
    SR 26-2 Just Created a Governance Gap Banks Can't Ignore

    The Federal Reserve just carved AI out of model risk management. The institutions that treat this as relief instead of a budget signal will be 12 to 18 months behind.

    Paul Goldman, CEO, iTmethods
    May 12, 2026 · 4 min read

    Securing the Agentic Era. Article 12 · AI Governance


    On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly retired SR 11-7, the 15-year-old framework that defined model risk management for every major U.S. bank, and replaced it with SR 26-2.

    The financial press framed this as a modernization. More flexible, principles-based, less prescriptive. That framing misses the real story.

    SR 26-2 does something much more consequential than update old rules. It explicitly carves generative AI and agentic AI out of scope and signals that a separate regulatory framework is coming. The institutions reading this as regulatory relief are reading it backwards. The carveout is the spend signal.

    SR 26-2 issued: Apr 17, 2026 (Fed · OCC · FDIC interagency)
    Asset threshold: $30B (primary scope)
    Tier framework: 3 (replaces model vs. non-model)
    Generative + agentic AI: Excluded (separate framework forthcoming)
    2026 governance spend wave: $2.5B
    Build horizon: 12-18 mo (blank-sheet to ready)

    What SR 26-2 Actually Does

    The new guidance applies primarily to banking organizations above $30 billion in assets. Every G-SIB and large regional bank. Three changes matter most.

    1. Three-tier classification replaces the old model vs. non-model binary. Banks now operate across Traditional Models (full MRM rigor), Non-Model Tools (lighter governance), and Excluded Innovations: generative and agentic AI, deliberately set apart with the expectation of a separate forthcoming regime.

    2. Materiality-based oversight replaces annual revalidation. Validation cadence is now driven by risk assessment rather than a fixed calendar.

    3. A forthcoming AI Request for Information. The agencies explicitly previewed an RFI that will address generative AI, agentic AI, and AI-based models. The timeline is unknown. The shape is unknown. What is known is that U.S. banks are currently in a regulatory waiting room with no concrete AI governance framework.


    The Real Impact. A Governance Gap That Didn’t Exist on April 16

    For a CRO at a G-SIB, the shift is stark. Three weeks ago, generative AI deployments were governed under an informal extension of SR 11-7. Today, those same deployments sit outside any specific regulatory framework. The bank must now construct its own AI governance architecture while waiting for the RFI and the eventual guidance that follows.

    This is not theoretical. Banks above $30 billion in assets will be examined against SR 26-2’s three-tier expectations. Those without a defensible AI governance framework mapped to the forthcoming RFI, AIGF v2.0, EU AI Act, OSFI E-23, and DORA will face a difficult conversation with their audit committee and board.

    This is the operational consequence of the same architectural gap the Agent Sprawl piece documented last week. 97% of enterprises run AI agents. Only 12% have centralized control. SR 26-2 converts that 88-point gap into a regulator-relevant exam finding for U.S. banks above the $30 billion threshold.


    The $2.5B Spend Signal

    Institutional research has been forecasting a $2.5 billion 2026 AI governance spend wave in regulated industries for two quarters. SR 26-2 is the document that converts that forecast into mandatory budget.

    The institutions that started building enterprise AI governance frameworks ahead of SR 26-2, mapped to AIGF v2.0 and the EU AI Act, will be positioned to respond meaningfully to the RFI. Their governance architecture becomes input to the regulator’s framework. Banks that waited will be responding defensively, then facing an 18-month implementation cycle from a blank sheet.

    The architectural pattern is the same one the Open RegTech piece three weeks ago laid out. Open standards (CDM, Morphir, DRR, AIGF v2.0) plus managed infrastructure to run them under SLA. SR 26-2 confirms why that pattern is the answer. The same evidence pipeline has to satisfy the forthcoming RFI, AIGF v2.0, OSFI E-23, the EU AI Act, and DORA. One build. Five regimes.

    SR 26-2 carved AI out. The RFI is coming. The build is now.

    The institutions that treat the carveout as relief instead of a budget signal will be 12 to 18 months behind the institutions building evidence architecture today.


    What Banks Should Build Now

    Five capabilities, built on shared infrastructure, satisfy SR 26-2, the forthcoming RFI, AIGF v2.0, third-party AI risk, OSFI E-23, EU AI Act high-risk, and DORA simultaneously.

    1. A continuously updated inventory of every model and AI system, scored on materiality.

    2. Identity and authorization for every non-human actor: models, agents, tools.

    3. Authoritative policy decisions in the operational path of every model and tool invocation.

    4. Evidence collection as a byproduct of operation, tamper-resistant, identity-attributed, mapped to regulatory clauses.

    5. Cross-domain consistency so the same evidence pipeline works for model risk, AI governance, trade reporting, and any regulated workflow.

    These five together are the architectural answer to SR 26-2, the forthcoming RFI, AIGF v2.0, the EU AI Act high-risk obligations, OSFI E-23, and DORA, simultaneously. They are not separate projects. They are one infrastructure problem.


    The Bottom Line

    The Federal Reserve, OCC, and FDIC just rewrote fifteen years of bank model risk management and deliberately left AI for a separate framework that does not exist yet. The institutions that treat the carveout as relief rather than a budget signal will be 12 to 18 months behind the institutions that already have evidence architecture in place.

    The framework just got rewritten. The carveout is where the next wave of regulated AI governance spend lands. The architectural answer is the same regardless of what the RFI eventually specifies. The institutions that built for it already are the ones positioned for what comes next.

    The carveout is where the next wave of regulated AI governance spend lands. The architecture is the same regardless of when the RFI lands.


    Paul Goldman is CEO of iTmethods and architect of Reign and Forge. The Trust Layer for Enterprise AI. He has spent 21 years building managed infrastructure for regulated enterprises and writes weekly on AI governance in the agentic era.

    Reign is the AI Governance Platform. AI Gateway, Model Risk Validation, Audit Ledger (CAVR), Assurance Packs. Mapped to the FINOS AIGF v2.0. Forge is the managed runtime layer underneath. Reign for Life Sciences extends the same evidence model to regulated life sciences workflows. Enterprise AI. Governed. Learn more at itmethods.com.
