SR 26-2 Model Risk Management Consulting: A 2026 Buyer’s Guide

What SR 26-2 changed (and why it's a buying decision now)

For over a decade, SR 11-7 was the reference for model risk management. In April 2026 the Federal Reserve issued SR 26-2, with parallel issuances from the OCC and FDIC. The headline points: a $30B asset threshold framing proportionality, the same risk-based pillars carried forward, and, most consequentially, generative AI and agentic AI explicitly carved out of scope while separate guidance is developed.

For a bank, this is a buying trigger because three things now have a deadline: re-baselining the model inventory, demonstrating proportional governance, and closing the carve-out gap with controls the letter does not specify. The question for most CROs is not ‘what is SR 26-2’ but ‘do we build this readiness in-house or bring in help, and if we bring in help, whom?’

The four pillars still apply

SR 26-2 is evolution, not reinvention. Any advisor you hire should be fluent in all four pillars and able to right-size them:

  • Model development and use: sound design, documentation, fit-for-purpose application.
  • Validation and monitoring: independent validation proportional to risk; ongoing drift monitoring.
  • Governance and controls: ownership, policy, a maintained inventory, board and risk-committee reporting.
  • Third-party and vendor models: the same expectations extend to bought or rented models.

When to bring in help vs. handle it in-house

Not every bank needs an external advisor. Use this decision guide.

| Situation | In-house may suffice | Bring in help |
|---|---|---|
| Existing MRM maturity | Credible inventory, validation cadence, monitoring already in place | No defensible inventory; validation ad hoc; examiner findings open |
| GenAI / agentic use | No customer-facing or material GenAI in production | GenAI or agentic systems live, or planned within 12 months |
| Capacity | Dedicated MRM function with bandwidth | MRM is a part-time role stretched across other duties |
| Examination timing | No exam imminent; time to mature gradually | Exam on the calendar; need examiner-ready evidence fast |

How to evaluate an SR 26-2 / model risk advisor

Score candidates on the criteria below. The differentiators are implementation depth and a credible carve-out plan: most firms can quote the supervisory letter; far fewer can operationalize it.

| Criterion | What ‘good’ looks like |
|---|---|
| SR 26-2 fluency | Can explain the $30B threshold, proportionality, and the carve-out precisely |
| Implementation depth | Builds the inventory and validation workflow, not just a policy document |
| Carve-out plan | Concrete GenAI/agentic controls beyond traditional MRM |
| Data-layer competence | Understands that model oversight depends on governed data and lineage |
| Proportionality | Right-sizes governance to your assets; no top-25-bank overhead for a community bank |
| Explainability for credit AI | Connects model outputs to adverse-action reasons under CFPB Circular 2022-03 |
| Examiner-ready evidence | Produces inventory, tiering logic, and validation evidence on demand |

RFP questions to ask any SR 26-2 advisor

  1. Show an engagement where you re-baselined a model inventory and the bank cleared an examiner finding as a result.
  2. What specific controls do you add for the GenAI and agentic carve-out that traditional MRM does not cover?
  3. How do you right-size validation cadence and board reporting for a bank our size?
  4. How do you handle vendor and third-party models, including documentation gaps?
  5. How do you connect credit-AI outputs to adverse-action reason codes under CFPB Circular 2022-03?

The carve-out: the part most advisors cannot yet address

The single most important line in SR 26-2 is what it leaves out. Generative and agentic AI are excluded from scope while separate guidance is developed, a governance gap the bank owns in the interim. Traditional MRM controls, designed for statistical and ML models, do not reach prompt usage, sensitive-data exposure, hallucination, the need for human review of material outputs, output logging, or, for agentic AI, which actions an autonomous agent may take without approval.

This is where advisors separate. Ask any candidate for their concrete carve-out controls. The capable answer covers, for GenAI: use-case intake and approval gates, prompt-usage and sensitive-data controls, hallucination detection, mandatory human review of material outputs, output logging, and vendor-dependency review. For agentic AI: defining permitted decisions and actions, mandatory human-approval points, activity logging, and exception escalation. PiTech’s AI Governance Framework for Banking is built around exactly this operating model, on the governed Data Solutions layer it depends on.

A 60-day SR 26-2 readiness scope (what good engagements deliver)

  1. Re-baseline the model and AI inventory across traditional, ML, vendor, GenAI, and agentic systems — owner, purpose, inputs, risk tier, validation status, monitoring.
  2. Risk-tier by impact: customer impact, regulatory exposure, decision autonomy, explainability, data sensitivity, vendor dependency, financial impact, operational criticality, control maturity.
  3. Map controls to tiers; document the proportionality judgment for your asset size.
  4. Close the carve-out with the GenAI/agentic controls above.
  5. Package examiner-ready evidence: inventory, tiering logic, validation results. The practitioner’s view is in AI Risk Management in Banking.

How PiTech delivers SR 26-2 readiness

The lowest bid usually excludes the integration and data-foundation work — the 80% that determines whether the program reaches production. Compare total cost of ownership over three years, including the run-rate to keep evidence examiner-ready, and weigh it against the cost of inaction: analyst hours lost to false positives, slow closes, and examination findings. A partner who is transparent about all four cost buckets is signaling competence, not expense.

How PiTech screens against its own scorecard

PiTech is a practical implementation partner for regulated U.S. banks. On model risk and AI governance, that means building the operating model SR 26-2 expects and the controls the carve-out leaves to the bank — model inventory across traditional, ML, GenAI, agentic, and vendor models; risk-tiering; validation workflows; third-party oversight; explainability for credit AI; and board-ready evidence, anchored in ISO 42001 and the NIST AI Risk Management Framework. Senior practitioners deliver the work, sized to your bank rather than to a top-25 institution.

Frequently Asked Questions (FAQs)

What does an SR 26-2 model risk consultant do?

An SR 26-2 consultant helps a bank build the operating model the April 2026 supervisory letter expects: a defensible model and AI inventory, risk-tiering proportional to the bank’s profile, validation and monitoring workflows, and third-party model oversight. The strongest engagements also close the GenAI and agentic AI carve-out with controls traditional model risk management does not reach, and package examiner-ready evidence — not just author a policy document.

Screen for SR 26-2 fluency (the $30B threshold, proportionality, and the carve-out), implementation depth rather than frameworks alone, a concrete GenAI and agentic carve-out plan, data-layer competence, proportional governance sized to your assets, explainability for credit AI under CFPB Circular 2022-03, and the ability to produce examiner-ready evidence on demand. Ask for an engagement where the bank cleared an examiner finding as a result of the work.

Possibly, but proportionally. The $30B threshold marks where the most formal expectations concentrate, not an exemption. A bank with a credible existing inventory, validation cadence, and monitoring may handle re-baselining in-house. A bank with no defensible inventory, ad hoc validation, open examiner findings, or live GenAI/agentic systems usually benefits from help, sized to its risk profile, not to a top-25-bank standard.

SR 26-2 explicitly excludes generative and agentic AI from scope while separate guidance is developed, leaving banks to govern those systems with their own controls. For GenAI that means use-case approval gates, prompt-usage and sensitive-data controls, hallucination detection, mandatory human review of material outputs, output logging, and vendor-dependency review. For agentic AI it means defining permitted actions, mandatory human-approval points, activity logging, and exception escalation.

A focused readiness scope runs roughly 60 days: re-baselining the model and AI inventory, risk-tiering by impact, mapping controls to tiers with a documented proportionality judgment, closing the GenAI/agentic carve-out, and packaging examiner-ready evidence. Timeline depends on existing maturity and the number of vendor and AI models in use; banks with live GenAI or agentic systems should prioritize the carve-out controls first.