SR 26-2 Is Here: The 2026 Model Risk Guidance That Finally Gives Validators Teeth

On April 17, 2026, the Federal Reserve, the FDIC, and the OCC (collectively, "the agencies") issued SR Letter 26-2, which replaces the prior model risk management guidance, SR 11-7, issued in 2011. This update refines supervisory expectations regarding how banking organizations should calibrate their model risk management frameworks. The guidance is most directly applicable to institutions with total assets exceeding $30 billion, though smaller institutions with complex modeling activities are advised to consider its principles.



Scope and Applicability

The guidance formally excludes simple arithmetic calculations, deterministic rule-based processes, and notably, generative artificial intelligence and agentic artificial intelligence models from the definition of a model. However, the agencies explicitly state that traditional statistical, quantitative, and non-generative artificial intelligence models remain within scope. The primary audience is organizations with over $30 billion in assets, reflecting a tailored supervisory approach that recognizes the lower inherent risk profiles of most community banking institutions.

What Is Covered and What Is Not

SR 26-2 draws a clean line between two categories of artificial intelligence. On one side, traditional statistical models and non-generative, non-agentic AI models are fully within scope. This includes logistic regression for credit scoring, random forests for fraud detection, gradient boosting for loss forecasting, and any probabilistic model that applies statistical, economic, or financial theories to produce quantitative estimates. On the other side, generative AI such as ChatGPT-style models and agentic AI that makes autonomous decisions are explicitly excluded from the guidance. 

The agencies state that these technologies are novel and rapidly evolving, so they are not covered here. Simple spreadsheet arithmetic and deterministic rule-based processes with no statistical underpinning are also excluded. For practitioners, this means the bank's existing credit risk, market risk, and stress testing models remain subject to the full model risk management framework, while internal productivity chatbots do not.

How to Treat Probabilistic and AI Models in Practice

For probabilistic models and non-generative AI, the guidance applies the same materiality-based framework as any other quantitative model. U.S. banks under scope must assess each model using two dimensions: exposure (portfolio size and financial impact) and purpose (regulatory significance or critical risk decisions). A machine learning fraud detection model affecting $50 million in transactions may require less rigor than a smaller logistic regression model used for regulatory capital calculations, if the latter serves a more critical purpose. The key operational change is that validators of AI models must now have organizational standing to effect change, not just technical expertise. 

For probabilistic models with inherent uncertainty, banks must document assumptions explicitly and monitor performance drift continuously, not annually. Vendor-supplied AI models receive no lighter treatment; proprietary black-box constraints do not excuse banks from validating conceptual soundness. If a vendor will not provide transparency into model design, development data, or assumptions, banks must either conduct independent back-testing using their own internal data or limit the model to immaterial use cases.

Main Changes and Technical Nuances

The most significant departure from prior guidance is the formal introduction of a materiality-driven framework. Rather than applying uniform rigor to all models, the agencies now require banking organizations to evaluate model risk through two distinct lenses:

  1. Model Exposure: The quantitative significance of a model's output to business decisions, typically measured by portfolio size or financial impact.

  2. Model Purpose: A qualitative assessment of whether the model supports regulatory requirements or manages critical financial risk exposures.

The interaction of exposure and purpose determines model materiality, which then dictates the depth of validation, monitoring, and governance required. Immaterial models require only identification and periodic monitoring for changes in conditions that could elevate their status. Conversely, higher materiality models warrant comprehensive and rigorous oversight throughout the lifecycle.

The guidance also introduces a more explicit expectation regarding aggregate model risk. Institutions must assess risk not only at the individual model level but also across portfolios of models. This includes evaluating dependencies, common assumptions, shared data sources, and correlated methodologies that could cause simultaneous failures. A single point of weakness in a shared data pipeline, for example, could manifest as aggregate risk across multiple high-stakes models.

Effective Challenge and Independence

The agencies reinforce the concept of effective challenge as a non-negotiable component of sound governance. Effective challenge is defined as critical analysis performed by objective experts who possess the technical competence to evaluate model risk, sufficient independence to maintain objectivity, and the organizational standing to compel changes. This elevates the requirement beyond mere peer review to a governance mechanism with teeth. Validation functions must be structured to avoid conflicts of interest, particularly misalignment of incentives between model development and validation reporting lines.



Vendor and Third-Party Products

A critical clarification addresses vendor and third-party models. The guidance states that the use of proprietary products, including those where underlying code or methodology is inaccessible, does not diminish the banking organization's risk management responsibilities. Validation of vendor models must include an assessment of conceptual soundness, design, development data, and ongoing performance. Customizations made to vendor models for specific business needs must be documented, justified, and evaluated as part of validation. The inability to inspect proprietary elements is not an acceptable basis for reducing validation rigor.

Model Development, Validation, and Monitoring

The guidance formalizes three components of validation:

  • Conceptual Soundness: Assessing model design, assumptions, qualitative judgments, and data selection.

  • Outcomes Analysis: Comparing model outputs to real-world results, including back-testing and outlier analysis.

  • Ongoing Monitoring: Evaluating performance against changing products, exposures, data relevance, and market conditions.

Notably, the guidance permits limited circumstances where a model may be used prior to completion of validation, such as an urgent business need. In such cases, the institution must apply heightened attention to model limitations, inform relevant stakeholders, and implement compensating controls including usage limits and closer performance monitoring.

Governance and Documentation

The agencies expect a comprehensive model inventory that supports risk management at both individual and aggregate levels. Documentation must be adequate to ensure continuity of operations, track recommendations and exceptions, and support remediation efforts. Internal audit functions are expected to evaluate the effectiveness of model risk management practices rather than duplicate validation activities.

Enforceability Context

While the guidance explicitly states that non-compliance will not result in supervisory criticism standing alone, the agencies preserve their authority to take action for any violations of law or unsafe or unsound practices stemming from insufficient management of model risk. Practically, this means the guidance defines the supervisory baseline. Deviations from its principles will be cited as evidence of inadequate risk management in the event of a model failure or material loss.

Implications for GRC Professionals

The 2026 guidance signals a maturation of model risk management from a technical validation exercise to an integrated governance discipline. GRC professionals should prioritize three actions: first, implementing a tiered inventory that clearly distinguishes material from immaterial models; second, assessing aggregate risk across model portfolios, particularly where shared assumptions or data sources exist; and third, reviewing vendor management agreements to ensure that contractual terms do not impede the validation and ongoing monitoring required by the agencies. The exclusion of generative and agentic artificial intelligence is temporary; the principles articulated in this guidance will likely inform future supervisory expectations as those technologies evolve.



Critical Implications of the Revised Model Risk Management Guidance (SR 26-2)


Four Critical Changes for Risk Managers


1. Redesign Model Tiering Using Dual-Axis Materiality Assessment

Risk managers must now classify all AI predictive models using both exposure (quantitative portfolio impact) and purpose (qualitative regulatory or risk significance), replacing single-dimension risk ratings. This materiality-based framework means a fraud detection AI model affecting $50M in transactions may warrant less rigor than a $10M credit decisioning model if the latter supports regulatory capital calculations. Organizations must rebuild model inventories to document both dimensions, as immaterial models by exposure may still be material by purpose. The tiering directly determines validation depth, monitoring frequency, and governance escalation pathways for each AI risk model.

2. Establish Effective Challenge with Organizational Authority

Validators of AI predictive models must now possess not only technical expertise but also demonstrable organizational standing and influence to effect change, moving beyond advisory roles. Risk managers must restructure validation teams to ensure challengers can delay model deployment, escalate concerns to executive committees, and mandate remediation with teeth. This represents a fundamental shift from validation as a documentation exercise to validation as a governance gate, particularly critical for complex AI models where technical reviewers previously lacked business authority. Second-line model risk functions must now be empowered to override first-line deployment timelines when AI model risks are inadequately addressed.

3. Implement Rigorous Vendor Risk Model Governance

Third-party AI models for credit scoring, fraud detection, or risk forecasting no longer receive lighter treatment despite proprietary limitations, requiring the same conceptual soundness validation as internal models. Risk managers must negotiate with vendors for sufficient transparency into model design, development data, assumptions, and performance metrics to conduct meaningful validation, even when source code is unavailable. Ongoing monitoring and outcomes analysis are now explicitly required for vendor AI models, including documentation of any overlays or adjustments made to customize outputs. Where vendors cannot provide adequate validation evidence, risk managers must either conduct independent testing using the bank's own data or limit the model's application to lower-materiality use cases.

4. Deploy Continuous Model Monitoring Infrastructure

Ongoing monitoring is elevated from periodic review to continuous evaluation, requiring risk managers to implement real-time performance tracking for material AI predictive models across changing data distributions and market conditions. Monitoring frameworks must now explicitly assess whether AI models remain fit-for-purpose as products, client bases, or economic environments shift, with predefined thresholds triggering recalibration or redevelopment. Risk managers must establish outcomes analysis comparing AI model predictions to actual results (back-testing) as a standard validation component, not an optional add-on, particularly for models relying on expert judgment or alternative data. The guidance mandates documentation of model deterioration triggers and response procedures, forcing proactive governance rather than reactive remediation when AI risk models fail.

Priority Actions for SR 26-2 Compliance

1. Materiality Triage

Large U.S. banks should redesign model inventories around purpose and exposure, not a single generic risk score. The guidance is explicit that model materiality depends on the business importance of the use case and the significance of the output to decisions, including regulatory and financial risk use. For predictive AI models, credit loss, fraud, liquidity, and capital-related use cases should be tiered above internal analytics or convenience models. Common practice still overweights model complexity and underweights business consequence; that should be corrected.

2. Challenge Authority

Banks should formalize effective challenge as a control with authority, not as a review function. The guidance requires challengers to have sufficient expertise, independence, organizational standing, and influence to effect change throughout the model lifecycle. That means validation functions need documented rights to delay launch, require remediation, and escalate unresolved issues to executive governance forums. Common advice tends to treat validation as commentary; that is not defensible under this guidance.

3. Continuous Monitoring

Scoped banks should move material predictive AI models to ongoing monitoring with explicit deterioration triggers. The guidance requires monitoring for changes in products, exposures, activities, clients, data relevance, and market conditions, and it states that material deterioration may warrant overlays, adjustment, or redevelopment. Monitoring should therefore include pre-defined thresholds for drift, performance decay, and segmentation instability, not just periodic reporting. Common practice often relies on quarterly review cycles; that is too slow for models embedded in live decisioning flows.

4. Third-Party Validation

Banks should validate vendor and other third-party predictive models to the same conceptual standard applied to internally developed models. The guidance states that proprietary constraints do not remove the need to understand design, development data, assumptions, and performance. Where source code is unavailable, banks need compensating controls such as benchmarking, documented customization review, independent testing, and ongoing outcomes analysis. Common advice often treats SOC reports or vendor attestations as sufficient coverage; they are not.

5. Use Expansion Gate

Banks should treat any extension of model use as a new risk event requiring formal review. The guidance states that using a model beyond its intended purpose introduces additional uncertainty and requires additional analysis of limitations and controls. That means a predictive model approved for one portfolio, channel, or decision layer should not be repurposed without re-validation and governance sign-off. Common practice often extends models through informal business requests; that is a control weakness, not agility.

6. Aggregate Risk Map

Banks in scope should maintain a live inventory that maps individual and aggregate model risk, including shared data, assumptions, and dependencies. The guidance specifically calls out aggregate risk arising from interactions among models and from common methodologies or inputs that can fail simultaneously. For predictive AI models, that inventory should also identify upstream data feeds, shared calibration logic, and correlated override points. Common advice tends to validate models in isolation; that misses the concentration risk the guidance now makes explicit.
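As an added illustration (not taken from the guidance or from the original article), the following Python example combines the dual-axis tiering from the Materiality Triage action with the shared-dependency map described above. The dollar bands, purpose categories, tier names, the take-the-higher-score rule, and the sample inventory are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed cut-offs and labels for illustration; the guidance as described on
# this page prescribes no numeric thresholds or tier names.
EXPOSURE_BANDS = [(100_000_000, 3), (25_000_000, 2), (0, 1)]  # USD floor -> score
PURPOSE_SCORES = {"regulatory_capital": 3, "critical_risk_decision": 3,
                  "business_decision": 2, "internal_analytics": 1}
TIER_NAMES = {3: "high", 2: "medium", 1: "immaterial"}

@dataclass
class Model:
    name: str
    exposure_usd: float
    purpose: str
    dependencies: set = field(default_factory=set)  # data feeds, shared assumptions

def exposure_score(usd):
    return next(score for floor, score in EXPOSURE_BANDS if usd >= floor)

def materiality(m):
    # Dual axis: the higher of the two scores wins, so a small model with a
    # regulatory purpose is not tiered down by its exposure alone.
    return TIER_NAMES[max(exposure_score(m.exposure_usd), PURPOSE_SCORES[m.purpose])]

def aggregate_risk(inventory, min_models=2):
    """Return {dependency: [model names]} for every dependency shared by at
    least min_models models that are not immaterial."""
    users = defaultdict(list)
    for m in inventory:
        if materiality(m) != "immaterial":
            for dep in m.dependencies:
                users[dep].append(m.name)
    return {d: sorted(n) for d, n in users.items() if len(n) >= min_models}

# Constructed sample inventory (not real models or data feeds).
INVENTORY = [
    Model("fraud_gbm", 50_000_000, "business_decision", {"txn_feed", "customer_master"}),
    Model("capital_logit", 10_000_000, "regulatory_capital", {"customer_master", "macro_scenarios"}),
    Model("loss_forecast", 200_000_000, "critical_risk_decision", {"macro_scenarios", "customer_master"}),
    Model("branch_dashboard", 1_000_000, "internal_analytics", {"customer_master"}),
]

if __name__ == "__main__":
    for m in INVENTORY:
        print(f"{m.name:18} {materiality(m)}")
    for dep, names in sorted(aggregate_risk(INVENTORY).items()):
        print(f"shared dependency {dep}: {', '.join(names)}")
```

The dependencies it reports are the ones where a single upstream failure would hit several material models at once, which is where validation of shared inputs should be prioritized.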



About the Author:

Hernan Huwyler is a risk and compliance executive who advises financial institutions on model risk management, AI governance, and control frameworks. He has led validation functions for global banks and regularly writes on the intersection of quantitative risk and regulatory compliance.
