MUSE — Model Risk Management at Fannie Mae
Enterprise model lifecycle governance, regulator-aligned and audit-ready.

Context
Fannie Mae's model risk management organisation operates hundreds of machine-learning models that underwrite trillions of dollars in mortgage decisions. The supporting tooling had sprawled into fragmented internal apps, each owned by a different team and used by a different persona — model owners, lead model users, auditors and governance specialists — with no shared design language, navigation or data model between them.
Problem
At Fannie Mae, tracking a model's full lifecycle meant hunting through spreadsheets, SharePoint folders, and whatever a teammate remembered. Registration, version history, validation checks, findings, sign-offs and renewals were scattered across disconnected tools — so when regulators asked whether a model was safe, compliant and traceable, no one could prove it easily.
Approach
- 01
Translated SR 11-7-aligned MRM policy into concrete, screen-level workflows with MRM Oversight, Model Owners, Controllers and Internal Audit.
- 02
Designed end-to-end flows for model creation, versioning, validation execution and scheduling, findings remediation, attestations and approved usages.
- 03
Embedded segregation of duties into the UI — the platform refuses to let one role do another's job, which is what auditors look for first.
- 04
Designed DevJoy so developers can train and iterate banking models without leaving governance behind — versioning, validation schedules and findings update automatically.
Leadership & scope
Functional platform owner across MUSE + DevJoy. Single design voice across 4 product surfaces and 7 governance personas, partnered with VP-level MRM Oversight and Internal Audit leadership.
Direct: 3 designers + 1 researcher. Cross-functional: ~25 (eng, PM, MRM officers, audit partners).
VP Model Risk Management, Chief Model Risk Officer, Head of Internal Audit, Director of TechOps, regulator-facing review committee.
Hired and mentored 2 mid-level designers into senior; established design crit rituals, governance-domain onboarding playbook, and a portfolio review track now used org-wide.
- 01
Killed a proposed 'super-admin' role — would have collapsed segregation of duties and broken SR 11-7 traceability. Re-routed work into role-aware queues instead.
- 02
Pushed back on a 'wizard-only' registration pattern; designed a stateful, resumable flow because real models take weeks to register across teams.
- 03
Aligned MRM, Audit and Engineering on a single status taxonomy — eliminated 3 conflicting lifecycle vocabularies that had been fighting in tickets for years.
AI-specific design decisions
How DevJoy handles the hard parts of putting ML behind a regulated governance surface.
Confidence & provenance on every model output
Model owners and auditors need to know not just what a model said, but how sure it was and what data shaped that answer — without drowning in telemetry.
Every prediction surfaces a confidence band, the model version that produced it, and a one-click jump to the validation run, data lineage and approved-usage scope it was sanctioned under.
Adds vertical density on the result card; we earned it back by collapsing four legacy 'evidence' tabs into one inline strip.
Human-in-the-loop validation queues
Independent validators were being asked to rubber-stamp AI-flagged findings. That breaks the independence regulators require.
Built a dual-track queue: AI proposes a finding severity and remediation, but the validator must independently classify before they can see the AI's suggestion. Disagreements are logged as governance evidence.
Slower throughput per validator, but every disagreement became a training signal — and audit defensibility went from 'argue about it' to 'point at the log'.
Hallucination guardrails on AI training flows
DevJoy lets developers train new banking models. A hallucinated assumption baked into a training run can silently invalidate downstream approvals.
Training runs inherit the parent model's approved assumptions as locked guardrails. Any AI-suggested change to assumptions, inputs or scope routes to MO + PR for explicit re-attestation before the run continues.
Adds friction the first time a developer wants to deviate; the friction is exactly the control auditors asked for.
Background
What is a model lifecycle?
In banking, a model is any system that uses math or data to make decisions that affect customers or the business — like predicting loan defaults, setting interest rates, or detecting fraud. Because these decisions can have serious consequences, regulators require banks to prove every model is sound, properly tested, and used only in ways it was approved for. A model's lifecycle starts when someone registers it, then it goes through independent validation, gets activated for use, and must be revalidated regularly until it is retired. If a model changes, fails a test, or is used outside its approved scope, that needs to be tracked and fixed — with evidence an auditor can follow.
Process
How we built it
Policy → workflow translation
Worked with MRM Oversight, Model Owners, Controllers and Internal Audit to translate enterprise MRM policy and supervisory expectations into screen-level workflows. Mapped the governance hierarchy — Enterprise MRM → MO → AO/TO → MC → MD/PR → LMU — into the platform's role model, permissions and approval routing.
Model lifecycle architecture
Designed end-to-end flows for model creation, versioning, validation execution and scheduling, findings remediation, attestations, model associations, approved usages and adjustments. Every state transition is logged, every role has a clear queue, every artifact carries the evidence an examiner needs.
Segregation of duties by design
Embedded clear accountability into the UI itself — MD builds, PR independently reviews, MC controls the lifecycle, MO owns business risk, AO/TO own application and infrastructure, LMU applies outputs to decisions. The platform refuses to let one role do another's job.
DevJoy — AI training on top of MUSE
Designed DevJoy so model developers can train and iterate banking models without leaving governance behind. Training runs inherit the parent model's controls, assumptions and approved-usage scope; versioning, validation schedules and findings update automatically as work moves forward.
Audit & examination readiness
Made traceability the default, not a report. Every model surfaces its version history, validation status, open findings, attestations, associations and usage map on one screen — so independent validation, internal audit and regulatory reviews can be answered with a link instead of a binder.

From scattered evidence to a single system of record
MUSE consolidated registration, validation, activation, revalidation and retirement into one workflow with role-aware queues, attestation chains and an audit trail every regulator can follow.
- Enterprise system of record for the full model lifecycle
- 7 governance roles with segregation of duties enforced in-product
- 100% of models carry traceable version, validation & attestation history
Gallery
Browse every screen
Full walkthrough of the model lifecycle — registration through reactivation.
Registration intake
The Model Developer captures what the model is, how it's built, and who's accountable — AI/ML technique, NPI handling, owners, delegates, and the inputs/outputs that downstream apps depend on.



Submission & risk tiering
Registration completes, quick actions appear, and the model moves into MRM review. The MO suggests a Risk Tier; MRM determines the final one using the Risk Tiering Worksheet.







MRM review & multi-role approvals
Stage 2 in three parts: inputs and peer review, associations and assumptions, then MDP approval with the full stakeholder sign-off chain. Implementation docs are reviewed and the Lead Validator attests.







Activation
Once MRM approves, the MC accepts management status, confirms in-use and implementation dates, and activates the version against its approved usages — without disturbing existing downstream consumers.







Reactivation
A retired model comes back. Planning submission, owners and roles reconfirmed, associations and risk re-evaluated, then Stage 1 and Stage 2 MRM review re-run with new governance approvals before it's live again.









Outcomes
What shipped, and what changed.
Enterprise system of record adopted across MRM, audit and business stakeholders.
Approval cycle time on governance flows reduced by ~50%.
Critical user errors on registration and validation flows down 62%.
Recoveries processing collapsed from one week to a few hours.