
SR 11-7 to SR 26-2 — what the Fed actually changed, and what GenAI quietly inherited

On 17 April 2026, the Federal Reserve, OCC, and FDIC jointly issued Supervisory Letter SR 26-2 — Revised Guidance on Model Risk Management. It supersedes SR 11-7, the framework that has defined US bank model risk management for fifteen years. The headlines covered what changed for traditional models. The quieter move was what SR 26-2 carved out — the governance question for tools that amplify your in-house expertise to answer.

What SR 26-2 is

SR 26-2 is the first substantive revision of US bank MRM guidance since SR 11-7 was issued in April 2011. The new letter is interagency — the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corporation issued it together. Two predecessor instruments are formally superseded: SR 11-7 itself and SR 21-8, the April 2021 Interagency Statement on Model Risk Management for BSA/AML compliance. Both supersessions appear on the face of the SR 26-2 letter.

Applicability matters. SR 26-2 is expected to be most relevant to banking organisations with over $30 billion in total assets regulated by the Federal Reserve. Smaller institutions are not the primary audience, and the agencies do not frame them as such. The urgency to act comes from the letter already being in force, not from a future deadline.

Three things SR 26-2 changed

The revised guidance text reshapes MRM along three substantive axes.

Materiality-based posture. Governance effort is now calibrated to actual risk rather than applied uniformly. Models that previously sat at equal validation cadence now sort by materiality, and previously-equal documentation expectations now tier. This is not a lighter framework — the sound MRM principles SR 11-7 established remain intact — it is a calibrated one. Banks that had been investing equally across model populations can redirect effort toward the higher-materiality end.

Narrower model definition. Simple arithmetic calculations such as those found within spreadsheets, and deterministic rule-based processes and software, sit outside the new model definition. Many practitioners still use "model" colloquially for any deterministic calculation; the new boundary matters when scoping the validation universe.

Generative and agentic AI carved out of formal MRM scope. The agencies placed these technologies outside the MRM construct entirely, framing the carve-out as a function of how rapidly the technologies are evolving and assigning responsibility to other risk areas within the organisation. This is the change the law-firm summaries treated as a footnote. It is the change the rest of this piece is about.

One thing SR 26-2 did not change — and one thing it carved out

SR 26-2 did not abandon the sound MRM principles SR 11-7 set out. Effective challenge, independent validation, model inventory, and ongoing monitoring all remain. What changed is the calibration of effort to risk and the definition of which calculations qualify as models.

What it carved out is generative and agentic AI. The carve-out is non-coverage, not prohibition — SR 26-2 placed these technologies outside the formal MRM construct and assigned governance responsibility to other risk areas without prescribing which ones. Hold this distinction: out of MRM scope, not out of every governance function.

The carve-out matters more than its size on the page. AI and machine-learning systems that fit the new statistical, financial, or economic model definition remain in scope under MRM. The exclusion is specific to generative and agentic AI.

Where GenAI now sits in your bank's risk taxonomy

Three governance functions are the natural inheritors. Most banks will land on one — or on a steering committee that combines two.

AI Governance is the obvious owner. Many banks stood up an AI Governance function in 2024–2025, typically reporting to Risk or directly to the Chief Risk Officer. Generative AI lands here naturally — AI usage policy, risk register, employee guidelines, and vendor due diligence are all extensions of work that may already exist in draft form.

Technology and Cyber Risk picks up the AI-enabled threat surface — AI-enhanced cyberattacks, deepfakes used against multi-factor authentication, and AI-enabled social engineering. The NYDFS Industry Letter on cybersecurity risks arising from AI of 16 October 2024 lives in this function's remit; DORA does the same for EU-supervised entities.

Third-Party Risk picks up the procurement angle. Most generative AI in production at a bank is procured rather than built, which puts the AI vendor inside Third-Party Risk's controls catalogue with AI-specific clauses bolted on.

Responsible AI Studio (RAIS) builds the toolkit those three functions will be asked to produce: the AI Risk Register, AI Policy Generator, and AI Vendor Assessment.

Where to read the source material

