Our Take
Regulators are not stepping back from AI oversight; they are admitting the technology moves faster than fixed frameworks can follow, which means your governance must adapt in real time or you inherit higher risk, not lower.
Why it matters
Banks are deploying generative AI and agentic systems in production without traditional validation cycles, while adversaries do the same against you. The new SR 26-2 guidance signals regulators expect you to manage these tools under first-principles risk frameworks, not regulatory permission slips.
Do this week
Model risk leads: audit where generative AI outputs feed into decisions (especially CECL reserves, credit underwriting, fraud detection) and document the governance gaps between vendor contracts and actual deployment control before your next exam cycle.
The Fed rewrote the rulebook. It still doesn't mention generative AI.
On April 17, the Federal Reserve, OCC, and FDIC issued SR 26-2, replacing SR 11-7, the model risk management guidance that has governed quantitative models—credit underwriting, stress testing, capital calculations, fraud detection—for 15 years. The new guidance explicitly excludes generative and agentic AI models from its formal scope.
This omission has been widely read as regulatory retreat. It is not. The language in SR 26-2 is direct: "Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Nonetheless, a banking organization's risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document."
Translation: regulators are not exempting generative AI from governance. They are acknowledging that the technology changes too fast for any fixed framework to stay relevant. The principles of SR 11-7—know your model, validate before deployment, track outputs downstream—still apply. The footnote is not a reprieve. It is a challenge to adapt faster than the rules can be written.
Traditional validation was designed for static models. Today's AI is not static.
SR 11-7 governed a simpler problem. A credit model takes defined inputs, applies documented logic, produces a quantitative output. You can validate it fully before it goes live because its behavior is knowable in advance.
Generative AI and agentic systems are a different breed. Their pattern recognition adapts as threats evolve. Vendors update frontier models continuously. These tools can be applied to problems their developers never anticipated. You cannot fully validate a model whose behavior changes after deployment, whose inputs shift with operational context, and whose applications are determined by the ingenuity of the people using it.
This creates a governance paradox. Many banks have moved quickly to establish enterprise relationships with model providers and signed contracts that provide architectural protections. But a contract protects your data; it does not govern how the technology gets used or where its outputs travel before reaching a customer or informing a decision.
Financial institutions are among the most heavily targeted by bad actors, and the pace of AI adoption in adversarial contexts has already outrun traditional governance frameworks. A financial institution that cannot deploy defensive AI tools because its validation framework was designed for CECL models is not operating in a lower-risk environment. It is operating in a higher-risk environment with fewer tools.
Build your program around the risk, not the footnote.
Three things are happening in your institution right now. Someone is using a personal AI tool on their work laptop without IT or compliance approval. Someone else deployed the board-approved enterprise tool and assumed the hard governance work was done. A third person is doing the hard work: questioning outputs, noting deficiencies, understanding how each output shapes decisions before it reaches a customer.
The distance between the first two and the third is the governance gap every bank faces. Close it by adopting first-principles risk management. Know what you are holding. Know where the output goes. Know who is accountable. Audit the data chain that runs from generative AI tools through your credit models and into your CECL reserves. Extend that audit to fraud detection, cybersecurity, and any system whose outputs shape customer decisions or institutional risk.
Your auditors are already following these threads. Your examiners will be too. More specific guidance on generative AI is coming, but waiting for it is a choice to operate under older rules while the threat landscape accelerates. The firms that adapt fastest will have defensible governance and fewer surprises in the exam room. The ones that wait for perfect rules will not.