4 report formats available. Click any tab below to preview. Each is generated in seconds from your existing Smartflow audit data.
OCC / FRB SR 11-7 Model Risk
FINRA 3110 Supervision
EU AI Act High-Risk AI
All Frameworks Comprehensive
Executive Summary
During Q1 2026, Acme Capital Management deployed and operated four AI language models through the Smartflow enterprise AI gateway. All four models are classified in the AI inventory with assigned risk tiers, business owners, and applicable regulatory frameworks. The gateway processed 847,291 AI inference requests during the period. Guardrail policies blocked 2,341 requests (0.28%) for policy violations. Zero information barrier violations were recorded. Three models have completed independent validation; one (gpt-4o for Quantitative Research) is classified Tier 2 with validation in progress. No model was used in a manner inconsistent with its documented use case or validated scope.
99.72%
Policy Compliance Rate
Section 1 — AI Model Inventory
| Model |
Provider |
Risk Tier |
Use Case |
Business Owner |
Validation |
Q1 Requests |
| claude-3-5-sonnet |
Anthropic |
Tier 2 — Moderate |
Research analyst support, document summarization |
Research Technology |
Validated |
412,841 |
| gpt-4o |
OpenAI |
Tier 2 — Moderate |
Quantitative model documentation, code review |
Quant Research Group |
In Progress |
287,103 |
| claude-3-haiku |
Anthropic |
Tier 3 — Low |
Internal help desk, policy Q&A |
IT Operations |
Validated |
141,298 |
| gemini-1.5-pro |
Google |
Tier 2 — Moderate |
Client communications drafting (human review required) |
Wealth Management |
Validated |
6,049 |
Section 2 — Governance Controls & Guardrail Evidence
All models routed exclusively through the Smartflow gateway. No direct API calls to model providers were detected in network logs for the examination period.
PII/sensitive data blocking100%
Prompt injection detection100%
Output compliance scanning100%
Information barrier enforcement100%
Audit log completeness100%
gpt-4o validation completion62%
| Policy Category | Requests Blocked | Block Rate | Top Trigger |
|---|
| PII / Personal Data Exposure | 1,204 | 0.14% | SSN pattern in prompt |
| MNPI Content Detection | 687 | 0.08% | Material deal reference |
| Prompt Injection Attempt | 312 | 0.04% | Instruction override payload |
| Off-scope Model Usage | 138 | 0.02% | Trading recommendation request |
| Total | 2,341 | 0.28% | — |
Section 3 — SR 11-7 Compliance Findings
MRM-001 — Model inventory maintained and current
All AI models in production are registered in the Smartflow AI Inventory with assigned risk tiers, business owners, applicable frameworks, and validation status. Inventory is updated automatically as new models are observed in traffic.
SR 11-7 §III.A — Model inventory requirements
MRM-002 — Independent validation completed for Tier 1 & validated Tier 2 models
Three of four models have passed independent validation. Validation documentation is available in the model registry. gpt-4o validation is 62% complete with a target completion date of April 28, 2026.
SR 11-7 §III.B — Model validation standards
MRM-003 — gpt-4o validation in progress (no production risk)
gpt-4o is operating within its documented scope (Quantitative Research documentation only) while validation is in progress. A compensating control requires human review of all gpt-4o outputs before use in model documentation. Validation expected complete Q2 2026.
SR 11-7 §III.B — Pre-implementation validation; compensating controls documented
MRM-004 — Ongoing monitoring controls in place
All models are subject to continuous monitoring via Smartflow's VAS (Visibility, Audit, Security) log system. Monthly performance reviews are conducted by model owners. Drift detection thresholds are configured for each Tier 2 model.
SR 11-7 §III.C — Ongoing monitoring and outcomes analysis
MRM-005 — Model use governance enforced at gateway layer
Smartflow enforces that each AI model operates only within its approved use case via scope-based routing policies. Requests outside approved scope are blocked and logged. 138 such blocks were recorded in Q1 2026.
SR 11-7 §III.D — Policies, procedures, and controls
JW
Jennifer Wu, Chief AI Risk Officer
Acme Capital Management · Prepared for Q1 2026 Model Risk Review
Report hash: sha256:a4f9c2e8b1d3…7f92 · Smartflow SR117-2026Q1-0482
Supervisory Attestation Summary
Meridian Securities LLC used AI-assisted communication drafting tools during Q1 2026. All AI-generated or AI-assisted content subject to customer communication rules was reviewed by a registered principal prior to use. The firm's supervisory system includes Smartflow's information barrier enforcement as a technology control that prevents AI tools from crossing registered representative and research department walls. No violations of FINRA Rule 3110 or 3120 were identified during the examination period. This report constitutes the firm's supervisory attestation for AI-related activity.
14,872
AI-Assisted Communications
14,872
Principal-Reviewed
Information Barrier Configuration
| Barrier Name | Side A (Restricted) | Side B (Protected) | Action | Q1 Checks | Violations |
|---|
| Research Wall |
investment-banking
m-and-a-advisory |
equity-research
public-sales |
Block + Alert |
1,204 |
0 |
| Fixed Income Wall |
structured-products
credit-trading |
fixed-income-research |
Block + Alert |
688 |
0 |
| Arbitrage Desk Wall |
risk-arb-desk |
all-registered-reps |
Block + Log |
341 |
0 |
AI Supervision Review Log — Sample (Q1 2026)
All AI-assisted customer communications passed through a designated supervisor review queue before transmission. The following is a representative sample from the 14,872 reviewed items.
| Date | Representative | AI Tool Used | Communication Type | Reviewer | Outcome |
|---|
| 2026-03-28 |
R. Kowalski · CRD#441209 |
gemini-1.5-pro |
Quarterly summary letter |
M. Chen, Principal |
Approved |
| 2026-03-21 |
A. Patel · CRD#512847 |
gemini-1.5-pro |
Performance review email |
M. Chen, Principal |
Approved w/ Edits |
| 2026-03-15 |
T. Okonkwo · CRD#387214 |
claude-3-5-sonnet |
Options strategy explanation |
D. Walsh, Principal |
Approved |
| 2026-02-08 |
S. Lindqvist · CRD#298641 |
gemini-1.5-pro |
New account welcome letter |
D. Walsh, Principal |
Approved |
SUP-001 — Written supervisory procedures address AI use
The firm's WSP (Rev. 2026-01-15) includes Section 14.C: "AI-Assisted Communications," covering approved tools, mandatory principal review, and prohibited use cases. Smartflow is listed as the approved AI gateway in the WSP appendix.
FINRA Rule 3110(b)(1) — Written supervisory procedures
SUP-002 — 100% principal review of AI-assisted client communications
Smartflow's workflow enforcement required all gemini-1.5-pro and claude-3-5-sonnet outputs intended for client transmission to enter the supervisor review queue. 14,872 items were reviewed; 14,872 bear a principal approval record in the audit log.
FINRA Rule 3110(b)(4) — Review of correspondence
SUP-003 — Information barriers functioning as designed
Three technology-enforced information barriers operated continuously during Q1 2026. Zero cross-wall AI queries were completed. 2,233 queries were blocked at the Smartflow gateway and logged with violation metadata available for examiner review.
FINRA Rule 3110 / FINRA Regulatory Notice 18-04 — Information barrier controls
RB
Robert Blake, CCO · Meridian Securities LLC
FINRA BD-4412 · Q1 2026 AI Supervision Attestation
Report hash: sha256:b7e3d9f1a2c4…8a41 · Smartflow FINRA3110-2026Q1-0031
Conformity Assessment Summary
FinTech Partners GmbH operates two AI systems that fall within scope of the EU AI Act Annex III high-risk categories: (1) a creditworthiness assessment assistant and (2) a KYC document analysis system. Both systems operate through the Smartflow enterprise AI gateway, which provides the required logging, human oversight enforcement, and transparency documentation required under Chapter III, Section 2 of the EU AI Act. This report demonstrates conformity with Articles 9 (risk management), 10 (data governance), 13 (transparency), 14 (human oversight), and 17 (quality management).
100%
Human Oversight Rate
High-Risk AI System Registry (Annex III)
Assists credit analysts in evaluating retail loan applications. Outputs are advisory only — all credit decisions require human approval before commitment.
Annex III Category
Art. 2(1)(a) — Creditworthiness
Validation
Independent · Oct 2025
Extracts and classifies identity document fields for AML/KYC onboarding. Human compliance officer confirms all identity determinations before account activation.
Annex III Category
Art. 2(1)(d) — Biometric
Validation
Independent · Jan 2026
Article-by-Article Conformity Evidence
Art. 9 — Risk Management System
A documented risk management process is maintained for both high-risk AI systems. Risk assessments were completed prior to deployment and updated following the Q4 2025 model version change. Smartflow's guardrail system provides the ongoing risk mitigation controls described in the risk register.
EU AI Act Art. 9 — Continuous risk management process
Art. 10 — Data and Data Governance
Training data provenance is documented for both systems. Input data to the AI systems during inference is logged with masked PII. Smartflow's data classification layer ensures no prohibited data categories (Art. 10(5)) are passed to model providers.
EU AI Act Art. 10 — Data and data governance requirements
Art. 13 — Transparency and Information Provision
End-users (credit analysts, compliance officers) are informed when AI assistance is being provided. All AI-generated outputs carry a disclosure tag in the user interface. Smartflow's VAS log records the model, version, and timestamp for each AI inference presented to a user.
EU AI Act Art. 13 — Transparency and provision of information
Art. 14 — Human Oversight
Both high-risk AI systems operate in an advisory-only capacity. CreditWise AI outputs require explicit approval by a licensed credit analyst before any credit decision is recorded. KYC Analyzer outputs require compliance officer confirmation. Override rates (8.3% and 3.1%) are logged and reviewed monthly.
EU AI Act Art. 14 — Human oversight measures
Art. 17 — Quality Management System
A quality management system is in place covering design control, post-market monitoring, and version change management for both AI systems. Smartflow generates automated performance metric reports monthly that feed into the QMS review cycle.
EU AI Act Art. 17 — Quality management system
Human Oversight Activity Log — Q1 2026
2026-03-29
Monthly override rate review — CreditWise AI
Q1 override rate 8.3% reviewed by Chief Credit Officer. Within acceptable range (policy threshold 15%). No model drift detected.
2026-03-01
KYC Analyzer version update — v2.1 → v2.2
gpt-4o model version pinned to 2025-11-15. Post-update validation completed; accuracy on EU document types confirmed at 99.1%.
2026-02-12
Art. 22 incident review — False ID flag
KYC Analyzer incorrectly flagged a valid German Personalausweis. Human override applied, root cause identified (font rendering artifact), guardrail rule added to Smartflow. Customer not impacted.
2026-01-08
Annual EU AI Act compliance review completed
External DPO review confirmed conformity with Articles 9, 10, 13, 14, 17. Smartflow audit logs reviewed and certified complete. No gaps identified.
KM
Katja Müller, Data Protection Officer · FinTech Partners GmbH
EU AI Act Art. 17 Quality Management — Q1 2026 Attestation
Report hash: sha256:c1a8e4f2b9d0…3c77 · Smartflow EUAIA-2026Q1-0017
Multi-Framework Executive Summary
First National Digital Bank, N.A. deployed six AI models across retail banking, commercial lending, and operations during Q1 2026. All models operate through the Smartflow AI governance gateway. This comprehensive package satisfies evidence requirements for a concurrent OCC model risk examination, FINRA supervision audit, FFIEC IT examination inquiry, and EU AI Act conformity review. The institution maintains a unified AI governance program with Smartflow as the single control point for all AI traffic, enabling this single report to address all four regulatory frameworks simultaneously.
100%
Audit Log Completeness
Cross-Framework Compliance Dashboard
| Framework | Requirements | Satisfied | Open Items | Status |
|---|
| SR 11-7 (OCC / FRB) |
Model inventory, validation, monitoring, governance |
8/9 |
Annual vendor model review due Apr 30 |
Minor Gap |
| FINRA 3110/3120 |
WSP, principal review, barrier enforcement, recordkeeping |
6/6 |
None |
Fully Compliant |
| FFIEC IT Exam |
Asset inventory, access control, incident response, audit trails |
11/12 |
Penetration test scheduled for AI gateway endpoints |
Minor Gap |
| EU AI Act |
Art. 9, 10, 13, 14, 17 conformity for high-risk systems |
5/5 |
None |
Conformity Documented |
Full Model Inventory (All Frameworks)
| Model | Tier | Frameworks | Validated | Owner | Q1 Volume |
|---|
claude-3-5-sonnet
Retail Lending AI |
Tier 1 |
SR 11-7 EU AI Act |
Oct 2025 |
Consumer Lending |
841,204 |
gpt-4o
Commercial Credit Analyst |
Tier 1 |
SR 11-7 FFIEC |
Nov 2025 |
Commercial Banking |
412,888 |
claude-3-haiku
Broker Communication Assist |
Tier 2 |
FINRA 3110 FFIEC |
Dec 2025 |
Wealth Mgmt |
391,047 |
gemini-1.5-pro
Operations Summarizer |
Tier 3 |
FFIEC |
Sep 2025 |
Operations |
284,311 |
gpt-4o-mini
Fraud Narrative Drafting |
Tier 2 |
SR 11-7 FFIEC |
In Progress |
Fraud Operations |
128,772 |
claude-3-5-haiku
Internal HR Assistant |
Tier 3 |
Internal only |
Feb 2026 |
Human Resources |
62,104 |
Two minor open items were identified. Neither constitutes a violation or requires immediate cessation of AI use. Both have documented remediation plans with target completion dates.
REM-001 — Annual vendor model review (SR 11-7)
The vendor assessment for Anthropic and OpenAI as third-party model providers is due April 30, 2026 per the bank's model risk management policy. A review questionnaire has been sent to both vendors. Responses are pending. No impact on model operation during review period per MRM policy §7.2.
Target completion: April 30, 2026 · Owner: Chief Model Risk Officer
REM-002 — Penetration test of AI gateway endpoints (FFIEC)
The Q1 FFIEC examination identified that the last penetration test of the Smartflow gateway API endpoints was conducted in Q3 2025. Per FFIEC guidance, annual testing is recommended. A test is scheduled for April 15–18, 2026 with an approved security vendor.
Target completion: April 18, 2026 · Owner: CISO
DP
Diana Park, Chief AI & Data Governance Officer
First National Digital Bank, N.A. · Multi-Framework Q1 2026 Examination Package
Report hash: sha256:e2f4a8c1b7d3…9e02 · Smartflow COMP-2026Q1-0009