SR 11-7 Just Wrote Itself Out of the GenAI Conversation
The April 17, 2026 interagency MRM rewrite formally excludes generative and agentic AI from scope. That's not a retreat — it's an RFI window.
Paul Merrison
AI governance for financial services
I work on the gap between Model Risk Management frameworks like SR 11-7 and SS1/23 and the actual mechanics of generative and agentic AI systems in production. The interesting questions sit where regulatory expectations meet engineering controls — and most firms are trying to bridge that gap with policy documents alone.
I'm Chief Information Security Officer at Tetrate and a contributor to the FINOS AI Governance Framework, where I received the Newcomer Award at OSFF NYC 2025. I take a small number of fractional advisory engagements with banks, insurers and FS infrastructure firms working through AI governance implementation — and I write about the work here.
Recent Writing
View all posts →Why I Built Launcherly (After Two Failed Attempts at Building Anything)
Two products that never shipped, one pattern that killed them both, and the tool I eventually built to fix it
Why Deterministic Language Models Would Be A Big Deal For Banks
Coming to the same answer twice is kind of cool
Featured Speaking Engagements
View all talks → FINOS OSFF NY 2025 New York, USA
Bridging AI Governance and Cloud Infrastructure
How to use FINOS CALM architecture-as-code to implement re-usable deployment patterns for AI in financial services
FINOS Workshops Microsoft, NY, USA
Designing an Agentic AI Reference Architecture for Financial Services
Multiple three hour workshops where I guided attendees through the process of brainstorming and developing an AI reference architecture for financial services institutions.
APIDays London 2025 London, UK
Beyond Compliance Theater: Building Production-Ready AI Governance with Multi-Agent Workflows
How to build executable governance, transforming abstract policies into resilient, auditable code.
Featured Articles
View all articles → Tetrate Blog
Visualizing AI Governance: Why We Built a Modern CALM Tool
Tetrate developed a modern visualization tool for FINOS CALM to address the critical gap between AI governance frameworks and their practical implementation.
Tetrate Blog
AI Governance for CISOs: Securing SaaS AI Deployment
A practical guide for Chief Information Security Officers on implementing controls for governing distributed AI tools across enterprise SaaS applications.
Tetrate Blog
Securing the MCP Supply Chain: A New Approach to Agentic AI Governance
Examining how agentic AI systems depending on third-party Model Context Protocol (MCP) services face unique security challenges and proposing infrastructure-level governance solutions.