Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature AI Risk

SR 26-2 and OCC 2026-13: What the New Model Risk Management Guidance Changes — and the GenAI Gap Your Program Needs to Close

The interagency guidance that replaced SR 11-7 on April 17, 2026 is voluntary and principles-based — and it explicitly excludes generative AI and agentic AI from scope. Here's what changed, what examiners will still test, and the gap your AI governance program needs to close before the AI-specific RFI lands.

By Rebecca Leung · July 2, 2026 ·
Table of Contents

TL;DR

  • On April 17, 2026, the OCC, Federal Reserve, and FDIC replaced SR 11-7 and OCC 2011-12 with new interagency model risk guidance — SR 26-2 / OCC 2026-13 — the first substantive update in 15 years
  • The new guidance is voluntary and principles-based: non-compliance will not generate supervisory criticism
  • It explicitly excludes generative AI and agentic AI from scope; a forthcoming AI-specific RFI is expected but not yet published
  • Your MRM program still needs to govern GenAI tools — “existing risk management expectations still apply” — and the Treasury FS AI RMF (230 control objectives) is the voluntary framework you should be using now

SR 11-7 ran American banking model risk management for 15 years. Every validation report, every model inventory, every board-level model risk committee agenda in the U.S. referenced it. On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly retired it.

The replacement — SR 26-2 (Federal Reserve) and OCC Bulletin 2026-13 — is different in almost every structural way. It’s voluntary. It’s principles-based. And it explicitly declines to govern the AI tools your organization is actually deploying at scale right now.

If you run a model risk function, here’s your read.


What the April 2026 Interagency Guidance Actually Changed

The biggest structural shift: SR 26-2 / OCC 2026-13 is not enforceable. The agencies explicitly stated that non-compliance will not result in supervisory criticism. After 15 years of SR 11-7 being cited in Matters Requiring Attention and enforcement actions as though it were binding regulation, that mechanism is gone.

SR 11-7 / OCC 2011-12 (2011)SR 26-2 / OCC 2026-13 (2026)
Enforcement weightEffectively binding — cited in MRAsVoluntary — non-compliance not criticizable
Validation approachPrescriptive: VaR backtesting, parallel outcomes analysis, process verification of codePrinciples-based: retain three core components, no prescribed methods
Board/management dutiesSpecific, enumerated tasksClear roles and accountability — no task lists
Internal audit tasksEnumerated in guidanceOrganizational independence retained; specific tasks not prescribed
Community bank applicabilityApplied regardless of institution sizeOCC 2025-26 (Oct 2025) already provided size-appropriate relief
GenAI/agentic AI scopeWas applied to ML models by extensionExplicitly excluded

Three core validation components are retained from the 2011 framework: conceptual soundness, outcomes analysis, and ongoing monitoring. Those don’t go away. What’s eliminated is the layer of prescriptive methodology underneath them — VaR backtesting frequency requirements, specific benchmarking approaches, override analysis requirements, enumerated audit steps.

The OCC also issued Bulletin 2025-26 in October 2025 — before the joint guidance — specifically providing relief to community banks. Institutions with up to $30 billion in assets would not receive negative supervisory feedback solely based on validation frequency or scope, as long as the bank determined its approach was commensurate with its risk profile. Annual model validation is no longer required for all models.


The GenAI Exclusion: Why the Agencies Punted

The April 2026 guidance spent considerable length on governance principles for traditional statistical models, then added a short paragraph that effectively said: generative AI and agentic AI are “novel and rapidly evolving,” they’re not within the scope of this guidance, existing risk management expectations still apply, and an AI-specific RFI is coming.

That’s not an oversight. It’s a deliberate policy call — and it has significant practical implications.

Why the exclusion makes regulatory sense, even if it creates operational headaches:

Conceptual soundness doesn’t translate cleanly to LLMs. For a credit risk model, conceptual soundness means evaluating the theoretical underpinning, data quality, and statistical methodology against objective benchmarks. For a large language model generating loan modification letters or summarizing regulatory filings, “conceptual soundness” is far harder to define and test. What does a validation benchmark look like when outputs are natural language?

Outcomes analysis breaks down for generative outputs. The SR 11-7 outcomes analysis framework was designed for models with quantifiable, auditable predictions — loan default probabilities, fraud scores, pricing. Evaluating an LLM’s outputs against outcomes requires different methods: hallucination rates, factual accuracy testing, sentiment drift, demographic bias in language — none of which map to traditional performance monitoring protocols.

The agencies need industry data before prescribing methods. A forthcoming Request for Information on AI, generative AI, and agentic AI model risk has been committed to by the OCC, Fed, and FDIC. As of July 3, 2026, it has not been published. The exclusion is intentional and temporary — the RFI will collect what the industry is actually doing before any binding standards are set.


What “Existing Expectations Still Apply” Means for Your MRM Program

The guidance’s exclusion of GenAI doesn’t mean your generative AI tools are ungoverned. The agencies were explicit: existing risk management and governance practices “should guide the determination of appropriate governance and controls” for tools not within scope.

What examiners will test — drawing on general safety-and-soundness authority and governance principles — even without binding model risk rules for GenAI:

Responsible ownership for each GenAI tool in production. Not a vendor relationship manager. A model risk owner who understands what the tool does, what data it processes, and what failure modes exist. The AI audit trail requirements examiners are testing apply here — documented ownership and accountability are the starting point.

Pre-deployment review for new GenAI use cases. The agencies expect evaluation before GenAI tools go live in customer-facing or risk-relevant contexts. What that evaluation looks like doesn’t have to follow SR 11-7’s validation framework — but it needs to exist and be documented.

Post-deployment monitoring. Outcomes analysis for generative AI looks different from statistical model performance monitoring: customer complaint rates tied to AI outputs, hallucination detection logs, escalated cases, adverse action accuracy where AI informs credit decisions. Some form of ongoing monitoring is expected regardless of the regulatory gap.

Third-party vendor risk assessment. The 2023 interagency third-party risk management guidance applies to AI vendor relationships. If your firm is using OpenAI, Anthropic, Microsoft Copilot, or any other AI provider for risk-relevant functions, those relationships require documented due diligence — including data handling, training opt-outs, and incident notification procedures.

FINRA flagged similar expectations in its December 2025 Annual Regulatory Oversight Report, which dedicated a full standalone section to GenAI governance for broker-dealers — including pre-deployment assessments, hallucination controls, supervisory systems for AI-generated outputs, and specific attention to agentic AI systems that may require novel oversight mechanisms.


The Treasury FS AI RMF: The Voluntary Standard Filling Part of the Gap

While federal banking regulators deferred on GenAI model risk governance, Treasury moved on February 19, 2026 with the Financial Services AI Risk Management Framework (FS AI RMF) — developed through the Financial Services Sector Coordinating Council (FSSCC), the Financial and Banking Information Infrastructure Committee (FBIIC), and the Cyber Risk Institute, with input from more than 100 financial institutions.

The FS AI RMF delivers four outputs:

  1. AI Adoption Stage Questionnaire — assessing where your organization is in the AI lifecycle
  2. Risk and Control Matrix (RCM) — the 230 control objectives mapped by risk domain and adoption stage
  3. User Guidebook — practical implementation guidance
  4. Control Objective Reference Guide — crosswalk to NIST AI RMF, ISO 42001, and other standards

The 230 control objectives cover seven risk domains: governance, data, model development, validation, monitoring, third-party risk, and consumer protection.

The framework is voluntary — Treasury’s endorsement gives it political weight, but it doesn’t create a regulatory obligation. What it does create is a documented reference point: if your firm is using the FS AI RMF as your GenAI governance framework, you have an answer when examiners ask what standard you’re applying.

The FS AI RMF also provides what SR 26-2 / OCC 2026-13 explicitly left out: a financial-services-specific vocabulary and control structure for generative AI and agentic AI governance. The forthcoming AI RFI from the banking agencies will likely build on it.


What State Regulators Aren’t Waiting For

If you’re tempted to treat the guidance gap as an invitation to defer GenAI governance until binding federal rules arrive, state regulators have different timelines.

NYDFS incorporated AI governance questions into its examination process and issued Frontier AI Cybersecurity Guidance in May 2026 specifically addressing large language models used in financial services. New York-regulated institutions face examination pressure on AI governance today, not after the AI RFI.

Colorado’s SB 26-189 — covering automated decision-making for consequential decisions including credit — takes effect January 1, 2027 for institutions doing business in Colorado. The CFPB’s Reg B changes effective July 21, 2026 reshape fair lending obligations for AI credit models from a consumer protection direction that SR 26-2 doesn’t address.

The voluntary nature of the federal banking guidance doesn’t neutralize state-level AI governance obligations.


The FSB Is Watching Too

The Financial Stability Board published a consultation report on sound practices for responsible AI adoption on June 10, 2026 — open for comment until July 22, 2026. The FSB’s 12 sound practices address: organization-wide AI governance, risk management through development and deployment stages, and cyber/ICT/third-party risk for AI.

On agentic AI specifically, the FSB consultation acknowledges that continuous human monitoring of individual agent decisions becomes impractical as systems multiply — recommending “human-in-command” oversight with AI monitoring other AI at scale. A final FSB report is expected October 2026, which may shape subsequent US regulatory action.


So What? A 90-Day Action Plan for MRM Teams

Days 1–30: Gap assessment Map your AI/ML model inventory to the new SR 26-2 / OCC 2026-13 framework. Which models are within scope of the revised guidance — traditional statistical models? Which are in the GenAI/agentic exclusion zone? For each GenAI tool in production, document: who owns it, what’s the use case, what data it touches, and what controls currently exist.

Days 31–60: GenAI governance documentation For each GenAI tool in production: pre-deployment review documented? Post-deployment monitoring in place? Third-party vendor assessment completed? This doesn’t require full SR 11-7–style validation — it requires demonstrating that governance exists and is proportionate to the use case’s risk. The AI Risk Assessment Template & Guide covers the pre-deployment checklist, vendor questionnaire, and AI use case inventory for this documentation work.

Days 61–90: FS AI RMF mapping Use the Treasury FS AI RMF to assess your control coverage against its 230 control objectives for your highest-risk GenAI use cases. This positions your firm to respond to the forthcoming AI RFI with a documented framework — and gives examiners a concrete reference point when they ask what standard you’re using to govern GenAI.

The three validation components SR 26-2 retained — conceptual soundness, outcomes analysis, ongoing monitoring — need to be adapted for generative AI even without binding guidance. MRM teams that start building that translation now will be better positioned than those waiting for the AI RFI to land.

The shadow AI inventory is step one. You can’t govern GenAI tools you don’t know about.


The irony of April 17, 2026: the day the agencies released the most significant model risk governance update in 15 years, they also confirmed that the models regulators most want to talk about — LLMs, AI agents, generative tools — aren’t covered yet. The regulatory calendar has a gap. What fills it, in the meantime, is documented governance — not waiting.

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

What did SR 26-2 and OCC 2026-13 change from SR 11-7?
SR 26-2 (Federal Reserve) and OCC Bulletin 2026-13, issued jointly on April 17, 2026, are voluntary and principles-based — non-compliance will not result in supervisory criticism. SR 11-7 was effectively binding and cited in MRAs. The new guidance retains three core validation components (conceptual soundness, outcomes analysis, ongoing monitoring) but eliminates prescriptive methodology requirements including VaR backtesting frequency, parallel outcomes analysis, and detailed board/audit task lists.
Does SR 26-2 / OCC 2026-13 apply to AI and machine learning models?
Traditional statistical ML models used in credit underwriting, fraud detection, and AML transaction monitoring generally remain within scope. However, the guidance explicitly excludes generative AI (LLMs, diffusion models) and agentic AI, citing that these are 'novel and rapidly evolving.' The agencies plan to issue a separate AI-specific Request for Information — not yet published as of July 2026.
Why did the agencies exclude generative AI from the new model risk guidance?
The agencies cited novelty and rapid evolution as the rationale. The deeper challenge is methodological: core validation concepts like conceptual soundness and outcomes analysis don't translate cleanly to generative outputs. Rather than issue premature prescriptive requirements, the agencies opted to gather data through a forthcoming AI-specific RFI first.
What is the Treasury FS AI RMF and does it replace SR 11-7 for AI?
The Financial Services AI Risk Management Framework (FS AI RMF), released February 19, 2026, is a voluntary framework endorsed by Treasury and developed by the FSSCC, FBIIC, and Cyber Risk Institute. It provides 230 control objectives across seven AI risk domains and four adoption stages, aligned with NIST AI RMF. It is not a regulatory requirement — but it is the closest financial-services-specific AI governance standard currently available.
Do community banks still need to validate models under the new guidance?
Yes, but with more flexibility. OCC Bulletin 2025-26 (October 2025) clarified that community banks will not receive negative supervisory feedback solely for the frequency or scope of model validation, as long as their approach is commensurate with their risk exposures and business complexity. Annual validation is no longer required for all models.
What will examiners test for AI governance even without binding AI model risk guidance?
Even without SR 26-2 applying to GenAI tools, examiners will test whether responsible ownership exists for each AI tool, whether a pre-deployment review process is documented, whether outputs are monitored post-deployment, and whether third-party AI vendor relationships have been risk-assessed under 2023 interagency third-party risk management guidance.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.