
From SR 11-7 to SR 26-2: Managing model risk when models don't stand still

Chris Stanley

Senior Director, Industry Practice Lead, Americas

Ask any model risk officer how many AI tools are actively running inside their institution right now, and the honest answer is usually: more than the inventory shows. Not because anyone is hiding anything. Because the tools arrived faster than the governance process built to track them.

That gap, between deployment and oversight, is what SR 26-2 was written to address.

On 17 April, the Federal Reserve, the OCC, and the FDIC updated the framework banks use to govern quantitative models, from credit underwriting to stress testing to fraud detection, for the first time in fifteen years. SR 26-2 replaces SR 11-7 as the primary model risk management standard. The headline most institutions will take from it is that generative and agentic AI are excluded from formal scope. The headline that matters more is that the guidance does not reduce expectations. It changes what “meeting” them requires.

SR 11-7 fought the risk of using bad models. SR 26-2 acknowledges the risk of not using models.

That distinction is not subtle, and it's the lens through which the rest of this guidance should be read.
 

A framework built for models that held still

SR 11-7 was designed for models with defined inputs, stable methodologies, and predictable outputs. A credit model takes defined inputs, applies a documented methodology, and produces a quantitative estimate. That process can be validated before deployment, because the model's behavior can be fully understood in advance.

The systems transforming banking today do not remain still. Fraud detection models evolve with emerging threats. Cybersecurity tools adapt continuously. Generative AI systems are updated by third-party providers on their own schedule, often in ways their own developers didn't fully anticipate.

Pre-deployment validation cannot govern a system that changes after deployment. That's not a gap in execution. It is a structural mismatch between the framework and the technology, and it's the mismatch SR 26-2 is built to address.
 

What the guidance actually says

SR 26-2 is direct about its own boundary:

“Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Nonetheless, a banking organization's risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document.” [1]

Read that boundary carefully, because it's the one most institutions will misread. The exclusion isn't a reprieve from governance. It is a statement that the technology is moving too fast for a fixed framework to keep pace with it, and an instruction to build governance anyway, using sound judgment rather than a checklist. More guidance is coming. In the meantime, the principles of model risk management still apply, and the institutions that treat the carve-out as permission to do less will find that an examiner reading the same footnote reached a different conclusion.

Related reading: Regulators drive new standards for AI model risk management.
 

Risk doesn't end at the model

Even where SR 26-2 draws a formal line, the data doesn't honor it. Consider a chain many institutions already operate: a generative AI tool spreads a borrower's financial statements. That output feeds a credit model. The credit model produces a risk rating. The risk rating informs the CECL reserve, one of the most consequential estimates on a bank's financial statements.

The spreading tool sits outside SR 26-2's formal scope. The credit model and the CECL reserve do not. A systematic error at the start of that chain doesn't stay there. It travels: into the credit model as a data quality problem, into the risk rating as a judgment that looks sound but rests on a compromised input, and into the reserve as a misstatement whose origin is three steps removed from where anyone is looking. Auditors and examiners will follow that chain to its end regardless of where the AI exclusion begins.
 

What adaptive governance requires

SR 26-2 doesn't prescribe a fixed methodology, and that's deliberate. What it asks for instead is harder: understand the risk a given model or tool actually carries, track where its outputs travel once they leave the model, and name who is accountable for the judgment applied along the way.

That requires governance to extend beyond the model itself, into how outputs are used, who is qualified to challenge them, and what happens when a qualified expert gets the call wrong. It also requires the functions that used to operate in sequence (model risk, compliance, technology, audit) to operate as one connected view of risk rather than a series of handoffs where context gets lost at every boundary.

Forward progress is the standard that holds up here. It's defensible when it's measured against the institution's own prior state, not against an abstract notion of completeness, and when the pace of governance improvement matches the pace at which the institution's AI footprint is growing. An institution whose AI adoption is accelerating faster than its governance is improving isn't making forward progress in any sense an examiner will accept. The examiner isn't looking for a perfect record. They're looking for an institution that knows where it is, knows where it's going, and can show the work between those two points.

The institutions that read SR 26-2's flexibility as license to slow down will be building governance for a regulatory environment that no longer exists. The institutions that read it correctly will use this window to build something that compounds: a first line genuinely capable of challenging what it uses, and a governance program that demonstrably gets better as the technology does.

Find the person in your institution who already understands the difference between using a model's output and understanding it. Make sure they have the standing to act on that difference before your next exam does it for you.

For more on how AI is reshaping governance expectations, see Model Risk Management in the Age of AI.
 

How we help

Moody's supports financial institutions in identifying, assessing, and mitigating model risk across the enterprise as regulatory expectations evolve. To find out how we can help your organization strengthen its risk culture and resilience, get in touch today.

References

1. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency, “Supervisory guidance on model risk management,” p. 3, April 17, 2026.

 

