You do not need a big-bank model-risk factory. Model Risk Management (Lite) is a proportionate, SR 26-2-aligned readiness and advisory engagement for mid-market banks and larger credit unions: we help you build a model inventory, tier what actually counts as a model, stand up validation-readiness and effective-challenge practices, and draw a clean line between the systems SR 26-2 governs and the generative and agentic AI it deliberately leaves out. The output is a controlled, auditable model risk program you can defend to an examiner — sized to your exposure, not someone else's balance sheet.
Part of the AI Security & Cyber Risk practice · fees fixed in writing after scoping — see engagement models.
This is model risk management advisory and validation-readiness work — not a model validation, an attestation, or a certification. DSE helps you design the program and prepare your models to withstand independent validation and effective challenge; we do not validate, certify, or attest to your models, and no engagement guarantees a supervisory or examination outcome. SR 26-2 is non-binding, principles-based supervisory guidance, and the model risk judgments stay with your institution. We work alongside your model owners, your independent validation function, and your counsel.
SR 26-2 is risk- and materiality-based, so a mid-market program should be too. We stand up the four moving parts that make a model risk program defensible, sized to the models you actually run.
We build (or tighten) a single model inventory with an owner, a purpose, and a data lineage for each entry — the foundation SR 26-2 still expects. The hard part is drawing the line: what is a true model versus a tool or end-user computing (EUC) spreadsheet, and what is a generative or agentic system that sits outside model-risk scope entirely.
We tier each model by materiality and exposure so the depth of governance tracks the risk — a proportionate posture, not uniform machinery sized for an institution many times larger. High-materiality credit, pricing, fraud, and BSA/AML models earn rigorous treatment; low-blast-radius models earn a lighter touch that is still inventoried and owned.
We prepare your models to withstand independent validation on a risk-based cadence: conceptual soundness, assumptions, data quality, limitations, and outcomes analysis, documented so a validator — internal or external — can do the work efficiently. We ready the evidence; the independent validation itself is performed by an appropriately independent party.
We help you design the effective-challenge function — critical review by parties independent of model development — and the ongoing monitoring, thresholds, and change controls that keep a model in bounds after deployment. The goal is an operating rhythm your team owns, so models stay controlled and auditable before anyone asks.
The single most consequential change from SR 11-7 to SR 26-2 is a scope boundary. Getting it right is the difference between a defensible program and a governance blind spot.
If your model risk program was built on SR 11-7, almost all of that doctrine survives. What changes is the boundary around it, the proportionality of how it applies, and where model risk management meets generative AI in banking.
We frame every finding against the guidance that actually governs you today, cited precisely:
For the full read, see our guide on SR 26-2 vs SR 11-7. We map to this guidance as reference; the engagement is readiness and advisory and does not certify compliance with it.
The engagement ends in artifacts your model risk officer, your CRO, and your examiners can use — structured, prioritized, and owned. Not a binder.
A defensible, right-sized model risk management posture your program can operate the day the engagement closes:
If you own model risk at a bank under the $30 billion mark, or at a larger credit union with no NCUA equivalent to SR 26-2, this engagement is scoped for you.
You own the model inventory and the validation calendar and answer for both. You need a proportionate program that maps to SR 26-2's risk-based posture without standing up machinery built for a bank many times your size.
You run — or are standing up — the independent validation and effective-challenge function. You need the inventory tiered, the readiness gaps surfaced, and the evidence organized so validation is efficient and defensible.
At a sub-$30 billion bank or a larger credit union, model risk often rolls up to you. You need proportionate model risk management you can defend to a board and an examiner — and a clear account of where generative and agentic AI is governed.
Before you scope an engagement, tier a model. Our free, 100% browser-local Model Risk Tiering Calculator gives a materiality-based read on whether an AI system is a model in scope of SR 26-2 at all — and if so, a structured tier with the validation and monitoring that follow. Nothing you enter leaves your browser. Bring the output to a scoping call and we pick up from there.
What does it cost? The fee is fixed in writing after we scope the engagement together — it scales with the number of models and basic AI applications in scope and the state of your existing inventory, not your headcount. See the non-binding market-estimate ranges for this and every DSE engagement on the pricing page.
What model risk and validation leaders ask before they scope a proportionate SR 26-2 engagement.
SR 26-2, "Revised Guidance on Model Risk Management," was issued by the Federal Reserve on April 17, 2026 and supersedes SR 11-7 (and the SR 21-8 BSA/AML model-risk statement), with a parallel OCC Bulletin 2026-13 and an FDIC statement. It keeps the three-pillar spine SR 11-7 established — development and use, independent validation and monitoring, and governance — but adds a clearer scope boundary ("traditional models and basic AI applications"), a risk-based and proportional posture most relevant to banking organizations over $30 billion in assets, expanded treatment of vendor and third-party model risk, and an explicitly non-binding, principles-based framing. It is an evolution of SR 11-7, not a repudiation. Our SR 26-2 vs SR 11-7 guide walks through it in full.
No. SR 26-2 explicitly excludes generative AI and agentic AI from its model-risk scope, characterizing them as novel and rapidly evolving and leaving them to other risk-management practices. A bank cannot rely on SR 26-2 as its governance authority for an LLM copilot or an agent. We do not claim the guidance validates those systems; we apply its principles by analogy and organize their governance under the NIST AI RMF — inventory, risk tiering, testing, and monitoring — so the generative and agentic AI the model-risk guidance sets aside still has a defensible home. Existing consumer-protection, fair-lending, and third-party-risk expectations still apply to those systems regardless.
There is no NCUA model-risk rule equivalent to SR 26-2, so a credit union is not formally in its scope. But larger credit unions running credit, pricing, fraud, and BSA/AML models carry real model risk, and boards and examiners increasingly expect sound practices. We help you adopt proportionate, SR 26-2-informed model risk management sized to your exposure — a model inventory, materiality-based tiering, validation readiness, and effective challenge — without importing a large-bank program you do not need. The same proportionality applies to community and mid-market banks below the $30 billion mark.
No. This is model risk management advisory and validation-readiness work, deliberately named so. DSE helps you build the inventory, tier the models, design the effective-challenge and monitoring practices, and prepare your models to withstand independent validation. We do not validate, certify, or attest to your models, and we do not guarantee any supervisory or examination outcome. Independent validation itself is performed by an appropriately independent party — internal or external — and the model risk judgments stay with your institution. We work alongside your model owners and your counsel.
If your program was built on SR 11-7, you are well-positioned — almost everything it does still applies to the traditional models and basic AI applications that remain in scope. The work is reconciliation, not reconstruction: re-read the scope boundary against your own portfolio, confirm your validation cadence is risk-based rather than uniform, tighten the vendor and third-party model coverage SR 26-2 expands, and stand up governance for the generative and agentic systems the guidance now carves out. A focused readiness pass surfaces exactly where those gaps sit.
The fee is fixed in writing after a short scoping call and scales with the number of models and basic AI applications in scope and the maturity of your existing inventory, not your company size. We publish non-binding market-estimate ranges for every engagement, including this one, on the engagement models page.
Last reviewed: 2026-07-03 · Initial release. Model Risk Management (Lite) is a service line of the AI Security & Cyber Risk practice. All work is readiness and advisory — not a model validation, attestation, or certification. SR 26-2 (issued April 17, 2026; supersedes SR 11-7 and SR 21-8) is non-binding, principles-based supervisory guidance and explicitly excludes generative and agentic AI from its model-risk scope; regulatory framings are verified against primary sources and re-checked quarterly.