Case 01Fannie Mae

MUSE — Model Risk Management at Fannie Mae

Enterprise model lifecycle governance, regulator-aligned and audit-ready.

Role
Lead UX Designer · Functional Platform Owner
Period
2023 — Present
Location
Austin, TX
Tags
MRM · Governance
MUSE — Model Risk Management at Fannie Mae
01Fannie Mae
1
Enterprise system of record
7
Governance roles, SoD enforced
100%
Models with traceable history
24 mo
Sustained platform ownership

Context

Fannie Mae's model risk management organisation operates hundreds of machine-learning models that underwrite trillions of dollars in mortgage decisions. The supporting tooling had sprawled into fragmented internal apps, each owned by a different team and used by a different persona — model owners, lead model users, auditors and governance specialists — with no shared design language, navigation or data model between them.

Problem

At Fannie Mae, tracking a model's full lifecycle meant hunting through spreadsheets, SharePoint folders, and whatever a teammate remembered. Registration, version history, validation checks, findings, sign-offs and renewals were scattered across disconnected tools — so when regulators asked whether a model was safe, compliant and traceable, no one could prove it easily.

Approach

  1. 01

    Translated SR 11-7-aligned MRM policy into concrete, screen-level workflows with MRM Oversight, Model Owners, Controllers and Internal Audit.

  2. 02

    Designed end-to-end flows for model creation, versioning, validation execution and scheduling, findings remediation, attestations and approved usages.

  3. 03

    Embedded segregation of duties into the UI — the platform refuses to let one role do another's job, which is what auditors look for first.

  4. 04

    Designed DevJoy so developers can train and iterate banking models without leaving governance behind — versioning, validation schedules and findings update automatically.

Leadership & scope

Functional platform owner across MUSE + DevJoy. Single design voice across 4 product surfaces and 7 governance personas, partnered with VP-level MRM Oversight and Internal Audit leadership.

Team

Direct: 3 designers + 1 researcher. Cross-functional: ~25 (eng, PM, MRM officers, audit partners).

Stakeholders

VP Model Risk Management, Chief Model Risk Officer, Head of Internal Audit, Director of TechOps, regulator-facing review committee.

Mentorship

Hired and mentored 2 mid-level designers into senior; established design crit rituals, governance-domain onboarding playbook, and a portfolio review track now used org-wide.

Decisions I owned
  • 01

    Killed a proposed 'super-admin' role — would have collapsed segregation of duties and broken SR 11-7 traceability. Re-routed work into role-aware queues instead.

  • 02

    Pushed back on a 'wizard-only' registration pattern; designed a stateful, resumable flow because real models take weeks to register across teams.

  • 03

    Aligned MRM, Audit and Engineering on a single status taxonomy — eliminated 3 conflicting lifecycle vocabularies that had been fighting in tickets for years.

AI-specific design decisions

How DevJoy handles the hard parts of putting ML behind a regulated governance surface.

Pattern 01

Confidence & provenance on every model output

Problem

Model owners and auditors need to know not just what a model said, but how sure it was and what data shaped that answer — without drowning in telemetry.

Decision

Every prediction surfaces a confidence band, the model version that produced it, and a one-click jump to the validation run, data lineage and approved-usage scope it was sanctioned under.

Trade-off

Adds vertical density on the result card; we earned it back by collapsing four legacy 'evidence' tabs into one inline strip.

Pattern 02

Human-in-the-loop validation queues

Problem

Independent validators were being asked to rubber-stamp AI-flagged findings. That breaks the independence regulators require.

Decision

Built a dual-track queue: AI proposes a finding severity and remediation, but the validator must independently classify before they can see the AI's suggestion. Disagreements are logged as governance evidence.

Trade-off

Slower throughput per validator, but every disagreement became a training signal — and audit defensibility went from 'argue about it' to 'point at the log'.

Pattern 03

Hallucination guardrails on AI training flows

Problem

DevJoy lets developers train new banking models. A hallucinated assumption baked into a training run can silently invalidate downstream approvals.

Decision

Training runs inherit the parent model's approved assumptions as locked guardrails. Any AI-suggested change to assumptions, inputs or scope routes to MO + PR for explicit re-attestation before the run continues.

Trade-off

Adds friction the first time a developer wants to deviate; the friction is exactly the control auditors asked for.

Background

What is a model lifecycle?

In banking, a model is any system that uses math or data to make decisions that affect customers or the business — like predicting loan defaults, setting interest rates, or detecting fraud. Because these decisions can have serious consequences, regulators require banks to prove every model is sound, properly tested, and used only in ways it was approved for. A model's lifecycle starts when someone registers it, then it goes through independent validation, gets activated for use, and must be revalidated regularly until it is retired. If a model changes, fails a test, or is used outside its approved scope, that needs to be tracked and fixed — with evidence an auditor can follow.

Process

How we built it

    / STEP 01

    Policy → workflow translation

    Worked with MRM Oversight, Model Owners, Controllers and Internal Audit to translate enterprise MRM policy and supervisory expectations into screen-level workflows. Mapped the governance hierarchy — Enterprise MRM → MO → AO/TO → MC → MD/PR → LMU — into the platform's role model, permissions and approval routing.

    / STEP 02

    Model lifecycle architecture

    Designed end-to-end flows for model creation, versioning, validation execution and scheduling, findings remediation, attestations, model associations, approved usages and adjustments. Every state transition is logged, every role has a clear queue, every artifact carries the evidence an examiner needs.

    / STEP 03

    Segregation of duties by design

    Embedded clear accountability into the UI itself — MD builds, PR independently reviews, MC controls the lifecycle, MO owns business risk, AO/TO own application and infrastructure, LMU applies outputs to decisions. The platform refuses to let one role do another's job.

    / STEP 04

    DevJoy — AI training on top of MUSE

    Designed DevJoy so model developers can train and iterate banking models without leaving governance behind. Training runs inherit the parent model's controls, assumptions and approved-usage scope; versioning, validation schedules and findings update automatically as work moves forward.

    / STEP 05

    Audit & examination readiness

    Made traceability the default, not a report. Every model surfaces its version history, validation status, open findings, attestations, associations and usage map on one screen — so independent validation, internal audit and regulatory reviews can be answered with a link instead of a binder.

From scattered evidence to a single system of record
Outcome at a glance

From scattered evidence to a single system of record

MUSE consolidated registration, validation, activation, revalidation and retirement into one workflow with role-aware queues, attestation chains and an audit trail every regulator can follow.

  • Enterprise system of record for the full model lifecycle
  • 7 governance roles with segregation of duties enforced in-product
  • 100% of models carry traceable version, validation & attestation history

Gallery

Browse every screen

Full walkthrough of the model lifecycle — registration through reactivation.

Act 01

Registration intake

The Model Developer captures what the model is, how it's built, and who's accountable — AI/ML technique, NPI handling, owners, delegates, and the inputs/outputs that downstream apps depend on.

Registration 2 of 5 — AI/ML technique flags & NPI handling
Registration 2 of 5 — AI/ML technique flags & NPI handling
Registration 3 of 5 — committees, owners, delegates & Lead Model User
Registration 3 of 5 — committees, owners, delegates & Lead Model User
Inputs, outputs, sensitivities & upstream/downstream apps
Inputs, outputs, sensitivities & upstream/downstream apps
Act 02

Submission & risk tiering

Registration completes, quick actions appear, and the model moves into MRM review. The MO suggests a Risk Tier; MRM determines the final one using the Risk Tiering Worksheet.

Pending registration — quick actions to cancel or review
Pending registration — quick actions to cancel or review
Submit for MRM review
Submit for MRM review
Registration ready — complete to advance
Registration ready — complete to advance
Registration completed — pending MRM review
Registration completed — pending MRM review
Quick actions — Submit for MRM Review, Implementation Approval
Quick actions — Submit for MRM Review, Implementation Approval
Assigned LV, LV2, validation start date & MDP verification
Assigned LV, LV2, validation start date & MDP verification
MO Suggested vs MRM Determined Risk Tier
MO Suggested vs MRM Determined Risk Tier
Act 03

MRM review & multi-role approvals

Stage 2 in three parts: inputs and peer review, associations and assumptions, then MDP approval with the full stakeholder sign-off chain. Implementation docs are reviewed and the Lead Validator attests.

Submit for MRM Review & Approval — Lead Validator attestation
Submit for MRM Review & Approval — Lead Validator attestation
Complete Model Registration — accept/reject decision
Complete Model Registration — accept/reject decision
Stage 2 (1 of 3) — inputs, outputs, sensitivities & peer reviewer
Stage 2 (1 of 3) — inputs, outputs, sensitivities & peer reviewer
Stage 2 (2 of 3) — usages, assumptions, JDIs & adjustments
Stage 2 (2 of 3) — usages, assumptions, JDIs & adjustments
Stage 2 (2 of 3) — MPM/PDRM plans & reconciliation testing
Stage 2 (2 of 3) — MPM/PDRM plans & reconciliation testing
Implementation Documentation Review — testing, vetting, registry
Implementation Documentation Review — testing, vetting, registry
Stage 2 (3 of 3) — MDP approval & multi-role sign-off
Stage 2 (3 of 3) — MDP approval & multi-role sign-off
Act 04

Activation

Once MRM approves, the MC accepts management status, confirms in-use and implementation dates, and activates the version against its approved usages — without disturbing existing downstream consumers.

Model Version detail — lifecycle, registration & management state
Model Version detail — lifecycle, registration & management state
Quick actions — Update Management Status, Activate, Cancel
Quick actions — Update Management Status, Activate, Cancel
Update Model Management Status — set to Accepted
Update Model Management Status — set to Accepted
Activate Model Version without changing usage
Activate Model Version without changing usage
Active In-Use Date & Model Implementation Date
Active In-Use Date & Model Implementation Date
Activation — usage associations review & confirm
Activation — usage associations review & confirm
Active state — Lifecycle Active, Management Accepted
Active state — Lifecycle Active, Management Accepted
Act 05

Reactivation

A retired model comes back. Planning submission, owners and roles reconfirmed, associations and risk re-evaluated, then Stage 1 and Stage 2 MRM review re-run with new governance approvals before it's live again.

Retired model — Pending Reactivation
Retired model — Pending Reactivation
Cancel or continue reactivation development submission
Cancel or continue reactivation development submission
Reactivation Initiation — Model/SDC version, date, business case
Reactivation Initiation — Model/SDC version, date, business case
Stage 1 (1 of 3) — owners, delegates, Lead Model User, dev roles
Stage 1 (1 of 3) — owners, delegates, Lead Model User, dev roles
Stage 1 (2 of 3) — associations, CMDB assets, dates, risk tier
Stage 1 (2 of 3) — associations, CMDB assets, dates, risk tier
Stage 1 CCFA v2.0 Reactivated — Model Planning Submission
Stage 1 CCFA v2.0 Reactivated — Model Planning Submission
Stage 1 — MRM review with LV 2 assignment & Risk Tier
Stage 1 — MRM review with LV 2 assignment & Risk Tier
Stage 1 MRM Review — accept/reject & LV attestation
Stage 1 MRM Review — accept/reject & LV attestation
Stage 2 MRM Review — Risk Tier, DAT & final attestation
Stage 2 MRM Review — Risk Tier, DAT & final attestation

Outcomes

What shipped, and what changed.

01

Enterprise system of record adopted across MRM, audit and business stakeholders.

02

Approval cycle time on governance flows reduced by ~50%.

03

Critical user errors on registration and validation flows down 62%.

04

Recoveries processing collapsed from one week to a few hours.

Functional Platform Owner
Vinoth Kumar Manickam
Product
MUSE platform & DevJoy team
Partners
MRM Oversight · Internal Audit · TechOPS