
AI Governance for Banks in 2026: Navigating the SR 26-2 Regulatory Gap

SR 26-2 supersedes SR 11-7 but carves out generative and agentic AI. Here is how U.S. bank compliance and technology leaders build governance that covers the full AI stack.

In April 2026, federal banking regulators issued their first major overhaul of model risk management rules since 2011 — and in the same breath, carved out the AI systems banks are most actively deploying. SR 26-2 explicitly excludes generative and agentic AI from its scope. That gap is not a green light; it is a governance problem every bank technology and compliance leader needs to solve now.

This article maps what SR 26-2 covers, where it stops, and how to build an AI governance structure that satisfies examiners across the full stack — traditional models, large language models, and autonomous agents alike.

What SR 26-2 Actually Says (and Doesn't)

On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued revised supervisory guidance on model risk management, formally superseding SR 11-7 (2011) and OCC Bulletin 2011-12. The new guidance — designated SR 26-2 — modernizes validation standards, strengthens documentation requirements, and clarifies board-level accountability for model risk. It applies to banking organizations above $30 billion in total assets, though smaller institutions should treat it as the emerging standard for examiner expectations across the industry.

The critical carve-out: generative AI and agentic AI are explicitly excluded from SR 26-2's scope because regulators deemed these technologies "novel and rapidly evolving." The guidance directs banks to apply their broader risk management and governance practices to these systems while the agencies develop additional, targeted guidance — for which an RFI is expected "in the near future."

What this means operationally: a credit-scoring model built on gradient boosting is covered by SR 26-2 and subject to formal model validation. A GPT-based loan officer assistant or an autonomous compliance workflow agent is not — but is also not exempt from regulatory scrutiny. It sits in a gray zone that examiners can and will probe under general safety-and-soundness authority.

The Three-Layer AI Governance Architecture

Because a single regulatory framework no longer covers the full AI stack, banks need a layered governance architecture that maps each AI system type to the appropriate control regime. The following structure aligns with what examiners are currently looking for:

Layer 1: Traditional and Non-Generative AI Models (SR 26-2 Scope)

These systems — statistical models, classical ML classifiers, regression-based credit risk models — fall squarely under SR 26-2. Your Model Risk Management (MRM) function must maintain a formal model inventory, conduct independent validation before deployment, and document assumptions, limitations, and performance monitoring thresholds. The three-lines-of-defense structure must be explicitly articulated: first-line business owners own day-to-day monitoring; second-line risk and compliance performs independent challenge and periodic revalidation; internal audit provides assurance. Examiners will assess the independence and quality of challenge, not just whether the paperwork exists.

Layer 2: Generative and Agentic AI (Governance Gray Zone)

Large language models, retrieval-augmented generation systems, and autonomous agents require a governance framework that SR 26-2 doesn't prescribe but regulators will still evaluate. The practical approach is to apply SR 26-2's conceptual rigor — inventory, risk tiering, independent review, performance monitoring — while adapting the methodology for AI-specific risks: hallucination, prompt injection, emergent behavior, and decision opacity.

Concretely, each generative or agentic AI system should have a designated owner, a use-case risk assessment, defined acceptable-use boundaries, output monitoring with human-in-the-loop escalation paths, and a documented decommissioning process. This is not optional risk hygiene — it is the evidentiary foundation your team will need when examiners ask how you govern AI systems outside the SR 26-2 perimeter. For a deeper look at agentic AI-specific controls, see Agentic AI in Banking: Applying the SR 11-7 Framework.

Layer 3: NYDFS Part 500 Overlay (New York-Licensed Institutions)

For banks and financial services firms licensed in New York, NYDFS Part 500's final cybersecurity requirements — effective November 1, 2025, with first compliance certifications due April 15, 2026 — add a mandatory AI-specific obligation. The October 2024 NYDFS industry letter confirmed that covered entities must incorporate AI risks into every component of their cybersecurity program: risk assessment, access controls, audit trails, third-party vendor management, and incident response.

Practically, this means AI systems that access nonpublic personal information (NPI) must be included in your asset inventory, subjected to vendor risk assessments if hosted by third parties, and covered by your incident response plan. The expanded MFA requirements that took effect November 2025 apply to all individuals accessing systems — including AI-integrated workflows where human users authenticate into pipelines that trigger model inference.

Five Governance Actions Examiners Will Look For

Regardless of your asset size or primary regulator, the following five controls represent the minimum viable AI governance posture for 2026:

1. A unified AI inventory that spans all system types. SR 26-2 requires a model inventory for covered models. Best practice — and emerging examiner expectation — is to extend that inventory to generative and agentic AI systems using a consistent taxonomy. Each entry should capture system purpose, data inputs, output type, decision impact (advisory vs. automated), owner, and last review date.

2. Risk-tiered validation standards. Not every AI system warrants a full SR 26-2-style validation. Apply a risk-tiering methodology: systems with direct customer impact, regulatory reporting implications, or credit/AML decisions get the highest scrutiny. Internal productivity tools get lighter-touch review. Document the tiering criteria so examiners can follow your logic.

3. Independent second-line challenge for high-risk AI. The MRM or AI Risk function must be able to demonstrate it has independently reviewed and challenged high-risk AI deployments — not just signed off on first-line documentation. This means actual technical review capability (in-house or contracted), not just policy ownership.

4. Ongoing performance monitoring with defined thresholds. SR 26-2 strengthens ongoing monitoring expectations. Apply the same principle to generative AI: define what "working as intended" means for each system, instrument it, and establish escalation thresholds. For LLMs, this includes hallucination rate monitoring, output sampling, and user feedback loops.

5. Board and senior management reporting. AI governance must be visible at the board level — not just as a technology update but as a risk exposure. A quarterly AI risk report to the board or risk committee, covering inventory changes, validation findings, emerging regulatory developments (including the anticipated SR 26-2 AI supplement), and any incidents, demonstrates the governance maturity examiners now expect.
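As an added illustration, not code from the article or from any regulator, the per-system records described under Layer 2 and the five controls above can be expressed as one inventory data model that drives tiering, review cadence, threshold-based escalation and the board rollup. The field names, tier numbers, review cadences and threshold semantics are assumptions chosen for the example.

```python
"""Unified AI inventory with risk tiering, review cadence and monitoring
escalation. Added illustration, not the article's code; field names, tier
labels, cadences and threshold semantics are assumptions."""
from dataclasses import dataclass, field
from datetime import date

@dataclass
class AISystem:
    name: str
    system_type: str            # "traditional", "generative" or "agentic"
    purpose: str
    data_inputs: list
    output_type: str
    decision_impact: str        # "advisory" or "automated"
    owner: str
    last_review: date
    customer_impact: bool = False
    regulatory_reporting: bool = False
    credit_or_aml: bool = False
    accesses_npi: bool = False  # triggers the NYDFS Part 500 overlay
    thresholds: dict = field(default_factory=dict)  # metric -> max tolerated

def governance_regime(s: AISystem) -> str:
    """Traditional models fall under SR 26-2 MRM; generative/agentic do not."""
    return "SR 26-2 MRM" if s.system_type == "traditional" else "gray-zone AI governance"

def risk_tier(s: AISystem) -> int:
    """1 = customer impact, regulatory reporting or credit/AML; 2 = other
    automated decisions; 3 = advisory or internal productivity tools."""
    if s.customer_impact or s.regulatory_reporting or s.credit_or_aml:
        return 1
    return 2 if s.decision_impact == "automated" else 3

REVIEW_DAYS = {1: 90, 2: 180, 3: 365}  # assumed revalidation cadence per tier

def review_overdue(s: AISystem, today: date) -> bool:
    return (today - s.last_review).days > REVIEW_DAYS[risk_tier(s)]

def escalations(s: AISystem, metrics: dict) -> list:
    """Metrics that breach the system's own thresholds; each goes to a human."""
    return sorted(m for m, lim in s.thresholds.items() if metrics.get(m, 0) > lim)

def board_summary(inventory: list, today: date) -> dict:
    """Quarterly rollup: systems per tier, overdue reviews, NPI-exposed systems."""
    return {
        "by_tier": {t: sum(risk_tier(s) == t for s in inventory) for t in (1, 2, 3)},
        "overdue": sorted(s.name for s in inventory if review_overdue(s, today)),
        "npi_exposed": sorted(s.name for s in inventory if s.accesses_npi),
    }
```

A generative assistant with direct customer impact lands in the same top tier as a credit model even though it sits outside SR 26-2, which is the point of a single inventory.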

The Regulatory Road Ahead

SR 26-2 is a starting point, not a finish line. The agencies have signaled that an RFI specifically addressing AI — including generative and agentic AI — is forthcoming. When that guidance lands, banks that have already built governance infrastructure around their full AI inventory will be in a materially stronger position than those that deferred until the rules were finalized.

The OCC's revised model risk bulletin (OCC Bulletin 2026-13) is the authoritative source for current SR 26-2 requirements. Monitoring the Federal Reserve's SR letter page for the forthcoming AI-specific RFI should be a standing item on your regulatory calendar.

Grant Thornton's analysis notes that Treasury guidance in early 2026 has brought renewed urgency to AI governance across financial services — particularly around third-party AI risk and model transparency. Banks that have historically treated AI governance as a model risk sub-function are now being asked by examiners to demonstrate enterprise-level AI risk management that cuts across technology, compliance, legal, and the business lines.

For institutions building their AI governance program from scratch or stress-testing an existing one, the 90-day implementation roadmap in FS AI RMF for Bank Technology Leaders: A 90-Day Plan provides a practical sequencing of foundational controls.

Key Takeaways