Governing GenAI and Agentic AI Under SR 26-2: The 2026 Carve-Out Control Library

What the SR 26-2 carve-out actually says (and doesn't)

SR 26-2 refreshed model risk management for U.S. banking in April 2026, replacing SR 11-7 with proportionality framed by a $30B asset threshold. Most consequentially, it explicitly carves generative AI and agentic AI out of scope while separate guidance is developed. The carve-out is not a free pass: the same supervisory expectations of safe deployment, customer protection, and operational risk management still apply. What it means in practice is that banks deploying GenAI or agentic AI now must build controls the supervisory letter does not specify.

This is where AI governance programs separate. A program that documents the carve-out and waits for further guidance is exposed. A program that builds concrete controls (sized to the bank’s risk profile, integrated into the operating model, and packaged into examiner-ready evidence) survives examination and lets new use cases reach production.

Control library — GenAI

1. Use-case intake & approval gates

Every proposed GenAI use case enters a standing intake process before any production deployment. The intake captures purpose, customers affected, data accessed, vendor or in-house model used, regulatory exposure, decision autonomy (advisory vs. material vs. customer-impacting), and proposed human-review points. Intake approval gates the next step; no gate, no deployment.

2. Prompt usage & sensitive-data controls

Prompts that may carry sensitive customer data, MNPI, or regulated information get redaction, filtering, or routing rules. Prompt activity is logged; prompt content is retained per the bank’s records policy. Vendor GenAI services receive the same scrutiny as any data-processing third party.

3. Hallucination detection & confidence thresholds

For material outputs, hallucination detection uses techniques appropriate to the use case: grounded prompting, retrieval references, confidence scoring, or independent verification. Below the threshold, the output is escalated for human review or refused. The threshold is documented and validated.

4. Mandatory human review of material outputs

Material outputs (customer-impacting communications, credit decisions, suspicious-activity narratives, regulatory submissions) require human review before action. The reviewer’s identity, decision, and rationale are logged.

5. Output logging & retention

GenAI outputs and their associated prompts, contexts, model versions, and reviewer decisions are logged consistent with model-risk evidence expectations. The log is queryable for analysts, auditors, and examiners on demand.

6. Vendor-dependency review

GenAI hosted by third parties introduces dependencies (model versioning, prompt behaviors, output stability, data residency, retention) that the bank reviews periodically, not only at onboarding. Exit paths are documented; vendor model changes trigger re-review.

Control library — agentic AI

1. Permitted actions defined narrowly

Agents are authorized for a specific, enumerated set of actions and decisions (read-only queries, narrow updates, advisory outputs) and refuse or escalate anything else. The action set is reviewed periodically as agent capabilities evolve.

2. Mandatory human-approval points

Material or customer-impacting actions require human approval before execution. The approval points are defined per use case and tested before deployment.

3. Activity logging & replay

Every agent decision, action, and exception is logged with model version, input context, decision rationale (where the model produces one), and outcome. The log supports replay for analyst and examiner review.

4. Exception escalation paths

Exceptions (refused actions, low-confidence outputs, anomalous inputs) escalate to named human reviewers with defined SLAs. Repeated exception patterns trigger control review.

5. Periodic recertification

Permitted-action sets are recertified at defined intervals as agent capabilities and risk understanding evolve. Recertification is documented and signed.
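
The five agentic controls above can be enforced at a single choke point between the agent and the systems it acts on. The sketch below is an added illustration, not PiTech's code and not anything specified by SR 26-2; the action names, the 0.80 confidence threshold and the policy tiers are constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed permitted-action set: "auto" runs unattended, "approve" needs a human.
POLICY = {
    "lookup_balance": "auto",
    "draft_reply": "auto",
    "update_mailing_address": "approve",
}
MIN_CONFIDENCE = 0.80  # assumed escalation threshold, not from the article

def evaluate(policy, action, confidence, approver):
    """Pure decision function, so logged requests can be replayed later."""
    tier = policy.get(action)
    if tier is None:
        return "refused", "action not in permitted set"
    if confidence < MIN_CONFIDENCE:
        return "escalated", "confidence below threshold"
    if tier == "approve" and not approver:
        return "pending_approval", "human approval required"
    return "executed", "within permitted set"

@dataclass
class ActionGate:
    model_version: str
    policy: dict
    log: list = field(default_factory=list)

    def request(self, action, context, confidence, approver=None):
        outcome, reason = evaluate(self.policy, action, confidence, approver)
        self.log.append({  # refusals and escalations are logged too
            "ts": time.time(), "model_version": self.model_version,
            "action": action, "context": context, "confidence": confidence,
            "approver": approver, "outcome": outcome, "reason": reason,
        })
        return outcome

    def exceptions(self):
        """Entries that must reach a named human reviewer."""
        return [e for e in self.log if e["outcome"] != "executed"]

    def replay(self, new_policy):
        """Re-run the log against a recertified policy; return changed entries."""
        changed = []
        for e in self.log:
            new, _ = evaluate(new_policy, e["action"], e["confidence"], e["approver"])
            if new != e["outcome"]:
                changed.append((e["action"], e["outcome"], new))
        return changed
```

Replaying the log against a proposed permitted-action set before recertification shows which historical requests would now be decided differently.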

Partner-screening lens specific to GenAI / agentic controls

  1. Concrete control library. Does the partner have a documented, banking-specific GenAI and agentic control library, or only references to NIST/ISO frameworks?
  2. Operating-model integration. Do the controls integrate into the bank’s existing model-risk operating model, intake processes, and validation cadence?
  3. Examiner-ready evidence. Can the partner show evidence packaging from a peer-bank engagement where GenAI or agentic AI was in production?
  4. Senior staffing. Named senior practitioners in the working sessions, not juniors with an escalation path?
  5. Data-layer competence. Does the partner understand that GenAI and agentic controls only work on governed data?

Anti-patterns that stall GenAI governance programs

  • Policy without controls. Documenting that GenAI must be governed without specifying how. Examiners now ask for the controls themselves.
  • Vendor sign-off as governance. Treating a GenAI vendor’s security questionnaire as the bank’s control. The vendor’s controls protect the vendor; the bank’s controls protect customers and regulators.
  • Use-case intake without teeth. An intake form that does not gate deployment is a paperwork exercise.
  • Human review on paper only. Without logged reviewer identity, decision, and rationale, human review is not evidence.
  • No exit path. GenAI vendor models change; without an exit path the bank is exposed to vendor decisions outside its control.

How PiTech builds GenAI and agentic controls

PiTech builds GenAI and agentic AI controls into the bank’s existing model-risk operating model rather than as a separate program. The control library is documented per use case, integrated with intake and validation cadence, evidence-packaged as a by-product, and reviewed at defined intervals. The library is anchored in ISO/IEC 42001 and the NIST AI Risk Management Framework. Senior practitioners deliver under CMMI Level 3 and ISO 27001/9001/42001 discipline.

Frequently Asked Questions (FAQs)

What is the SR 26-2 GenAI and agentic AI carve-out?

SR 26-2 (April 17, 2026) explicitly carves generative AI and agentic AI out of scope while separate guidance is developed. The carve-out is not a free pass: the same supervisory expectations of safe deployment, customer protection, and operational risk management still apply. In practice, banks deploying GenAI or agentic AI must build controls the supervisory letter does not specify, sized to the bank’s risk profile and integrated into the operating model.

Six controls: use-case intake and approval gates before any production deployment, prompt usage and sensitive-data controls with monitoring and redaction, hallucination detection with confidence thresholds for material outputs, mandatory human review of material outputs with logged reviewer identity and rationale, output logging and retention consistent with model-risk evidence expectations, and vendor-dependency review for third-party GenAI services.

Five controls: permitted actions defined narrowly with an enumerated action set, mandatory human-approval points before material or customer-impacting actions, activity logging and replay of every agent decision and action, exception escalation paths with named reviewers and SLAs, and periodic recertification of permitted-action sets as agent capabilities evolve. Without these controls, agentic AI is operationally exposed even if individual decisions look safe.

No, not fully. Traditional MRM was designed for statistical and ML models with stable inputs, defined outputs, and validation methodologies. It does not reach prompt usage, sensitive-data exposure, hallucination, human review of material outputs, output logging, or vendor-model dependencies. The carve-out under SR 26-2 acknowledges this gap; the bank builds controls into the operating model rather than waiting for further guidance.

Screen for a concrete, documented, banking-specific GenAI and agentic control library, not only NIST and ISO references; operating-model integration into the bank’s existing model-risk processes; examiner-ready evidence packaging from a peer-bank engagement where GenAI or agentic AI was in production; named senior staffing; and data-layer competence (the controls only work on governed data). Most firms can quote the supervisory letter; far fewer can operationalize the carve-out.

A material output is one that, if wrong, could affect a customer, a regulatory submission, a credit or compliance decision, an operational action, or the bank’s reputation. Customer communications, suspicious-activity narratives, credit decisions, regulatory submissions, fraud determinations, and complaint responses are typically material. Informational summaries, internal drafting aids, and exploratory queries usually are not, but the boundary is risk-tiered and reviewed periodically.

No. A GenAI vendor’s security questionnaire or SOC 2 report describes the vendor’s controls, not the bank’s. The bank still owns the use case, the prompt design, the human-review process, the output logging, and the customer impact. Vendor sign-off is a necessary input to vendor-dependency review, not a substitute for the bank’s own control library.

The intake captures purpose, customers affected, data accessed, vendor or in-house model used, regulatory exposure, decision autonomy (advisory vs. material vs. customer-impacting), and proposed human-review points. Intake approval gates the next step; no gate, no deployment. The intake is owned by a named function (typically MRM or compliance) and decisions are logged for examiner review.

Periodic review on a documented cadence (typically quarterly for high-risk use cases, semi-annually for medium-risk, annually for low-risk) and on-event for material vendor model changes, customer complaints related to the use case, or detected control failures. The review covers control effectiveness, exception patterns, vendor stability, and emerging supervisory guidance.

For a focused scope (one to three production GenAI use cases), the control library and operating-model integration can be built and packaged for examiner evidence in roughly 60–90 days. Broader scopes scale linearly with use-case count. Banks with live GenAI or agentic systems should prioritize this work; banks planning future deployment can build the control library first and apply it to new use cases as they enter intake.