A head of model risk at a $40B bank opened a recent working session with a question that had no clean answer for fifteen years and now has a partial one. “We have been governing our customer-service LLM as a model under SR 11-7. Do we still?” For most of the last decade the honest reply was that the agencies had never said, so prudent programs treated decision-influencing AI as in scope and documented the discomfort. As of April 17, 2026, the answer changed. The agencies revised the guidance, and the new text draws a line the old one never did. The thesis of this piece is simple: SR 26-2 is an evolution of SR 11-7, not a repudiation of it, and the single most consequential change is a scope boundary that pulls generative and agentic AI out of model risk guidance entirely.
What SR 26-2 is and why it matters
SR 26-2, “Revised Guidance on Model Risk Management,” was issued by the Federal Reserve on April 17, 2026. It is an interagency issuance: the Federal Reserve published SR 26-2, the Office of the Comptroller of the Currency published OCC Bulletin 2026-13, and the FDIC issued a parallel statement. The three agencies acted together, and the substance is the same across all three, with each agency’s version applying to the institutions it supervises. SR 26-2 applies to state member banks under Fed supervision, OCC Bulletin 2026-13 applies to nationally chartered banks, and the FDIC issuance applies to state non-member banks. One point worth stating plainly because it is easy to assume otherwise: the Consumer Financial Protection Bureau is not a party to this interagency guidance. It is a Fed, OCC, and FDIC issuance.
SR 26-2 replaces and rescinds SR 11-7, the supervisory guidance on model risk management that had been the backbone of the discipline since 2011. The rescission is broad on the OCC side: the new bulletin replaces OCC Bulletin 2011-12, OCC Bulletin 2021-19, OCC Bulletin 1997-24, and the “Model Risk Management” booklet of the Comptroller’s Handbook. For a bank that built its model risk program against the SR 11-7 framework, this is the first guidance update in a generation, and it arrives precisely as boards are asking how AI fits the model risk perimeter. That timing is why the document matters more than a routine refresh would.
It matters for a second reason that the language makes explicit. SR 26-2 is non-binding supervisory guidance. In the OCC Bulletin 2026-13 framing, it “does not set forth enforceable standards or prescriptive requirements, and non-compliance will not result in supervisory criticism.” SR 11-7 established supervisory expectations rather than enforceable rules, and SR 26-2 continues in that tradition while saying so more directly than its predecessor. This is principles-based guidance that establishes supervisory expectations; it is not a regulation, and it does not mandate specific artifacts. Reading it as a rulebook misreads what it is. That said, non-binding does not mean optional in practice. Examiners assess whether institutions have adopted sound risk management practices aligned with the guidance’s principles, and a program that ignores those principles entirely may draw questions about the adequacy of its model risk management. The stronger-than-usual “non-compliance will not result in supervisory criticism” language is notable, but the practical expectation is still that well-run institutions understand and apply the principles to their own circumstances.
What changed from SR 11-7
Four changes define the move from SR 11-7 to SR 26-2, and they are best read as refinements of a durable framework rather than a rewrite.
The first is a clearer scope boundary. SR 26-2 states that it applies to “traditional models and basic AI applications.” That phrase is reflected in the interagency materials as how the agencies characterized the scope in their public communications, and it is doing real work. SR 11-7 defined a model broadly and left the application to AI to interpretation, which is why banks spent years arguing internally about whether an LLM was a model under it. SR 26-2 narrows the field of application and names what is in: traditional models and basic AI applications. The systems that gave model risk teams the most trouble, generative and agentic AI, are handled separately, which we cover in the next section. One caveat worth noting: the guidance does not draw a bright-line definition distinguishing “basic AI applications” from generative or agentic AI, and banks will need to apply judgment in classifying systems near the boundary — a logistic regression scorecard is clearly inside, a large language model clearly outside, and some intermediate AI tools will require a deliberate classification decision with documented rationale.
The second is proportionality. SR 26-2 is risk-based in its application rather than uniform across every institution. The guidance is expected to be most relevant to banking organizations with over $30B in total assets, with proportional application to smaller banks where model risk exposure is significant. This is a meaningful shift in posture. SR 11-7 was applied broadly and a small bank could feel obligated to stand up machinery sized for an institution many times larger. The proportional framing says the depth of a program should track the materiality of the model risk it manages, which gives smaller institutions room to scale their effort to their exposure.
The third is an expanded treatment of vendor and third-party model risk. Most models a bank relies on today are not built in-house, and the guidance gives more room to the due diligence, contracting, and ongoing monitoring of externally sourced models than the 2011 text did. A provider that updates a model you did not build has changed a model you depend on, and the revised guidance reflects that the supply chain is now a first-class source of model risk rather than a footnote.
The fourth is the explicitly non-binding, principles-based framing already described. SR 26-2 re-articulates the core model risk principles with a clearer structure and states, in the OCC version, that it sets no enforceable standards and that non-compliance will not draw supervisory criticism. The principles are familiar; the framing around them is more candid about what supervisory guidance is and is not. If your program treats much of AI model risk management under SR 11-7 as settled doctrine, almost all of that doctrine survives — what changes is the boundary around it and the proportionality of how it applies.
The generative AI and agentic AI carve-out
The single most important thing for a bank to absorb is the scope carve-out, because it is the change most likely to be misread. SR 26-2 explicitly excludes generative AI and agentic AI from its scope. The guidance characterizes these systems as “novel and rapidly evolving” and states that other risk-management practices will govern them rather than this model risk guidance.
Governor Bowman confirmed the boundary in a personal speech on May 1, 2026 (Governor Bowman’s speeches represent her own views and are not official Board positions, though they are informative about supervisory thinking): “we recently amended our model risk management guidance to clarify that it does not apply to generative or agentic AI … The revised guidance now applies narrowly to traditional models and basic AI applications.” That is as direct a statement of scope as a bank will get. The model risk guidance applies narrowly to traditional models and basic AI applications, and generative and agentic systems sit outside it.
Why does this matter so much in practice? Because a bank cannot rely on SR 26-2 as its governance authority for a generative or agentic AI deployment. If your customer-service assistant is an LLM, if you are piloting an agent that takes multi-step actions, if you are using foundation models for drafting or summarization, SR 26-2 is not the framework that governs those systems. They are out of scope by design. The discomfort that model risk teams felt for years, trying to validate a non-deterministic system with a playbook built for inspectable, reproducible models, was a real signal: the agencies have now agreed that this class of system needs a different treatment.
The carve-out also signals where the agencies are going. The Fed, OCC, and FDIC have announced their intent to issue a request for information specifically addressing AI, including generative AI, agentic AI, and AI-based models, as a future issuance — it had not been formally published as of the date of this article. That RFI is the channel through which dedicated AI guidance is expected to develop. One critical point: the carve-out is not a regulatory safe harbor. SR 26-2 does not apply to generative and agentic AI, but that does not mean those systems are unregulated or that examiners have no basis for questioning their governance. Banks still face examination exposure through existing consumer protection rules, fair lending laws, and third-party risk guidance, none of which have a generative AI exclusion. The practical consequence is a governance gap that banks own: generative and agentic AI must be governed somewhere, and SR 26-2 says that somewhere is not model risk guidance. A bank that quietly assumes its LLM is covered by the model risk program because it used to debate that internally is now governing a system the primary guidance has explicitly set aside — and is also leaving itself without a documented framework when an examiner asks which governance authority applies.
What stayed the same
It would be a mistake to read SR 26-2 as a clean break. The core of model risk management is preserved. The discipline still rests on the same pillars SR 11-7 established: sound model development and use, independent validation and ongoing monitoring, and governance, policies, and controls. SR 26-2 re-articulates these with a clearer structure, but the substance a model risk officer recognizes is intact. Effective challenge, a model inventory, validation that tests conceptual soundness and runs outcomes analysis, ongoing monitoring, and documented governance all carry forward.
This continuity is the good news for institutions that did the work. A bank running a credible SR 11-7 program is well-positioned under SR 26-2, because the program it built around development, validation, and governance maps directly onto the revised principles. The work is reconciliation against a clearer scope and a proportional posture, not reconstruction. The systems that were always genuine models under SR 11-7 are traditional models under SR 26-2, and the governance you operate for them still applies. What you are adding is a clearer line at the edge of the perimeter and an honest accounting of what now sits outside it.
What banks need to do now
The first move is to re-read the scope definition against your own portfolio rather than against your memory of SR 11-7. The phrase that matters is “traditional models and basic AI applications,” and the question for each system is which side of that line it falls on. This is a deliberate inventory exercise, not a judgment call made once in a committee.
Second, assess your AI inventory against the boundary. For every AI system in production or in pilot, classify it as a traditional model or basic AI application that remains inside SR 26-2, or as a generative or agentic system that the guidance has carved out. Be conservative and specific. An LLM that drafts customer communications, an agent that executes multi-step workflows, and a foundation model used for summarization sit on the carve-out side. A logistic-regression scorecard, a statistical fraud model, and a deterministic decision rule sit inside. The line is clearer than it was, but applying it to a real estate of systems still takes work.
Third, make sure your generative and agentic AI governance lives somewhere outside SR 26-2. This is the gap the carve-out creates and the one most likely to be missed. If a system is out of scope for model risk guidance, it still needs an owner, a risk classification, testing, and monitoring under some framework. Most banks build that on a structure they already understand, mapping these systems to a recognized governance framework and reusing the controls they operate for security and compliance. An AI governance checklist is a fast way to see whether your generative AI systems have the inventory, tiering, and evidence that an examiner or a board will expect, regardless of which guidance formally applies. For institutions standing up that structure deliberately, our banking AI governance work is built to reconcile an existing model risk program with the systems that now fall outside it.
Fourth, note the coming RFI and do not wait for it to act. The agencies have signaled that dedicated AI guidance is in development, but a bank cannot leave a generative or agentic system ungoverned in the interim because the formal text is not yet written. The defensible posture is to govern those systems now under a credible framework and adjust when the RFI and any resulting guidance land. An AI governance readiness assessment is the fastest way to find the systems that have slipped outside both the model risk perimeter and any formal AI governance, which is exactly where the carve-out leaves the most exposure.
What this guide is / What it is not
What it is: A practitioner read on the move from SR 11-7 to SR 26-2 for model risk and AI governance leaders. It explains the April 2026 interagency issuance, the scope boundary between traditional models and basic AI applications versus generative and agentic AI, the proportional and non-binding framing, and the practical steps a bank takes to reconcile an existing model risk program with the new guidance. It is meant to give a Head of Model Risk, a CDO, or a CRO a clear picture of what changed and where the governance gaps now sit.
What it is not: It is not legal or regulatory advice, and it is not a certification or a guarantee of any exam or audit outcome. SR 26-2 is non-binding supervisory guidance that establishes supervisory expectations and principles; it does not set enforceable standards, it does not mandate specific artifacts, and non-compliance will not, in the OCC framing, result in supervisory criticism. SR 26-2 does not apply to generative or agentic AI. DSE prepares organizations for examination and strengthens the governance posture behind your models and your AI systems. We do not certify, and we do not guarantee any exam or audit result. Any vendor promising guaranteed regulatory approval is selling certainty that does not exist.
FAQ
What is SR 26-2 and what did it replace?
SR 26-2, the Revised Guidance on Model Risk Management, was issued by the Federal Reserve on April 17, 2026 as an interagency issuance alongside OCC Bulletin 2026-13 and a parallel FDIC statement. It replaces and rescinds SR 11-7 as the primary interagency model risk guidance, and on the OCC side it also rescinds OCC Bulletin 2011-12, OCC Bulletin 2021-19, OCC Bulletin 1997-24, and the Model Risk Management booklet of the Comptroller’s Handbook. It is non-binding supervisory guidance that establishes supervisory expectations, not a regulation.
Does SR 26-2 apply to generative AI and agentic AI?
No. SR 26-2 explicitly excludes generative AI and agentic AI from its scope, characterizing them as novel and rapidly evolving and stating that other risk-management practices will govern them. The guidance applies to traditional models and basic AI applications. Governor Bowman confirmed on May 1, 2026 that the revised guidance does not apply to generative or agentic AI and now applies narrowly to traditional models and basic AI applications. Banks cannot rely on SR 26-2 to govern their generative or agentic AI systems.
How is SR 26-2 different from SR 11-7?
SR 26-2 keeps the core model risk pillars of development and use, validation and monitoring, and governance and controls, but makes four changes: a clearer scope boundary that names traditional models and basic AI applications as in scope, a risk-based and proportional application most relevant to banking organizations over $30B in total assets with proportional application to smaller banks where model risk exposure is significant, an expanded treatment of vendor and third-party model risk, and an explicitly non-binding, principles-based framing. It is an evolution of SR 11-7, not a repudiation of it.
What should a bank do now that SR 26-2 has replaced SR 11-7?
Re-read the scope definition against your own portfolio, then assess every AI system against the boundary between traditional models and basic AI applications versus generative and agentic AI. Make sure your generative and agentic AI governance lives outside SR 26-2 under a credible framework, since the guidance carves those systems out. Note that the Fed, OCC, and FDIC plan a separate request for information addressing AI, including generative AI and agentic AI, and govern those systems now rather than waiting for it.
The Bottom Line
SR 26-2 did not tear down the model risk discipline banks spent fifteen years building. It revised the guidance, kept the three-pillar spine of development, validation, and governance, and added a proportional, risk-based posture that lets institutions size their effort to their exposure. A bank running a credible SR 11-7 program is well-positioned, because almost everything that program does still applies to the traditional models and basic AI applications that remain in scope.
The change that demands attention is the scope boundary. Generative AI and agentic AI are explicitly out of scope under SR 26-2, governed instead by other risk-management practices the agencies have signaled they will develop through a forthcoming RFI. That carve-out is honest about a real difficulty, but it creates a gap that each bank now owns: those systems still need an inventory, a risk classification, testing, monitoring, and an owner, just not under model risk guidance. The practical work is to reconcile your existing program against the clearer scope, classify every AI system against the line, and stand up governance for the generative and agentic systems that have just been set outside the model risk perimeter. Done deliberately, that is a reconciliation exercise, not a rebuild, and it leaves you with a defensible posture for both your models and the AI the guidance no longer covers.
If your model risk program was built on SR 11-7 and you are mapping to SR 26-2, DSE’s banking AI governance practice helps banks reconcile existing governance with the new guidance and establish what belongs outside SR 26-2 for generative and agentic AI. The AI governance readiness assessment delivers a risk register and audit-ready evidence package at a fixed fee. Scope the engagement →
Key facts
- SR 26-2 (April 17, 2026) replaces SR 11-7 as the primary interagency model risk guidance
- Generative AI and agentic AI are explicitly out of scope under SR 26-2
- The Fed, OCC, and FDIC plan a separate RFI addressing AI including GenAI and agentic AI
- Non-binding supervisory guidance — does not set enforceable standards or prescriptive requirements