Pillar of the week
This week's pillar lands in financial services. Fed SR 26-2 modernised US bank model risk management on 17 April 2026 — and explicitly placed generative and agentic AI outside formal MRM scope. The model-risk function inherited a cleaner toolkit; AI governance inherited a question.
The carve-out is non-coverage, not prohibition. AI systems that fit the new statistical, financial, or economic model definition stay in scope under MRM; generative and agentic AI route to a parallel governance track. Three governance functions are the natural inheritors — AI Governance, Technology and Cyber Risk, Third-Party Risk — and the pillar walks five practitioner moves to land a defensible position before the next supervisory exam.
Out of MRM scope, not out of every governance function.
Three to watch
- Fed SR 26-2 in force since 17 April 2026 — Federal Reserve, OCC, and FDIC interagency revised guidance supersedes SR 11-7 (2011) and SR 21-8 (2021). Expected to be most relevant to banking organisations over $30 billion in total assets regulated by the Federal Reserve. Source: federalreserve.gov
- NYDFS AI cybersecurity guidance — The 16 October 2024 Industry Letter clarifies how 23 NYCRR Part 500 applies to AI-cyber risks. Operationally specific: NYDFS Covered Entities directed to avoid SMS, voice, and video as the sole second factor for high-risk transactions due to deepfake exposure. Source: dfs.ny.gov
- DORA Article 28 third-party arrangements — Regulation (EU) 2022/2554 covers ICT and third-party arrangements for EU financial entities since 17 January 2025. AI cloud-model providers, inference-API vendors, and agentic-AI orchestrators are ICT third parties under Article 28. Source: eur-lex.europa.eu
Sample of the week
This week's sample is the AI Policy Generator — sample output for the financial-services industry cell shows the 10-section AI usage policy with citations to SR 26-2, the EU AI Act, NIST AI RMF, and ISO/IEC 42001 mapped to your jurisdictions in scope. Free .docx download, email-gated.
Practitioner takeaway
The SR 26-2 GenAI carve-out is not a void — it is a non-coverage assignment that pushes governance to other functions without prescribing which ones. The internal organisational design question is now load-bearing for what an exam looks like. Three governance functions are the natural inheritors, and most banks land on one or a steering committee combining two. The standing risk is treating GenAI as "out of every governance function" rather than "out of MRM, in everywhere else." A short charter refresh that names the inheritor function — and a one-page memo to the audit committee citing SR 26-2's carve-out language — is usually the smallest move that prevents the worst supervisory read.
This week's starting point
If you are updating ICT vendor contracts for AI-specific terms, start with the AI Vendor Assessment ($29) — a 30-question scored workbook aligned to ISO 42001 / NIST AI RMF with auto-summing category totals, pass / conditional / reject thresholds, and the AI-specific clauses already drafted (training-data provenance, inference-data handling, model-versioning notice).