Skip to content
RiskTemplates · The Daily Brief Thursday, July 9, 2026
Wire CFPB's New Enforcement Principles: What the Bilt Case Tells You About How the Bureau Intends to Police Consumer Finance JUN 22

Feature AI Risk

Agentic AI in Financial Services 2026: The Governance Framework Your Board Doesn't Know It Needs

SR 26-2 carved agentic AI out of model risk scope in April 2026. That didn't make the risk disappear — it moved the governance burden entirely onto you. Here's what a functional agentic AI governance framework looks like and why you need one before your next exam.

By Rebecca Leung · July 6, 2026 ·
Table of Contents

On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2 — the first overhaul of model risk guidance in fifteen years. The headline was what it covered. The story that matters for risk teams is what it didn’t cover.

TL;DR

  • SR 26-2 (April 2026) explicitly excludes generative AI and agentic AI from model risk scope — calling them “novel and rapidly evolving”
  • The exclusion shifts governance responsibility entirely to the institution, with no regulatory template
  • NYDFS Part 500 + May 2026 frontier AI guidance creates real compliance obligations for NY-regulated entities using AI agents
  • The Financial Stability Board is signaling what supervisors globally expect: agent identifiers, restricted external access, and transaction controls

Agentic AI — systems that autonomously plan and execute multi-step tasks without human approval at each step — is no longer a lab experiment. It’s in production at financial institutions right now: running compliance checks, drafting regulatory filings, executing multi-step data queries, and interacting with external APIs. And as of April 2026, the regulatory guidance framework explicitly has nothing to say about how to govern it.

“Outside the framework is not outside the risk perimeter.” That line comes from an analysis of SR 26-2’s AI exclusion, and it’s the most important thing compliance and risk teams need to internalize.

What SR 26-2 Actually Says About Agentic AI

SR 26-2 replaced SR 11-7, which had governed model risk management for fifteen years. The new guidance is intentionally principles-based and voluntary — a significant departure from SR 11-7’s de facto mandatory standards.

On AI, the guidance makes a critical distinction: traditional statistical and quantitative models remain fully in scope. Generative AI (LLMs, diffusion models) and agentic AI are explicitly excluded. The rationale is honest: these systems are novel, rapidly evolving, and the core validation concepts from SR 11-7 — conceptual soundness, outcomes analysis, ongoing monitoring — don’t translate cleanly to systems whose outputs are generative or whose behavior emerges from chains of autonomous decisions.

The agencies have promised a separate AI-specific Request for Information. As of July 2026, it has not been published.

The nuance that matters: If an AI agent accesses or utilizes a traditional statistical model — a credit scoring model, a fraud detection model, an AML transaction monitoring model — that underlying model remains fully in scope under SR 26-2. The exclusion applies to the agent layer itself, not to the models it invokes. This means your governance program needs to track which traditional models are being called by agents, and make sure those models are still getting proper validation regardless of how they’re being accessed.

For a deeper look at what SR 26-2 actually changed (and what examiners will still test), see our post on SR 26-2 and the GenAI governance gap.

What NYDFS Expects Right Now

While the federal model risk framework punted on agentic AI, NYDFS hasn’t been quiet.

NYDFS Part 500’s 2023 amendments already require covered financial institutions to include AI systems within their cybersecurity programs — risk assessments, access controls, and audit trails for any AI system processing customer data. An AI agent that touches customer data, accesses internal systems, or interfaces with third parties is squarely within the scope of what Part 500 requires you to have assessed and documented.

In May 2026, NYDFS amplified this with frontier AI guidance warning that frontier AI models amplify the speed and scale at which vulnerabilities are discovered and exploited. The guidance directed covered entities to strengthen vulnerability management, third-party coordination, secure programming practices, and monitoring and reporting specifically in the context of AI deployment.

If you’re NYDFS-supervised and using AI agents — even off-the-shelf agents from vendors — and you haven’t updated your Part 500 risk assessment to address those agents explicitly, you have a gap. Our post on the NYDFS May 2026 frontier AI cybersecurity guidance walks through the specific requirements.

The RAISE Act: What Your AI Vendors Now Owe You

New York’s Responsible AI Safety and Education Act (RAISE Act) was signed by Governor Hochul on March 27, 2026 and takes effect January 1, 2027. It doesn’t apply to most financial institutions directly — it targets AI developers with $500M+ in annual revenue operating frontier models trained using 10^26+ FLOPs with $100M+ compute costs. OpenAI, Google DeepMind, Anthropic — those developers.

But for financial institutions using those developers’ models and agents, the RAISE Act creates indirect compliance obligations through your vendor relationships. Under the Act, covered developers must:

  • Publish safety and security protocols
  • Report incidents to NYDFS within 72 hours of determining one occurred
  • File disclosure statements with NYDFS
  • Potentially undergo annual independent audits

Penalties start at $1 million for an initial violation and reach $3 million for subsequent violations. NYDFS has broad rulemaking and enforcement authority under the amended Act.

What this means practically: your third-party AI vendor due diligence now needs a RAISE Act component. You should know whether your key AI vendors are covered developers, what their safety protocols say, and whether they have incident reporting obligations that would affect your SLA and notification requirements if an AI system fails.

The Governor Hochul’s signing announcement includes the key provisions worth reviewing with your vendor management and legal teams.

What the FSB’s Framework Tells You About Where Global Supervisors Are Heading

Regulatory guidance tends to lag deployment by 18-24 months. But the Financial Stability Board’s work on AI agents gives you a preview of where supervisory expectations are heading globally — and therefore what your governance program should be building toward now.

The FSB’s recommended controls for AI agents in financial services include:

  • Individual agent identifiers: Every AI agent should have a traceable identity so its actions can be attributed, audited, and reconstructed. Not “our AI system did this” — the specific agent instance, with its version, configuration, and access scope.
  • Human approval gates for external system interactions: Agents that can interact with external systems — APIs, external databases, third-party services — should require explicit human approval or have technical controls preventing autonomous external actions beyond defined parameters.
  • Transaction-level controls: Any AI agent that can execute financial transactions — even internal ones — needs hard limits and human-in-the-loop checkpoints. An agent that can approve a wire, move a balance, or modify a credit decision is a fundamentally different risk profile than one that can only read data.

These aren’t requirements yet. They’re the baseline that will become requirements once the AI-specific RFI closes and guidance gets issued. Build toward them now and you’re ahead of the curve; ignore them and your next exam cycle after guidance drops will be expensive.

Building a Governance Framework for Agentic AI

The core problem with agentic AI governance is that the validation playbook from SR 11-7/SR 26-2 doesn’t transfer cleanly. You can’t backtest an agent the way you backtest a credit model. You can’t evaluate “conceptual soundness” for a system that’s autonomously reasoning through multi-step tasks.

What you can do is establish governance around the conditions under which agents operate:

1. Agent Inventory and Risk Tiering

Extend your AI use case inventory to specifically capture agentic systems. For each agent:

  • What is it authorized to do? (read data vs. execute actions vs. make decisions vs. communicate externally)
  • What data can it access?
  • What is the maximum impact of an autonomous decision it makes?
  • Is there a human-in-the-loop checkpoint before consequential actions?

Risk-tier agents by their autonomy level and potential impact. A read-only research agent is materially different from an agent that can draft customer communications, execute trades, or modify account settings.

2. Pre-Deployment Review

Before any agent goes to production, document:

  • The agent’s permission architecture — what it can and cannot access
  • The audit trail design — how every action is logged, attributed, and reviewable
  • The rollback plan — if the agent produces a bad output or takes an unintended action, how do you detect it and reverse it?
  • The human escalation path — what triggers a human review, and who?

This doesn’t need to be the full SR 26-2 validation framework. It needs to be documented, reviewed by risk and compliance, and approved before deployment. That evidence trail matters at exam time.

3. Ongoing Behavioral Monitoring

Agentic systems built on LLMs can change behavior as underlying models are updated. A vendor that updates their model may change how your agent reasons through tasks without telling you. Your monitoring program needs to include:

  • Periodic behavioral benchmarking — does the agent still do what it was approved to do?
  • Output sampling and review — especially for agents that communicate externally or produce documents
  • Drift detection — statistical or qualitative signals that the agent’s behavior has shifted

See our post on SR 26-2 proportionality for community and regional banks for how to scale monitoring requirements to your institution’s size.

4. Third-Party AI Due Diligence

If you’re using an agent built by a vendor — and most institutions are — your TPRM program needs an AI-specific supplement that covers:

  • What model is the agent built on? What version? How do model updates get disclosed?
  • What data does the agent retain? How long? Where?
  • What permission architecture does the vendor’s platform enforce?
  • How does the vendor handle incidents involving their AI systems?
  • For NYDFS-supervised institutions: are they a covered developer under the RAISE Act?

Standard TPRM templates don’t ask these questions. Your vendor questionnaires need updating.

5. Incident Response for AI Agent Failures

An AI agent failure is different from a system outage. The failure mode might be subtle — an agent producing consistently biased outputs, an agent gradually expanding its own access permissions, an agent taking an action that was technically within its permission scope but clearly unintended.

Your incident response plan needs a playbook specifically for AI agent incidents:

  • Detection: how do you know the agent failed?
  • Isolation: can you suspend the agent without taking down the systems it connects to?
  • Rollback: can you reverse the actions it took?
  • Notification: do you need to notify NYDFS or other regulators? (Under Part 500, a cybersecurity event involving an AI system may trigger notification requirements)
  • Documentation: what evidence do you preserve for the regulatory file?

The Compliance Reality in Q3 2026

Let’s be direct about where this lands. There is no prescriptive regulatory framework for agentic AI governance at U.S.-regulated financial institutions as of today. SR 26-2 explicitly excluded it. The AI-specific RFI hasn’t landed. The RAISE Act doesn’t take effect until 2027.

But Freshfields analysis of AI in financial services captures the examiner posture correctly: regulatory expectations for AI governance are rising even ahead of formal guidance. Examiners are asking about AI in every examination regardless of whether specific AI guidance exists. “We don’t have formal AI governance because there’s no specific rule requiring it” is not a satisfying answer.

What examiners are looking for right now: evidence that you’ve thought about the risk, documented what you’re doing, and have controls around the areas of highest potential impact. A thoughtful internal framework — even an imperfect one — is dramatically better than a blank page.

So What?

Agentic AI is in your institution right now, or it will be within the next 12 months. The regulatory framework that should govern it deliberately punted. That means the governance gap is yours to fill before examiners start asking about it — and they will.

Three things to do in Q3 2026:

  1. Inventory your agentic AI systems — what agents are you running, what can they do, what data can they access?
  2. Review your NYDFS Part 500 risk assessment — does it explicitly address AI agents and their cybersecurity risk profile?
  3. Update your TPRM vendor questionnaires to add AI-specific fields, including RAISE Act coverage for your key AI model vendors

The AI Risk Assessment Template & Guide includes an AI use case inventory with auto-tiering, pre-deployment checklists, third-party AI vendor questionnaire, and worked examples across 8 AI use cases — built for the 2026 regulatory landscape including SR 26-2 and NYDFS expectations.


Sources:

◆ Need the working template?

Start with the source guide.

These answer-first guides summarize the required fields, evidence, and implementation steps behind the templates practitioners search for.

◆ Immaterial Findings · Weekly

Sharp risk & compliance insights. No fluff.

◆ FAQ

Frequently asked questions.

Did SR 26-2 create a compliance gap for agentic AI?
Yes — intentionally. SR 26-2 (issued April 17, 2026 by the Federal Reserve, OCC, and FDIC) explicitly excludes generative AI and agentic AI from its scope, citing these technologies as 'novel and rapidly evolving.' The agencies plan to issue a separate AI-specific RFI before issuing prescriptive guidance. In the meantime, the bank owns governance for agentic AI with no regulatory template to follow — which means internal governance frameworks carry more weight than usual.
What is agentic AI and why is it different from standard machine learning models?
Agentic AI refers to AI systems that can autonomously plan and execute multi-step tasks — browsing the web, calling APIs, writing and running code, and making sequential decisions — without human approval at each step. Unlike traditional ML models that make a single prediction, an agent can take a chain of actions to complete a goal. This creates fundamentally different risk profiles: an agent's output is a sequence of actions, not a number, which makes validation, auditability, and rollback considerably harder than for a traditional model.
Does NYDFS Part 500 cover agentic AI?
Yes, in meaningful ways. NYDFS Part 500's 2023 amendments require covered financial institutions to include AI systems within their cybersecurity programs — risk assessments, access controls, and audit trails for any AI system processing customer data. In May 2026, NYDFS issued additional guidance warning that frontier AI models amplify the speed and scale of vulnerability discovery, directing institutions to strengthen vulnerability management, third-party coordination, and monitoring practices specifically in the AI context.
What does New York's RAISE Act require of AI developers that financial institutions use?
The RAISE Act (signed March 27, 2026; effective January 1, 2027) applies to developers with $500M+ revenue that develop or operate frontier AI models — defined as systems trained using 10^26+ FLOPs with $100M+ compute costs. Requirements include safety and security protocols, 72-hour incident reporting to NYDFS, disclosure statements, and potentially annual independent audits. Penalties start at $1 million for initial violations, up to $3 million for subsequent violations. For financial institutions, this matters because your AI vendor relationships now carry RAISE Act compliance expectations.
What controls does the Financial Stability Board recommend for AI agents?
The FSB's framework for AI agents includes: assigning individual identifiers to each AI agent (so its actions can be traced); restricting agents' ability to interact with external systems without human approval; and placing explicit controls on the execution of financial transactions by agents. These aren't regulatory requirements yet, but they're the risk management baseline that supervisors globally are converging toward.
What should a financial institution's agentic AI governance framework include?
A functional framework needs at minimum: (1) an AI use case inventory that includes agentic systems with their risk tier and approval status; (2) pre-deployment review for each agent covering autonomy level, data access scope, human-in-the-loop checkpoints, and audit trail design; (3) access controls limiting what systems and data an agent can reach; (4) ongoing monitoring for behavioral drift — agentic systems can produce different outputs over time as underlying models change; (5) incident response procedures specific to autonomous agent failures; and (6) third-party AI vendor due diligence that goes beyond standard TPRM to include model provenance, training data, and agent permission architecture.
Rebecca Leung

Author

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

◆ Related framework

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

Immaterial Findings · Newsletter

The brief, in your inbox.

Enforcement of the week, a framework breakdown, and the prompts that are actually worth running. Delivered to your inbox. Free.