritize effort.
• Vendor assurance reports help with third-party risk, but they do not capture internally built systems or business ownership.
• A principles statement supports responsible AI culture, but it is not a record of systems, owners, risks, data, vendors, and lifecycle status.

An AI inventory is the core governance record used to identify AI systems and capture ownership, use, risk, data, model/vendor, and lifecycle information.

Question 2

Topic: Data and AI Model Governance

A bank wants to reuse an AI system originally validated for prioritizing collections outreach. The same vendor model and code would now rank small-business loan applications for expedited underwriting. The user population, input data, business decision, and customer impact are materially different. What is the best validation action before deployment?

• A. Rely on the prior validation because the model code and vendor have not changed.
• B. Deploy with enhanced monitoring and complete validation after enough underwriting outcomes are observed.
• C. Perform an independent, use-case-specific validation covering data suitability, model performance, fairness, explainability, and controls for the lending purpose.
• D. Update the model inventory and obtain vendor confirmation that the technical configuration is unchanged.

Best answer: C

What this tests: Data and AI Model Governance

Explanation: Reusing an AI system for a new business purpose is a material change even when the model code is unchanged. Validation should assess whether the model remains fit for the new intended use, including whether the new input data are representative, performance is acceptable for the decision, outputs are explainable enough for users, and fairness or customer-impact risks are controlled. In this case, moving from collections prioritization to loan underwriting changes the decision context and risk profile, so independent review before deployment is the appropriate governance action.

• Prior validation is insufficient because it addressed a different intended use and population.
• Post-deployment monitoring is important but does not replace pre-deployment validation for a material reuse.
• Inventory updates and vendor confirmations support governance but do not demonstrate fitness for the new lending purpose.

A materially new purpose requires validation against the new context, data, impacts, and controls rather than reliance on the prior validation.

Question 3

Topic: Data and AI Model Governance

A financial institution maintains a centralized register that lists each AI system, its business owner, use case, risk rating, data sources, model or vendor components, and lifecycle status. Which governance concept does this description best match?

• A. Model validation report
• B. AI inventory
• C. Data lineage map
• D. AI risk appetite statement

Best answer: B

What this tests: Data and AI Model Governance

Explanation: An AI inventory is a centralized record of AI systems across the organization. It supports governance by identifying what AI is being used, who owns it, what business purpose it serves, how risky it is, what data and models are involved, whether vendors are used, and where the system sits in its lifecycle. This differs from a single validation report, a technical data-flow artifact, or a high-level risk appetite document. In the stem, the broad register of AI systems and governance attributes points directly to an AI inventory.

• A model validation report evaluates a specific model or system; it is not the enterprise-wide register of AI use.
• A data lineage map focuses on data origin and movement, not ownership, use cases, risk ratings, vendors, and lifecycle status for AI systems.
• An AI risk appetite statement sets acceptable risk boundaries; it does not catalog individual AI systems.

An AI inventory is the governance record used to track AI systems and key ownership, use, risk, data, model, vendor, and lifecycle attributes.

Question 4

Topic: Data and AI Model Governance

A bank deploys an AI model to prioritize transaction-fraud alerts. After a new mobile app feature changes customer transaction patterns, the model continues producing scores, but there is no process to compare live feature distributions or alert outcomes with deployment baselines and escalate material changes. Which lifecycle control is the best match for this gap?

• A. Access recertification for users who can view model outputs
• B. Ongoing model monitoring for drift and performance changes with escalation criteria
• C. Model inventory attestation for ownership and use-case classification
• D. Independent pre-implementation validation of model design and testing evidence

Best answer: B

What this tests: Data and AI Model Governance

Explanation: The most appropriate lifecycle control is ongoing monitoring after deployment. The stated gap is not that the model lacked initial approval or documentation; it is that production data and outcomes are no longer being compared with the baseline conditions under which the model was accepted. Monitoring should track relevant indicators such as input distribution changes, output patterns, error rates, override rates, or business outcomes, and should define escalation criteria when changes may affect performance, fairness, or reliability. In this case, the new mobile app feature could create data drift or performance degradation, so a production monitoring control directly addresses the risk.

• Pre-implementation validation is important before release, but it does not by itself monitor changes that occur after deployment.
• Model inventory attestation supports governance visibility, but it does not test whether live model behavior has shifted.
• Access recertification addresses authorization and confidentiality risks, not production drift or outcome monitoring.

The gap is post-deployment detection and escalation of changes in live inputs and outcomes relative to expected baselines.

Question 5

Topic: Data and AI Model Governance

A bank has a credit-decision AI model in production. Each month, the model owner compares approval rates and error rates across defined demographic groups and escalates when disparities exceed documented tolerances, even when overall model accuracy is stable. Which monitoring activity is described?

• A. Data quality monitoring
• B. User behavior monitoring
• C. Fairness monitoring
• D. Control effectiveness testing

Best answer: C

What this tests: Data and AI Model Governance

Explanation: Fairness monitoring evaluates whether an AI model’s decisions, recommendations, or errors have materially different impacts across relevant groups. In this scenario, the key signal is not overall accuracy but differences in approval rates and error rates by demographic group, with escalation when disparities exceed tolerance. That makes the activity a responsible AI and model governance control focused on fairness risk after deployment. Other monitoring activities remain important, but they track different signals: data quality checks input completeness and validity, user behavior monitoring reviews how people interact with the system, and control effectiveness testing assesses whether designed controls are operating as intended.

• Data quality monitoring would focus on missing values, invalid fields, lineage, or timeliness of input data, not outcome disparities across groups.
• User behavior monitoring would examine usage patterns, overrides, prompts, or misuse by staff or customers.
• Control effectiveness testing would assess whether controls such as approvals, reviews, or alerts operate as designed, rather than directly measuring group-level outcome differences.

The activity tracks whether model outcomes or errors differ across groups beyond approved tolerances.

Question 6

Topic: Data and AI Model Governance

A bank plans to deploy a machine-learning model for loan decision support. Policy requires a party outside the model development team to assess conceptual soundness, data suitability, testing evidence, limitations, and performance before production approval. Which governance role is best suited for this activity?

• A. First-line model owner
• B. Independent model validation function
• C. AI governance committee
• D. Internal audit

Best answer: B

What this tests: Data and AI Model Governance

Explanation: In a three-lines-of-defense model, the first line owns and operates the AI use case, while an independent validation or risk review function provides technical challenge before deployment. For an AI model, validation typically examines whether the model is conceptually sound, uses appropriate and representative data, has been tested adequately, has known limitations documented, and performs within intended-use expectations. A governance committee may rely on that validation evidence when deciding whether to approve use, but it normally does not perform the detailed validation work. Internal audit provides third-line assurance over the governance framework and controls, often after processes are in place, rather than conducting the pre-production model validation itself.

• The first-line model owner is accountable for development, operation, and ongoing use, but is not independent of the model build.
• The AI governance committee may approve or escalate decisions, but it typically reviews evidence rather than performing detailed validation.
• Internal audit assesses governance and control effectiveness, but it is not the usual pre-use technical validator.

Independent model validation is best suited to provide pre-use technical challenge of model design, data, testing, limitations, and performance.

Question 7

Topic: Data and AI Model Governance

A bank’s AI governance team reviews quarterly control testing for a machine-learning fraud detection model. The same exception has occurred in three consecutive quarters: required drift-monitoring reviews were completed late or lacked reviewer evidence. The model remains in production and no confirmed customer harm has been found, but the process owner cites unclear handoffs between data science and operations. Which action is the BEST next improvement step?

• A. Suspend the model immediately until an independent party rebuilds the monitoring control from scratch.
• B. Close the exceptions after the missed reviews are reperformed because no confirmed customer harm has occurred.
• C. Increase the frequency of management attestations while leaving the drift-monitoring workflow unchanged.
• D. Open a formal issue, perform root-cause analysis, and track remediation that clarifies ownership and strengthens monitoring evidence.

Best answer: D

What this tests: Data and AI Model Governance

Explanation: Repeated AI control exceptions are evidence that the control is not operating reliably, even if no loss or customer harm has yet been confirmed. Continuous improvement requires more than fixing the latest missed review. The governance response should identify why the control keeps failing, assign accountable owners, revise handoffs or procedures, improve evidence requirements, and track the remediation to closure through the issue-management process. This approach addresses the underlying control weakness while keeping governance visibility over the remediation. The stem points to unclear handoffs, so clarifying ownership and strengthening the monitoring evidence are directly responsive to the known cause.

• Reperforming missed reviews treats the symptom but does not address why the same exception keeps recurring.
• More attestations may add reporting, but they do not fix the workflow, accountability, or evidence problem.
• Immediate suspension and a full rebuild may be disproportionate when the facts show repeated control weakness but no stated severe model failure or harm.

Repeated exceptions indicate a systemic control weakness that should be remediated through issue management, root-cause analysis, accountable ownership, and tracked closure.

Question 8

Topic: Data and AI Model Governance

A bank’s first-line analytics team has built an AI model to support small-business loan renewal decisions. The team reports strong pilot performance, but the governance file shows no independent challenge of the model design choices, training data representativeness, key assumptions, known limitations, or control plan. Which action is the BEST next step before production approval?

• A. Approve production use because the pilot performance result demonstrates that the model is fit for purpose.
• B. Defer review until post-launch monitoring produces enough production outcomes to test drift.
• C. Ask the first-line analytics team to self-certify the missing documentation and proceed with launch.
• D. Require an independent review that challenges the model design, data, assumptions, performance, limitations, and controls.

Best answer: D

What this tests: Data and AI Model Governance

Explanation: Independent review is a governance challenge function, not merely a documentation check or duplicate performance test. Before a material AI model is approved for production, reviewers should assess whether the model design is appropriate for the use case, whether data are representative and well governed, whether assumptions are reasonable, whether performance evidence is sufficient, whether limitations are understood, and whether controls and monitoring are adequate. Strong pilot performance is useful evidence, but it does not replace independent challenge because high-level metrics can mask data bias, design weaknesses, untested assumptions, or inadequate controls. In this scenario, the missing independent assessment should be completed before production approval.

• Pilot performance alone is insufficient because it does not assess design rationale, data representativeness, assumptions, limitations, or controls.
• First-line self-certification does not provide the independent challenge expected in model governance.
• Waiting for post-launch monitoring leaves unresolved pre-production risks in a model used for credit decision support.

Independent review is the appropriate challenge process before approval when material model elements and controls have not been independently assessed.

Question 9

Topic: Data and AI Model Governance

A bank plans to deploy an AI model that will automatically approve or decline unsecured loan applications. Independent validation has an unresolved high-severity finding: recent out-of-time testing shows materially higher false-decline rates for a customer segment, and the proposed monitoring dashboard does not track segment-level outcomes. The business sponsor asks to launch on schedule and fix the finding in the next model refresh. What is the best action?

• A. Prevent deployment in its current form unless the finding is remediated or approved compensating controls are implemented before launch.
• B. Allow deployment if the model development team confirms that overall accuracy remains within tolerance.
• C. Approve deployment with a post-launch plan to review customer complaints for evidence of unfair outcomes.
• D. Approve deployment because independent validation has documented the issue and the business owns the model outcome.

Best answer: A

What this tests: Data and AI Model Governance

Explanation: Unresolved validation findings should be evaluated based on severity, use case, and available controls. Here, the model makes automated credit decisions, and validation found materially higher false-decline rates for a customer segment. That is a high-impact risk involving model performance, fairness, and customer harm. Because the proposed monitoring does not even track the affected segment, post-launch detection is also weak. The best action is to prevent deployment in its current form unless the issue is remediated and revalidated, or formally approved compensating controls—such as manual review, limited use, enhanced segment monitoring, or decision override controls—are in place before launch.

• Documenting the issue does not make the risk acceptable; unresolved high-severity findings require governance action.
• Customer complaints are a weak lagging control and may miss systematic false declines.
• Overall accuracy can hide segment-level harm, especially when validation has already identified a material disparity.

A material unresolved validation finding affecting high-impact automated decisions should block deployment unless effective compensating controls reduce the risk to an approved level.

Question 10

Topic: Data and AI Model Governance

An internal audit team is reviewing AI governance documents for a new credit-decision support model. The artifacts include:

• Doc A: “All high-risk AI systems must be approved by the AI Governance Committee before production.”
• Doc B: “High-risk AI systems must have validation evidence, a named owner, and a monitoring plan.”
• Doc C: “Open the inventory tool, complete the required fields, attach the validation report, and submit for approval.”
• Doc D: “The deployment workflow blocks production release unless an inventory ID and committee approval are recorded.”

What is the best classification action?

• A. Classify all four documents as controls because each supports production approval.
• B. Classify Doc A and Doc B as procedures because both use mandatory language, and classify Doc C and Doc D as standards.
• C. Classify Doc A as a policy, Doc B as a standard, Doc C as a procedure, and Doc D as a control.
• D. Classify Doc A as a standard, Doc B as a procedure, Doc C as a control, and Doc D as a policy.

Best answer: C

What this tests: Data and AI Model Governance

Explanation: In an AI governance framework, a policy states high-level management expectations or requirements, such as requiring governance approval for high-risk AI before production. A standard translates policy into mandatory criteria, such as requiring validation evidence, ownership, and monitoring. A procedure gives the operational steps for completing a task, such as using the inventory tool and submitting evidence. A control is the actual activity or mechanism that prevents, detects, or corrects risk; here, the deployment workflow blocks release if required approvals are missing. The best action is therefore to classify each artifact according to its function, not merely by its topic or the fact that it supports governance.

• Treating the workflow block as a policy confuses an enforcement mechanism with a governance requirement.
• Labeling all artifacts as controls ignores that policies, standards, and procedures can support a control environment without being controls themselves.
• Mandatory wording does not automatically make a document a procedure; standards often use mandatory requirements.

This mapping correctly separates high-level governance intent, mandatory requirements, step-by-step instructions, and an enforcement activity.

Continue with full practice

Use the GARP RAI Practice Test page for the full Finance Prep practice bank, mixed-topic practice, timed mock exams, and explanations.

Related focused pages

• Free GARP RAI Full-Length Practice Exam
• GARP RAI: History and Overview of AI Concepts
• GARP RAI: AI Tools and Techniques
• GARP RAI: Risks and Risk Factors
• GARP RAI: Responsible and Ethical AI

Free review resource

Use the full Finance Prep practice page above for the latest review links and practice page.