AgentSure
Tier 3 · information-paper · MAS · v2024.12 · 2024-12-05

Information Paper on AI Model Risk Management

Aliases: AIRG · MAS AIRG · AI Risk Management Guidelines

Purpose

Sets out MAS observations and supervisory expectations on FIs’ AI risk management across governance, model risk, data, deployment, and monitoring.

Atomic clauses: 154
AI-specific: 151
Cross-document links: 65
Pages: 38 pp

Atomic clauses (154)

should · AI · §1.2

The good practices highlighted in this information paper should generally apply to other financial institutions (FIs), which should take reference from these when developing and deploying AI.

governance.policy
declarative · AI · §2.5

With Generative AI, existing risks associated with AI may be amplified.

genai.hallucination · explainability · fairness.bias-mitigation
should · AI · §3.3

FIs should build capabilities in AI across the bank to support both innovation and risk management.

governance.training
should · AI · §3.3

FIs should assess the materiality of risks that AI poses using key risk dimensions so that relevant controls can be applied proportionately.

model-risk.identification
should · AI · §3.3

FIs should utilise AI inventories, which provide a central view of AI usage across the bank to support oversight.

model-risk.documentation
should · AI · §3.3

FIs should establish cross-functional oversight forums to ensure that evolving AI risks are appropriately managed across the bank.

governance.accountability
should · AI · §3.3

FIs should institute pre-deployment checks and monitoring of deployed AI.

lifecycle.deployment · lifecycle.monitoring
should · AI · §3.3

FIs should establish standards and processes for key areas important for AI development, such as data management, robustness and stability, explainability and fairness, reproducibility and auditability.

data.quality · explainability · fairness.bias-mitigation · model-risk.documentation
should · AI · §3.3

FIs should conduct independent validation or peer reviews of AI before deployment based on risk materialities.

model-risk.validation
should · AI · §3.3

FIs should articulate clear statements and principles to govern areas such as the fair, ethical, accountable and transparent use of AI.

governance.policy · fairness.bias-mitigation · transparency
should · AI · §3.3

FIs should update existing policies and procedures of relevant risk management functions to strengthen AI governance.

governance.policy
should · AI · §3.3

FIs should identify AI usage and risks across the bank so that commensurate risk management can be applied.

model-risk.identification
declarative · AI · §3.4

These key focus areas are generally also applicable to Generative AI, as well as AI (including Generative AI) from third-party providers.

genai.hallucination · third-party.due-diligence
should · §3.5

Existing regulatory requirements and supervisory expectations, including but not limited to notices, guidelines or information papers on data governance, technology and outsourcing risk management would apply, where relevant.

data.lineage · cyber.access-control · third-party.due-diligence
should · AI · §4

developing clear statements and guidelines to govern areas such as fair, ethical, accountable and transparent use of AI across the bank

fairness.bias-mitigation · explainability · transparency
should · AI · §4

updating control standards, policies and procedures, and clearly setting out roles and responsibilities to address AI risks

governance.policy · governance.raci
should · AI · §4

building capabilities in AI across the bank to support both innovation and risk management

governance.training
should · AI · §4

establishing cross-functional oversight forums to avoid gaps in AI risk management

governance.accountability · governance.board-oversight
declarative · AI · §4.1

Document the corresponding results, comparisons of performance across multiple AI models and justifications for selecting the final model.

model-risk.documentation
should · AI · §4.1

Banks should establish cross-functional AI oversight forums.

governance.accountability
should · AI · §4.1

Mitigating model limitations - Frameworks and processes for testing key assumptions, identifying limitations and their expected impact, and establishing appropriate mitigants which are commensurate with the impact of the limitations.

model-risk.testing · model-risk.documentation
should · AI · §4.1

Validation - Setting out the depth of review expected of validators across the areas above; frameworks for determining the prioritisation and frequency of validation (including any revalidation conducted on deployed models).

model-risk.validation
declarative · AI · §4.1

Document metrics and associated thresholds, results of fairness assessments and justifications for the use of any protected features or attributes.

fairness.bias-mitigation · model-risk.documentation
should · AI · §4.1

Monitoring and change management - Setting appropriate tests and thresholds to evaluate the ongoing performance of a deployed model, including the frequency of monitoring; as well as the processes to be followed (e.g., additional validations and approvals) for changes made to a deployed model.

model-risk.monitoring · lifecycle.monitoring
declarative · AI · §4.1

Document global and/or local explainability methods used, feature selection process, analysis of results, as well as description of key features selected and additional justifications for inclusion of certain key features.

explainability · model-risk.documentation
should · AI · §4.3

Banks should review and, where necessary, update existing policies and procedures to keep pace with the increasing use of AI or new AI developments.

governance.policy
should · AI · §4.3

Banks should compile policies and procedures relevant to AI into a central guide to ensure consistent standards for AI are applied across the bank.

governance.policy
should · AI · §4.4

Banks should operationalise central statements and principles by mapping them to key controls, which are in turn mapped to the relevant functions responsible for these controls.

governance.raci · governance.accountability
should · AI · §4.4

Banks should set out central statements and principles on how they intend to use AI responsibly, including developing guidelines to govern fair, ethical, accountable, and transparent use of AI.

governance.policy · fairness.bias-mitigation · transparency · explainability
should · AI · §4.5

Banks should develop AI training that facilitate staff in leveraging and using AI in an effective and responsible manner.

governance.training
should · AI · §5

Banks should establish systems and processes to ensure the completeness of AI inventories.

governance.accountability
should · AI · §5

Banks should assess the risk materiality of AI covering key risk dimensions such as impact, complexity, and reliance.

model-risk.identification
should · AI · §5

Banks should establish or update policies and procedures for identifying AI usage and risks across the bank.

governance.policy · model-risk.identification
should · AI · §5.2.1

Banks should ensure that AI are only used within the scope in which they have been approved for use, e.g., the purpose, jurisdiction, use case, application, system, and other conditions for which they have been developed, validated and deployed.

lifecycle.deployment · governance.policy · model-risk.monitoring
should · AI · §5.2.1

Banks should maintain a formal AI inventory with a comprehensive record of where AI is used in the bank.

governance.policy · model-risk.documentation
should-not · AI · §5.2.1

AI approved for use in one jurisdiction should not automatically be treated as approved for use in others as the data, assumptions and considerations may not be similar, and the AI may not perform as expected in a different context.

model-risk.monitoring · governance.policy
declarative · AI · §5.2.3

Most banks have established clear policies on the scope of AI assets to be inventoried, the roles responsible for maintaining the inventory, and the processes for updating it.

governance.policy · governance.raci
should · AI · §5.2.4

AI inventories generally capture key attributes such as the AI's purpose and description, scope of use, jurisdiction, model type, model output, upstream and downstream dependencies, model status, risk materiality rating, approvals obtained for validation and deployment, responsible AI requirements, waiver or dispensation details, use of personally identifiable information (PII), personnel responsible such as owners, sponsors, users, developers, and validators.

governance.policy · model-risk.documentation · data.lineage
declarative · AI · §5.3.1

In assessing risk materiality, most banks considered both quantitative and qualitative risk dimensions that could generally be grouped into three broad categories: a. Impact on the bank, its customers or other stakeholders, including but not limited to financial, operational, regulatory and reputational impact. b. Complexity due to the nature of the AI model or system, or the novelty of the area or use case in which AI is being applied. c. Reliance on AI, which takes into account the autonomy granted to the AI, or the involvement of humans in the loop as risk mitigants.

model-risk.identification · governance.policy
declarative · AI · §5.3.1

Risk materiality assessments are critical for banks to calibrate their approach to risk management of AI across the diverse areas in which AI can be used (e.g., to map the risk materiality of AI to the depth and scope of validation and monitoring required).

model-risk.identification · model-risk.validation · model-risk.monitoring
should · AI · §5.3.2

Quantitative and qualitative measures and methods used to assign risk materialities should be reviewed, e.g., measures used to quantify financial impact would be updated if the nature of the business in which AI was used had evolved.

model-risk.monitoring · model-risk.documentation
should · AI · §5.3.2

Banks should establish processes to review that risk materialities assigned to AI remain appropriate over time.

model-risk.monitoring · model-risk.documentation
should · AI · §6

For AI of lower risk materiality, banks should conduct peer reviews that are calibrated to the risks posed by the use of AI prior to deployment.

model-risk.validation · lifecycle.validation
should · AI · §6

Banks should establish standards and processes for development, validation, and deployment of AI to address key risks.

lifecycle.training · lifecycle.validation · lifecycle.deployment
should · AI · §6

For development of AI, banks should pay greater attention to data management, model selection, robustness and stability, explainability and fairness, as well as reproducibility and auditability.

data.quality · model-risk.validation · explainability · fairness.bias-mitigation · lifecycle.training
should · AI · §6

For validation, banks should require independent validations or reviews of AI of higher risk materiality prior to deployment, to ensure that development and deployment standards have been adhered to.

model-risk.validation · lifecycle.validation
should · AI · §6

To ensure that AI would behave as intended when deployed and that any data and model drifts are detected and addressed, banks should perform pre-deployment checks, closely monitor deployed AI based on appropriate metrics, and apply appropriate change management standards and processes.

lifecycle.deployment · model-risk.monitoring · model-risk.drift
declarative · AI · §6.1.1

Banks have established standards and processes in the key areas of development, validation, deployment, monitoring and change management to support robust risk management of AI across its lifecycle.

governance.policy · lifecycle.training · lifecycle.validation · lifecycle.deployment · lifecycle.monitoring
declarative · AI · §6.1.2.a

Determine suitability of data, such as the representativeness of data for the intended objective, assessment of completeness, reliability, quality, and relevance of data, and approaches for determining training and testing datasets.

data.quality · data.lineage · lifecycle.training
declarative · AI · §6.1.2.b

Define the intended objective of the model and justify how the selection and design of the model is relevant and appropriate for achieving the desired objective, including the selection of architectures and techniques that are appropriate for the use case and objective.

lifecycle.problem-formulation · model-risk.documentation
declarative · AI · §6.1.2.c

Set appropriate evaluation approaches and thresholds, and assess the model’s ability to perform under a range of conditions in accordance with its intended usage and objective.

model-risk.validation · model-risk.testing
declarative · AI · §6.1.2.d

Provide sufficient detail to facilitate reproducibility by an independent party, including details on data sources, lineage, and processing steps; model architecture and techniques; evaluation and testing approaches and results.

model-risk.documentation · data.lineage · explainability
should · AI · §6.1.3

Banks should establish baseline standards and processes for risk management of AI that apply to all AI across the bank, regardless of risk materiality.

governance.policy · model-risk.documentation
should · AI · §6.1.3

For AI of greater risk materiality or with specific use case requirements, baseline standards and processes should be supplemented by enhanced standards and processes.

governance.policy · model-risk.validation
should · AI · §6.2.1

Banks should establish additional data management standards and processes to ensure that data used for AI development and deployment are fit for purpose.

data.quality · data.lineage · governance.policy
should · §6.2.1

General bank-wide data governance and management standards and processes should apply to data used for AI.

data.lineage · data.quality · governance.policy
must · AI · §6.2.2.a

Banks have required approvals to be obtained for high-risk data use cases, such as data use where a third party may have access to the bank’s internal data, use of employee data for monitoring, or the collection of biometric data to identify individuals.

data.consent · data.lineage · governance.policy
must · AI · §6.3.1

Most banks required developers to justify their selection of a more complex AI model over a conventional model or a simpler AI model.

model-risk.identification · explainability
must · AI · §6.3.1

Some banks required developers to go beyond qualitative justifications, and develop challenger models to explicitly demonstrate the performance uplift of the AI model over the challenger model as part of this justification.

model-risk.challenger · model-risk.validation
declarative · AI · §6.3.10

Development standards for AI across all banks had been expanded to include a section on explainability.

explainability
should · AI · §6.3.11

Developers should apply global and/or local explainability methods to identify the key features or attributes used as inputs to AI models and their relative importance; assess whether these features or attributes were intuitive from a business and/or user perspective; and provide additional justification for retaining features or attributes which were not intuitive.

explainability · model-risk.documentation
should · AI · §6.3.12

Banks should establish standards and processes to clearly define the minimum level of global and/or local explainability required for different use cases.

explainability · governance.policy
declarative · AI · §6.3.13

If the training data contained biases that unfairly represent or disadvantage specific groups of individuals, AI models may perpetuate these unfair biases in its predictions or outputs.

data.bias-check · fairness.bias-mitigation
should · AI · §6.3.14

For use cases that could have a significant impact on individuals, most banks would undertake a formal assessment on whether specific groups of individuals could be systematically disadvantaged by AI-driven decisions.

fairness.disparate-impact · fairness.bias-mitigation
should · AI · §6.3.15a

Defining a list of protected features or attributes, for which use of such features or attributes in AI models would require additional analysis and justification.

fairness.protected-attribute · fairness.bias-mitigation
should · AI · §6.3.15b

Determining whether such features or attributes were used in training AI models. Based on this assessment, to define groups of individuals at risk of being systematically disadvantaged by the AI-driven decisions (at-risk groups).

fairness.disparate-impact
should · AI · §6.3.15c

Where necessary, determining the extent to which AI-driven decisions systematically disadvantaged against at-risk groups via fairness measures.

fairness.disparate-impact · fairness.bias-mitigation
should · AI · §6.3.15d

Where necessary, providing adequate justifications on the use of protected features or attributes in AI models (e.g., trade-offs against the intended objectives of the AI model).

fairness.protected-attribute · explainability
should · AI · §6.3.16

Banks should expand existing documentation requirements to incorporate relevant AI development processes and considerations to facilitate reproducibility and auditability.

model-risk.documentation · explainability · transparency
declarative · AI · §6.3.16.a

Document key data management steps including datasets and data sources used for model development and evaluation, details of how datasets were assessed as fit-for-purpose, processed ahead of model training, and split into training, testing and/or validation datasets.

data.lineage · data.quality · model-risk.documentation
declarative · AI · §6.3.16.b

Document details of how the AI model was trained or fit to the training dataset, including codes, software packages/environment and versions, key settings (e.g., hyperparameters and selection approach), random seed values, and other configurations required for a third party to reproduce the training process.

model-risk.documentation · lifecycle.training
declarative · AI · §6.3.16.c

Document details of how the performance of the AI model was evaluated and how the final model was selected, including evaluation approaches, thresholds and datasets applied.

model-risk.validation · model-risk.testing · model-risk.documentation
must · AI · §6.3.17

Most banks also set up documentation templates that developers were required to follow for consistency.

model-risk.documentation
is-expected · AI · §6.3.3

Datasets chosen for training and testing or evaluation of AI models were expected to be representative of the full range of input values and environments under which the AI model was intended to be used.

data.quality · model-risk.testing
declarative · AI · §6.3.3

Training and testing datasets were also checked to ensure that their distributions or characteristics are similar.

data.quality · model-risk.testing
should · AI · §6.3.5

Banks' standards and processes on the robustness and stability of AI models generally required testing or evaluation approaches to be aligned with the intended outcomes that the AI models were meant to support.

model-risk.testing · model-risk.validation
should · AI · §6.3.6

Banks paid significant attention to aligning the choice of performance measures with the intended outcomes that the AI models were meant to support.

model-risk.monitoring · model-risk.documentation
may · AI · §6.3.7

Banks may include stability analysis to compare the stability of data distributions and predictions or outputs.

model-risk.testing · model-risk.drift
may · AI · §6.3.7

Banks may include stress testing the response of AI models to edge cases or inputs outside the typical range of values used in training.

model-risk.testing · model-risk.validation
may · AI · §6.3.7

Banks may include error analysis to identify potential patterns in prediction errors.

model-risk.testing
may · AI · §6.3.7

Banks may include sensitivity analysis to understand how predictions or outputs of AI models change under different permutations of data inputs.

model-risk.testing · explainability
may · AI · §6.3.7

Banks may include sub-population analysis to evaluate how AI models perform across different sub-populations or subsets within the datasets.

model-risk.testing · fairness.disparate-impact · data.bias-check
must · AI · §6.3.8

Thresholds need to be clearly defined and documented, as well as mutually agreed upon by developers and validators.

model-risk.documentation · model-risk.validation
should · AI · §6.3.9a

Generally favouring AI models of lower complexity unless there are clear justifications to do otherwise.

model-risk.identification · model-risk.validation
should · AI · §6.3.9b

Applying explainability methods to identify the key input features or attributes that are important for the AI model predictions or outputs and assessing that they are intuitive from a business and/or user perspective.

explainability · model-risk.validation
must · AI · §6.3.9c

Additional performance testing requirements to test the performance of AI models on unseen data where possible, such as cross-validation techniques and testing against more out-of-sample/out-of-time datasets.

model-risk.testing · model-risk.validation
should · AI · §6.4.2

Actions to address issues identified during validation, such as the application of suitable adjustments or other mitigating or compensatory controls, would typically be proposed by developers and agreed to by validators before deploying AI.

model-risk.validation · human-oversight.over-loop
should · AI · §6.4.4

Banks should require all AI to be subject to independent validation, with the depth and rigour of validation varying based on the AI’s risk materiality rating.

model-risk.validation
should · AI · §6.5.1

Banks should apply standard software development lifecycle (SDLC) processes to ensure that the AI application or system was secure, free from error and performed as intended before deployment.

lifecycle.deployment · cyber.access-control
should · AI · §6.5.1

Banks should conduct pre-deployment checks and tests to ensure that the AI has been correctly implemented and produces the intended results before being deployed for use.

lifecycle.deployment · model-risk.testing
should · AI · §6.5.1.a

Banks should conduct additional tests, such as forward testing, for selected high materiality AI.

model-risk.testing · lifecycle.deployment
must · AI · §6.5.10

Key additional requirements and controls include justifications for enabling automatic updating of AI, clearly defining what can be updated automatically, for example, restricting changes to the retraining of AI model with more recent datasets, but not allowing for changes to AI model architectures or hyperparameters.

model-risk.documentation · lifecycle.deployment
must · AI · §6.5.10

Dynamic AI need to be subject to enhanced requirements and controls to ensure that change management is well governed.

model-risk.monitoring · lifecycle.deployment
must · AI · §6.5.10

Such dynamic AI would also be subject to enhanced risk management requirements, such as enhanced data management standards, e.g., additional checks on data quality and drifts, as well as enhanced performance monitoring requirements, e.g., more stringent monitoring notification thresholds.

data.quality · model-risk.drift · model-risk.monitoring
should · AI · §6.5.2

Key control functions, such as those in the areas of technology, data, legal and compliance, third-party and outsourcing, would also confirm that the checks have been undertaken and sign off before AI is deployed into production.

lifecycle.deployment · governance.accountability
should · AI · §6.5.3

All banks paid significant focus to the ongoing monitoring of their AI to ensure that they continue to operate as intended post-deployment.

model-risk.monitoring
should · AI · §6.5.4

Measures used for monitoring were tracked against predefined thresholds, usually determined at the development and validation stages, to ensure models perform within acceptable boundaries.

model-risk.monitoring · model-risk.validation
must · AI · §6.5.5

Where a major redevelopment was undertaken, revalidation and approval would be needed before the updated model could be redeployed.

lifecycle.deployment · model-risk.validation
should · AI · §6.5.5

Banks generally track issues or incidents from discovery to resolution, and incorporate a relevant escalation process based on the materiality of the issue or incident.

model-risk.monitoring · governance.policy
should · AI · §6.5.5

Most banks also have a process or system for reporting, tracking and resolving issues or incidents if breaches or anomalies arise from the monitoring process.

model-risk.monitoring · governance.policy
Source
https://www.mas.gov.sg/-/media/mas-media-library/publications/monographs-or-information-paper/imd/2024/information-paper-on-ai-risk-management-final.pdf
Statutory basis: MAS Act / supervisory expectation paper