Model risk management, right-sized · a service line of the AI Security & Cyber Risk practice · readiness & advisory · senior-only bench

Model risk management, right-sized for the institution you actually are.

You do not need a big-bank model-risk factory. Model Risk Management (Lite) is a proportionate, SR 26-2-aligned readiness and advisory engagement for mid-market banks and larger credit unions: we help you build a model inventory, tier what actually counts as a model, stand up validation-readiness and effective-challenge practices, and draw a clean line between the systems SR 26-2 governs and the generative and agentic AI it deliberately leaves out. The output is a controlled, auditable model risk program you can defend to an examiner — sized to your exposure, not someone else's balance sheet.

Part of the AI Security & Cyber Risk practice · fees fixed in writing after scoping — see engagement models.

§ What this is

This is model risk management advisory and validation-readiness work — not a model validation, an attestation, or a certification. DSE helps you design the program and prepare your models to withstand independent validation and effective challenge; we do not validate, certify, or attest to your models, and no engagement guarantees a supervisory or examination outcome. SR 26-2 is non-binding, principles-based supervisory guidance, and the model risk judgments stay with your institution. We work alongside your model owners, your independent validation function, and your counsel.

§A
The engagement.
Inventory · tiering · readiness.

A proportionate SR 26-2 model risk management program.

SR 26-2 is risk- and materiality-based, so a mid-market program should be too. We stand up the four moving parts that make a model risk program defensible, sized to the models you actually run.

1 · Inventory

A model inventory that names what counts

We build (or tighten) a single model inventory with an owner, a purpose, and a data lineage for each entry — the foundation SR 26-2 still expects. The hard part is drawing the line: what is a true model versus a tool or end-user computing (EUC) spreadsheet, and what is a generative or agentic system that sits outside model-risk scope entirely.

2 · Risk tiering

Materiality-based risk tiering

We tier each model by materiality and exposure so the depth of governance tracks the risk — a proportionate posture, not uniform machinery sized for an institution many times larger. High-materiality credit, pricing, fraud, and BSA/AML models earn rigorous treatment; low-blast-radius models earn a lighter touch that is still inventoried and owned.

3 · Validation readiness

Validation-readiness, not validation

We prepare your models to withstand independent validation on a risk-based cadence: conceptual soundness, assumptions, data quality, limitations, and outcomes analysis, documented so a validator — internal or external — can do the work efficiently. We ready the evidence; the independent validation itself is performed by an appropriately independent party.

4 · Effective challenge

Effective-challenge and monitoring design

We help you design the effective-challenge function — critical review by parties independent of model development — and the ongoing monitoring, thresholds, and change controls that keep a model in bounds after deployment. The goal is an operating rhythm your team owns, so models stay controlled and auditable before anyone asks.

§B
The boundary.
What SR 26-2 governs — and doesn't.

The line SR 26-2 draws — and the gap it leaves.

The single most consequential change from SR 11-7 to SR 26-2 is a scope boundary. Getting it right is the difference between a defensible program and a governance blind spot.

Inside SR 26-2 model-risk scope

Traditional models & basic AI applications

  • Statistical and machine-learning models that estimate, score, or predict — credit and underwriting scorecards, pricing and capital models, fraud and BSA/AML monitoring models.
  • The "traditional models and basic AI applications" SR 26-2 keeps in scope, governed by the familiar pillars: sound development, independent validation, ongoing monitoring, and documented governance.
  • Vendor and third-party models you rely on but did not build — SR 26-2 gives more room to their due diligence, contracting, and ongoing monitoring than SR 11-7 did.

Outside SR 26-2 model-risk scope

Generative & agentic AI

  • SR 26-2 explicitly excludes generative AI and agentic AI from its model-risk scope, characterizing them as novel and rapidly evolving and leaving them to other risk-management practices.
  • LLM copilots and assistants, agents that take multi-step actions, and foundation models used for drafting or summarization are not governed by the model-risk guidance — a bank cannot rely on SR 26-2 as its authority for them.
  • That carve-out is a gap your institution owns: these systems still need an owner, a risk classification, testing, and monitoring — just under a different framework. We govern them as AI-governance items, applying SR 26-2 principles by analogy plus the NIST AI RMF.

§C
The lens.
Current guidance, precisely cited.

SR 26-2 is the current guidance — SR 11-7 is not.

If your model risk program was built on SR 11-7, almost all of that doctrine survives. What changes is the boundary around it, the proportionality of how it applies, and where model risk management meets generative AI in banking.

§ SR 11-7 vs SR 26-2 · what we anchor the program to

We frame every finding against the guidance that actually governs you today, cited precisely:

For the full read, see our guide on SR 26-2 vs SR 11-7. We map to this guidance as reference; the engagement is readiness and advisory and does not certify compliance with it.

§D
The deliverable.
A readiness read and a roadmap.

A readiness assessment your risk committee can act on.

The engagement ends in artifacts your model risk officer, your CRO, and your examiners can use — structured, prioritized, and owned. Not a binder.

§ You receive

A defensible, right-sized model risk management posture your program can operate the day the engagement closes:

  • A model inventory and risk-tiering register — every model and basic AI application classified by materiality, with an owner, a purpose, and the governance depth its tier calls for, and the tools, EUCs, and generative/agentic systems flagged and routed out of model-risk scope.
  • A validation-readiness assessment — gaps in conceptual soundness, documentation, data quality, and outcomes analysis ranked by severity, so your models are ready for independent validation on a risk-based cadence.
  • An effective-challenge and monitoring blueprint — how challenge, thresholds, change control, and monitoring should run at your size, plus a starting operating rhythm rather than a one-time snapshot.
  • A prioritized remediation roadmap and a one-page brief for the board and the examiner: what you govern as models, where the generative and agentic AI lives, and what you are doing about the gaps.

§E
Who it's for.
The desk that answers for the models.

Built for the institution SR 26-2 didn't size itself for.

If you own model risk at a bank under the $30 billion mark, or at a larger credit union with no NCUA equivalent to SR 26-2, this engagement is scoped for you.

Model risk

Model Risk Officer

You own the model inventory and the validation calendar and answer for both. You need a proportionate program that maps to SR 26-2's risk-based posture without standing up machinery built for a bank many times your size.

Validation

Model Validation lead

You run — or are standing up — the independent validation and effective-challenge function. You need the inventory tiered, the readiness gaps surfaced, and the evidence organized so validation is efficient and defensible.

Executive risk

Chief Risk Officer

At a sub-$30 billion bank or a larger credit union, model risk often rolls up to you. You need proportionate model risk management you can defend to a board and an examiner — and a clear account of where generative and agentic AI is governed.

Start free · client-side

Start with our free Model Risk Tiering Calculator.

Before you scope an engagement, tier a model. Our free, 100% browser-local Model Risk Tiering Calculator gives a materiality-based read on whether an AI system is a model in scope of SR 26-2 at all — and if so, a structured tier with the validation and monitoring that follow. Nothing you enter leaves your browser. Bring the output to a scoping call and we pick up from there.

What does it cost? The fee is fixed in writing after we scope the engagement together — it scales with the number of models and basic AI applications in scope and the state of your existing inventory, not your headcount. See the non-binding market-estimate ranges for this and every DSE engagement on the pricing page.


§F
Questions.
Straight answers.

Common questions.

What model risk and validation leaders ask before they scope a proportionate SR 26-2 engagement.

SR 11-7 vs SR 26-2 — what changed?

SR 26-2, "Revised Guidance on Model Risk Management," was issued by the Federal Reserve on April 17, 2026 and supersedes SR 11-7 (and the SR 21-8 BSA/AML model-risk statement), with a parallel OCC Bulletin 2026-13 and an FDIC statement. It keeps the three-pillar spine SR 11-7 established — development and use, independent validation and monitoring, and governance — but adds a clearer scope boundary ("traditional models and basic AI applications"), a risk-based and proportional posture most relevant to banking organizations over $30 billion in assets, expanded treatment of vendor and third-party model risk, and an explicitly non-binding, principles-based framing. It is an evolution of SR 11-7, not a repudiation. Our SR 26-2 vs SR 11-7 guide walks through it in full.

Does SR 26-2 cover model risk management for generative AI in banking?

No. SR 26-2 explicitly excludes generative AI and agentic AI from its model-risk scope, characterizing them as novel and rapidly evolving and leaving them to other risk-management practices. A bank cannot rely on SR 26-2 as its governance authority for an LLM copilot or an agent. We do not claim the guidance validates those systems; we apply its principles by analogy and organize their governance under the NIST AI RMF — inventory, risk tiering, testing, and monitoring — so the generative and agentic AI the model-risk guidance sets aside still has a defensible home. Existing consumer-protection, fair-lending, and third-party-risk expectations still apply to those systems regardless.

What does proportionate model risk management for credit unions look like?

There is no NCUA model-risk rule equivalent to SR 26-2, so a credit union is not formally in its scope. But larger credit unions running credit, pricing, fraud, and BSA/AML models carry real model risk, and boards and examiners increasingly expect sound practices. We help you adopt proportionate, SR 26-2-informed model risk management sized to your exposure — a model inventory, materiality-based tiering, validation readiness, and effective challenge — without importing a large-bank program you do not need. The same proportionality applies to community and mid-market banks below the $30 billion mark.

Do you validate or certify our models?

No. This is model risk management advisory and validation-readiness work, deliberately named so. DSE helps you build the inventory, tier the models, design the effective-challenge and monitoring practices, and prepare your models to withstand independent validation. We do not validate, certify, or attest to your models, and we do not guarantee any supervisory or examination outcome. Independent validation itself is performed by an appropriately independent party — internal or external — and the model risk judgments stay with your institution. We work alongside your model owners and your counsel.

We already ran a credible SR 11-7 program. Do we need this?

If your program was built on SR 11-7, you are well-positioned — almost everything it does still applies to the traditional models and basic AI applications that remain in scope. The work is reconciliation, not reconstruction: re-read the scope boundary against your own portfolio, confirm your validation cadence is risk-based rather than uniform, tighten the vendor and third-party model coverage SR 26-2 expands, and stand up governance for the generative and agentic systems the guidance now carves out. A focused readiness pass surfaces exactly where those gaps sit.

How much does the engagement cost?

The fee is fixed in writing after a short scoping call and scales with the number of models and basic AI applications in scope and the maturity of your existing inventory, not your company size. We publish non-binding market-estimate ranges for every engagement, including this one, on the engagement models page.

Last reviewed: 2026-07-03 · Initial release. Model Risk Management (Lite) is a service line of the AI Security & Cyber Risk practice. All work is readiness and advisory — not a model validation, attestation, or certification. SR 26-2 (issued April 17, 2026; supersedes SR 11-7 and SR 21-8) is non-binding, principles-based supervisory guidance and explicitly excludes generative and agentic AI from its model-risk scope; regulatory framings are verified against primary sources and re-checked quarterly.