By The Risk Dispatch Team
SR 11-7 shaped how U.S. banks governed model risk for fifteen years. In April 2026, it was officially replaced. Understanding what SR 11-7 required, what the new SR 26-2 guidance changed, and — critically — where the AI governance gap now sits is essential for every bank technology and risk leader operating in the current environment.
This guide covers the full landscape: the original SR 11-7 framework, the April 2026 revisions, what the new guidance demands in practice, and the unresolved question that will define model risk management for the next 18 months.
What SR 11-7 Was
Issued by the Federal Reserve on April 4, 2011, SR 11-7 — formally titled Guidance on Model Risk Management — established the supervisory standard for how banks should develop, validate, and govern the quantitative models used across their operations. The OCC issued a companion bulletin (OCC 2011-12) shortly after, making it effectively an interagency standard across all major U.S. bank regulators.
SR 11-7 defined a "model" broadly: any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to transform inputs into quantitative estimates. This definition was intentionally wide, covering credit scoring, stress testing, pricing models, fraud detection, liquidity models, and regulatory capital calculations — anything that produced a number that influenced a business decision.
The guidance established five foundational pillars that remain the basis of model risk management today.
The Five Pillars of SR 11-7
1. Model Inventory
Banks must maintain a comprehensive inventory of all models in use, including models developed internally, acquired from vendors, or received from third parties. The inventory must capture, at minimum: model purpose, owner, users, inputs, outputs, validation status, and risk tier. Regulators treat an incomplete or inaccurate model inventory as a significant deficiency — it is the foundation on which every other control depends. An institution that cannot enumerate its models cannot manage their risk.
2. Model Tiering and Risk Classification
Not all models carry equal risk. SR 11-7 expected institutions to assign models to risk tiers based on materiality (the impact of model error on financial results or regulatory requirements) and complexity. Tier-1 material models — those used for capital calculation, large-scale pricing, or regulatory reporting — attract full lifecycle oversight: rigorous initial validation, periodic full revalidation, and continuous monitoring. Lower-tier models operate under proportionate, lighter controls.
The new SR 26-2 guidance formalizes and strengthens this tiering expectation, making explicit that governance intensity should scale with risk rather than applying uniform requirements to every model regardless of importance.
3. Independent Model Validation
Independent validation is the cornerstone of SR 11-7. Validators must have no reporting relationship to model developers and must possess the authority, expertise, and resources to provide genuine effective challenge — not rubber-stamping. The three components of validation are: conceptual soundness (is the model's theory appropriate for its purpose?), ongoing monitoring (does it perform as expected in production?), and outcomes analysis (do its outputs prove accurate over time?).
Organizational separation is non-negotiable. Examiners specifically look for reporting line independence and the technical competency of the validation function. A validation team that lacks the quantitative depth to challenge a complex model is not providing effective challenge, regardless of where it sits on the organizational chart.
4. Model Documentation
SR 11-7 requires documentation sufficient to allow an informed third party to understand the model's purpose, methodology, assumptions, limitations, and validation history without relying on the model developers. Documentation must cover: the conceptual framework, data inputs and sources, processing and estimation procedures, validation findings and remediation, and model use limitations.
Documentation quality is consistently one of the top examination findings. The standard is not that documentation exists — it is that the documentation would allow effective challenge by an independent reviewer who was not involved in development.
5. Ongoing Monitoring and Governance
Beyond initial validation, SR 11-7 requires continuous monitoring of model performance: are inputs behaving as expected? Are outputs accurate when compared to realized outcomes? Are assumptions holding? Material deterioration in any of these should trigger model review or redevelopment before the model continues to influence decisions.
Board and senior management oversight is also required: boards must understand the institution's model risk profile, approve material model risk policies, and receive regular reporting on the state of the model inventory and validation program.
What SR 26-2 Changed in April 2026
On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued SR 26-2, formally rescinding SR 11-7 and replacing it with revised interagency guidance. The OCC companion bulletin simultaneously rescinded OCC Bulletin 2011-12.
The core changes:
Risk-based proportionality. SR 26-2 makes proportionality explicit in a way SR 11-7 did not. The revised guidance states directly that model risk practices should be "risk-based, tailored, and commensurate with a banking organization's size, complexity, and extent of model use." The guidance is "expected to be most relevant to banking organizations with over $30 billion in total assets," though smaller institutions with significant model risk exposure remain subject to examination for adherence.
Principles over prescription. SR 26-2 shifts from prescriptive requirements toward principles-based guidance. The five pillars remain — inventory, tiering, validation, documentation, monitoring — but the specific mechanics are left to the institution to determine, consistent with its risk profile.
Vendor model accountability. The revised guidance strengthens expectations around third-party and vendor model governance. Institutions cannot simply accept vendor model documentation at face value — they must conduct their own validation or obtain sufficient evidence that validation has been performed to standards equivalent to their internal requirements.
What did not change. The foundational requirements are unchanged: independent validation, board oversight, comprehensive inventory, tiered risk management, documentation standards. Banks that built strong SR 11-7 programs do not need to rebuild from scratch — they need to recalibrate to a more risk-proportionate approach.
The AI and Agentic AI Gap
The most consequential aspect of SR 26-2 is what it explicitly excludes.
The guidance states: "Generative AI and agentic AI models are novel and rapidly evolving, and as such, they are not within the scope of this guidance."
This is not an oversight. It is a deliberate acknowledgment that traditional model risk management frameworks were designed for statistical and econometric models — not for large language models, generative AI systems, or autonomous agents that take actions in the world. The agencies simultaneously signaled that a separate request for information (RFI) on AI-specific model risk management is forthcoming.
The practical implication is a governance gap that sits at the center of most banks' current technology strategies. As we covered in detail in our article on Agentic AI and the SR 11-7 gap, institutions that are deploying generative AI or agentic systems — for customer service, operations, credit analysis, compliance monitoring — are operating those systems without a regulatory framework to govern them.
SR 26-2 does not leave this entirely unaddressed. The guidance states that a banking organization's "existing risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document." In practice, this means applying SR 11-7-style thinking — inventory, independent review, documentation, ongoing monitoring — to AI systems, even though the specific mechanics are different and the regulatory expectations are not yet codified.
For institutions building AI governance frameworks ahead of the RFI, the FS AI RMF's 230 control objectives provide the best available blueprint for what regulators will eventually require. The data governance requirements that underpin AI model quality are covered in our bank data governance guide.
What Banks Should Prioritize Right Now
Audit your model inventory for completeness — including AI systems. The model inventory requirement applies regardless of whether SR 26-2 explicitly covers AI. If your institution is using a generative AI model to assist with loan decisioning, compliance review, or customer communication, it belongs in your inventory. FFIEC examiners are already asking for AI model inventories, and institutions that cannot produce them are receiving findings.
Recalibrate validation cycles to the new tiering framework. SR 26-2's explicit proportionality principle gives institutions formal cover to concentrate validation resources on Tier-1 material models and apply lighter controls to lower-risk models. If your validation backlog is driven by applying uniform standards to all models, now is the time to restructure.
Strengthen vendor model documentation. The revised guidance's emphasis on third-party accountability creates examination risk for institutions that rely on vendor certifications without independent assessment. Review your vendor model inventory and identify where your own validation evidence is thin.
Build AI governance into your SR 26-2 transition. The agencies have signaled the AI RFI is coming. Institutions that build AI governance frameworks now — before the RFI is published — will be better positioned to demonstrate proactive compliance. The 12-to-18-month window before formal AI model risk management guidance is issued is the time to build, not to wait.
Key Takeaways
- SR 11-7 was replaced by SR 26-2 on April 17, 2026. The foundational pillars — model inventory, tiering, independent validation, documentation, and monitoring — remain intact under a more principles-based, risk-proportionate framework.
- The $30B threshold makes SR 26-2 most relevant to larger institutions, but smaller banks with significant model risk exposure remain subject to examination expectations.
- Generative and agentic AI are explicitly excluded from SR 26-2 scope. A separate regulatory RFI is forthcoming. This creates a 12–18 month governance window that banks should use proactively.
- Independent validation remains non-negotiable. Organizational separation, technical competency, and genuine effective challenge are examination standards that have not changed.
- FFIEC examiners are already asking for AI model inventories and governance documentation. Banks without these are receiving findings under existing examination authority even before AI-specific guidance is finalized.