Feature AI Risk
SR 26-2 and OCC 2026-13: What the New Model Risk Management Guidance Changes — and the GenAI Gap Your Program Needs to Close
The interagency guidance that replaced SR 11-7 on April 17, 2026 is voluntary and principles-based — and it explicitly excludes generative AI and agentic AI from scope. Here's what changed, what examiners will still test, and the gap your AI governance program needs to close before the AI-specific RFI lands.
Table of Contents
TL;DR
- On April 17, 2026, the OCC, Federal Reserve, and FDIC replaced SR 11-7 and OCC 2011-12 with new interagency model risk guidance — SR 26-2 / OCC 2026-13 — the first substantive update in 15 years
- The new guidance is voluntary and principles-based: non-compliance will not generate supervisory criticism
- It explicitly excludes generative AI and agentic AI from scope; a forthcoming AI-specific RFI is expected but not yet published
- Your MRM program still needs to govern GenAI tools — “existing risk management expectations still apply” — and the Treasury FS AI RMF (230 control objectives) is the voluntary framework you should be using now
SR 11-7 ran American banking model risk management for 15 years. Every validation report, every model inventory, every board-level model risk committee agenda in the U.S. referenced it. On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly retired it.
The replacement — SR 26-2 (Federal Reserve) and OCC Bulletin 2026-13 — is different in almost every structural way. It’s voluntary. It’s principles-based. And it explicitly declines to govern the AI tools your organization is actually deploying at scale right now.
If you run a model risk function, here’s your read.
What the April 2026 Interagency Guidance Actually Changed
The biggest structural shift: SR 26-2 / OCC 2026-13 is not enforceable. The agencies explicitly stated that non-compliance will not result in supervisory criticism. After 15 years of SR 11-7 being cited in Matters Requiring Attention and enforcement actions as though it were binding regulation, that mechanism is gone.
| SR 11-7 / OCC 2011-12 (2011) | SR 26-2 / OCC 2026-13 (2026) | |
|---|---|---|
| Enforcement weight | Effectively binding — cited in MRAs | Voluntary — non-compliance not criticizable |
| Validation approach | Prescriptive: VaR backtesting, parallel outcomes analysis, process verification of code | Principles-based: retain three core components, no prescribed methods |
| Board/management duties | Specific, enumerated tasks | Clear roles and accountability — no task lists |
| Internal audit tasks | Enumerated in guidance | Organizational independence retained; specific tasks not prescribed |
| Community bank applicability | Applied regardless of institution size | OCC 2025-26 (Oct 2025) already provided size-appropriate relief |
| GenAI/agentic AI scope | Was applied to ML models by extension | Explicitly excluded |
Three core validation components are retained from the 2011 framework: conceptual soundness, outcomes analysis, and ongoing monitoring. Those don’t go away. What’s eliminated is the layer of prescriptive methodology underneath them — VaR backtesting frequency requirements, specific benchmarking approaches, override analysis requirements, enumerated audit steps.
The OCC also issued Bulletin 2025-26 in October 2025 — before the joint guidance — specifically providing relief to community banks. Institutions with up to $30 billion in assets would not receive negative supervisory feedback solely based on validation frequency or scope, as long as the bank determined its approach was commensurate with its risk profile. Annual model validation is no longer required for all models.
The GenAI Exclusion: Why the Agencies Punted
The April 2026 guidance spent considerable length on governance principles for traditional statistical models, then added a short paragraph that effectively said: generative AI and agentic AI are “novel and rapidly evolving,” they’re not within the scope of this guidance, existing risk management expectations still apply, and an AI-specific RFI is coming.
That’s not an oversight. It’s a deliberate policy call — and it has significant practical implications.
Why the exclusion makes regulatory sense, even if it creates operational headaches:
Conceptual soundness doesn’t translate cleanly to LLMs. For a credit risk model, conceptual soundness means evaluating the theoretical underpinning, data quality, and statistical methodology against objective benchmarks. For a large language model generating loan modification letters or summarizing regulatory filings, “conceptual soundness” is far harder to define and test. What does a validation benchmark look like when outputs are natural language?
Outcomes analysis breaks down for generative outputs. The SR 11-7 outcomes analysis framework was designed for models with quantifiable, auditable predictions — loan default probabilities, fraud scores, pricing. Evaluating an LLM’s outputs against outcomes requires different methods: hallucination rates, factual accuracy testing, sentiment drift, demographic bias in language — none of which map to traditional performance monitoring protocols.
The agencies need industry data before prescribing methods. A forthcoming Request for Information on AI, generative AI, and agentic AI model risk has been committed to by the OCC, Fed, and FDIC. As of July 3, 2026, it has not been published. The exclusion is intentional and temporary — the RFI will collect what the industry is actually doing before any binding standards are set.
What “Existing Expectations Still Apply” Means for Your MRM Program
The guidance’s exclusion of GenAI doesn’t mean your generative AI tools are ungoverned. The agencies were explicit: existing risk management and governance practices “should guide the determination of appropriate governance and controls” for tools not within scope.
What examiners will test — drawing on general safety-and-soundness authority and governance principles — even without binding model risk rules for GenAI:
Responsible ownership for each GenAI tool in production. Not a vendor relationship manager. A model risk owner who understands what the tool does, what data it processes, and what failure modes exist. The AI audit trail requirements examiners are testing apply here — documented ownership and accountability are the starting point.
Pre-deployment review for new GenAI use cases. The agencies expect evaluation before GenAI tools go live in customer-facing or risk-relevant contexts. What that evaluation looks like doesn’t have to follow SR 11-7’s validation framework — but it needs to exist and be documented.
Post-deployment monitoring. Outcomes analysis for generative AI looks different from statistical model performance monitoring: customer complaint rates tied to AI outputs, hallucination detection logs, escalated cases, adverse action accuracy where AI informs credit decisions. Some form of ongoing monitoring is expected regardless of the regulatory gap.
Third-party vendor risk assessment. The 2023 interagency third-party risk management guidance applies to AI vendor relationships. If your firm is using OpenAI, Anthropic, Microsoft Copilot, or any other AI provider for risk-relevant functions, those relationships require documented due diligence — including data handling, training opt-outs, and incident notification procedures.
FINRA flagged similar expectations in its December 2025 Annual Regulatory Oversight Report, which dedicated a full standalone section to GenAI governance for broker-dealers — including pre-deployment assessments, hallucination controls, supervisory systems for AI-generated outputs, and specific attention to agentic AI systems that may require novel oversight mechanisms.
The Treasury FS AI RMF: The Voluntary Standard Filling Part of the Gap
While federal banking regulators deferred on GenAI model risk governance, Treasury moved on February 19, 2026 with the Financial Services AI Risk Management Framework (FS AI RMF) — developed through the Financial Services Sector Coordinating Council (FSSCC), the Financial and Banking Information Infrastructure Committee (FBIIC), and the Cyber Risk Institute, with input from more than 100 financial institutions.
The FS AI RMF delivers four outputs:
- AI Adoption Stage Questionnaire — assessing where your organization is in the AI lifecycle
- Risk and Control Matrix (RCM) — the 230 control objectives mapped by risk domain and adoption stage
- User Guidebook — practical implementation guidance
- Control Objective Reference Guide — crosswalk to NIST AI RMF, ISO 42001, and other standards
The 230 control objectives cover seven risk domains: governance, data, model development, validation, monitoring, third-party risk, and consumer protection.
The framework is voluntary — Treasury’s endorsement gives it political weight, but it doesn’t create a regulatory obligation. What it does create is a documented reference point: if your firm is using the FS AI RMF as your GenAI governance framework, you have an answer when examiners ask what standard you’re applying.
The FS AI RMF also provides what SR 26-2 / OCC 2026-13 explicitly left out: a financial-services-specific vocabulary and control structure for generative AI and agentic AI governance. The forthcoming AI RFI from the banking agencies will likely build on it.
What State Regulators Aren’t Waiting For
If you’re tempted to treat the guidance gap as an invitation to defer GenAI governance until binding federal rules arrive, state regulators have different timelines.
NYDFS incorporated AI governance questions into its examination process and issued Frontier AI Cybersecurity Guidance in May 2026 specifically addressing large language models used in financial services. New York-regulated institutions face examination pressure on AI governance today, not after the AI RFI.
Colorado’s SB 26-189 — covering automated decision-making for consequential decisions including credit — takes effect January 1, 2027 for institutions doing business in Colorado. The CFPB’s Reg B changes effective July 21, 2026 reshape fair lending obligations for AI credit models from a consumer protection direction that SR 26-2 doesn’t address.
The voluntary nature of the federal banking guidance doesn’t neutralize state-level AI governance obligations.
The FSB Is Watching Too
The Financial Stability Board published a consultation report on sound practices for responsible AI adoption on June 10, 2026 — open for comment until July 22, 2026. The FSB’s 12 sound practices address: organization-wide AI governance, risk management through development and deployment stages, and cyber/ICT/third-party risk for AI.
On agentic AI specifically, the FSB consultation acknowledges that continuous human monitoring of individual agent decisions becomes impractical as systems multiply — recommending “human-in-command” oversight with AI monitoring other AI at scale. A final FSB report is expected October 2026, which may shape subsequent US regulatory action.
So What? A 90-Day Action Plan for MRM Teams
Days 1–30: Gap assessment Map your AI/ML model inventory to the new SR 26-2 / OCC 2026-13 framework. Which models are within scope of the revised guidance — traditional statistical models? Which are in the GenAI/agentic exclusion zone? For each GenAI tool in production, document: who owns it, what’s the use case, what data it touches, and what controls currently exist.
Days 31–60: GenAI governance documentation For each GenAI tool in production: pre-deployment review documented? Post-deployment monitoring in place? Third-party vendor assessment completed? This doesn’t require full SR 11-7–style validation — it requires demonstrating that governance exists and is proportionate to the use case’s risk. The AI Risk Assessment Template & Guide covers the pre-deployment checklist, vendor questionnaire, and AI use case inventory for this documentation work.
Days 61–90: FS AI RMF mapping Use the Treasury FS AI RMF to assess your control coverage against its 230 control objectives for your highest-risk GenAI use cases. This positions your firm to respond to the forthcoming AI RFI with a documented framework — and gives examiners a concrete reference point when they ask what standard you’re using to govern GenAI.
The three validation components SR 26-2 retained — conceptual soundness, outcomes analysis, ongoing monitoring — need to be adapted for generative AI even without binding guidance. MRM teams that start building that translation now will be better positioned than those waiting for the AI RFI to land.
The shadow AI inventory is step one. You can’t govern GenAI tools you don’t know about.
The irony of April 17, 2026: the day the agencies released the most significant model risk governance update in 15 years, they also confirmed that the models regulators most want to talk about — LLMs, AI agents, generative tools — aren’t covered yet. The regulatory calendar has a gap. What fills it, in the meantime, is documented governance — not waiting.
◆ Need the working template?
Start with the source guide.
These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.
◆ Related template
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
◆ Immaterial Findings · Weekly
Sharp risk & compliance insights. No fluff.
◆ FAQ
Frequently asked questions.
What did SR 26-2 and OCC 2026-13 change from SR 11-7?
Does SR 26-2 / OCC 2026-13 apply to AI and machine learning models?
Why did the agencies exclude generative AI from the new model risk guidance?
What is the Treasury FS AI RMF and does it replace SR 11-7 for AI?
Do community banks still need to validate models under the new guidance?
What will examiners test for AI governance even without binding AI model risk guidance?
Author
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.
◆ Related framework
AI Risk Assessment Template & Guide
Comprehensive AI model governance and risk assessment templates for financial services teams.
◆ Keep reading
Related posts.
AI Risk
Agentic AI in Financial Services 2026: The Governance Framework Your Board Doesn't Know It Needs
SR 26-2 carved agentic AI out of model risk scope in April 2026. That didn't make the risk disappear — it moved the governance burden entirely onto you. Here's what a functional agentic AI governance framework looks like and why you need one before your next exam.
Jul 6, 2026
AI Risk
SR 26-2 for Community and Regional Banks: What the Proportionality Principle Actually Requires
SR 26-2 and OCC 2026-13 replaced SR 11-7 on April 17, 2026 — and the proportionality principle changes what model risk management looks like for banks under $100 billion. Here's what's actually required, what's still expected, and how to calibrate your program.
Jul 3, 2026
AI Risk
EU AI Act August 2, 2026: Your 32-Day Compliance Checklist — What's Still Required After the Omnibus Deferral
The Digital Omnibus pushed Annex III high-risk AI to December 2027 — but August 2, 2026 still brings Article 50 transparency requirements and full GPAI enforcement powers. Here's your verified 32-day checklist.
Jun 30, 2026