DEFENSESTORM BLOG

There’s No Guidance for AI in Banking… Yet.

Monday, June 22nd, 2026



There is no regulatory guidance for generative AI in banking right now. If you assumed your model risk management guidance covered the AI tools your institution already runs, the federal banking agencies just told you otherwise, in writing. That leaves a lot of risk officers staring at the same question: if the document we thought governed this does not, what should our governance program look like? 

SR 26-2, issued April 17, 2026 by the Federal Reserve, OCC, and FDIC, is the first rewrite of model risk management guidance in fifteen years, replacing the SR 11-7 guidance banks have used since 2011. It is a real improvement: risk-based, tailored to size and complexity, clearer through the model lifecycle. And it puts generative AI and agentic AI explicitly out of scope, calling them “novel and rapidly evolving.” The guidance you would have reached for to govern your AI officially does not apply to it. 

Out of Scope Is Not Out of Bounds 

Here is the part that matters more than the gap itself. AI being excluded from the guidance does not mean AI is ungoverned. In the same breath that the agencies omitted generative and agentic AI from the guidance, they said existing risk management and governance practices should determine the appropriate governance and controls for any tool not covered. Out of scope is not out of bounds. It is a redirect, back to the program you already run. 

That redirect applies no matter your charter or your size. A community bank examined by the FDIC and a credit union under the NCUA are not governed by the same documents, but they land in the same place: govern the tool under the risk program you already have. The same board-prescribed risk appetite, vendor oversight standards, documentation, and accountability structures that govern your model inventory govern your AI tools right now. 

You are not doing this without help. Voluntary frameworks built for exactly this already exist, including the NIST AI Risk Management Framework and the Cyber Risk Institute's Financial Services AI Risk Management Framework, both designed to guide AI risk management and governance.

A formal request for information is coming. The agencies confirmed they plan to issue one “in the near future” addressing risk management and, in particular, banks’ use of AI, including generative AI, agentic AI, and AI-based models. As of mid-June 2026, it has not been issued, and when it does, it opens a comment period before anything binds you. Safety and soundness does not pause for that gap. The obligation to identify and manage the risk is the one you have always carried, pointed at a new category of tool. Written guidance or not, the second line owns the governance of AI today. 

Regulators Have Already Told You Where AI Belongs 

The absence of formal AI guidance does not mean regulators have stayed quiet on AI. In cybersecurity, they have been specific and affirmative. 

The OCC’s Spring 2026 Semiannual Risk Perspective, released May 7, states that “artificial intelligence is significantly transforming the cyber threat landscape, while also providing new capabilities to manage cyber-related risks.” The report is direct about the asymmetry. Threat actors are already using AI to lower the barrier to entry for attacks, increase their speed and scale, automate reconnaissance, and build malware that evades traditional defenses. Then the OCC turns to the defensive case: “A sound understanding of the potential benefits and possible risks associated with increasingly advanced AI tools coming onto the market that can assist with cybersecurity functions can be important for cyber risk management.” 

That is supervisory language telling you AI-powered threat detection and monitoring sits inside sound cyber risk management. It also reframes the wait-and-see posture. When the offense is already using AI at scale and your regulator has named AI-assisted defense as part of managing the risk, choosing to wait is itself a risk management decision. It is not the conservative one. 

What to Do Before the RFI Lands 

You do not need a new program. You need to point the one you have at AI. For most community banks and credit unions, that looks like: 

  • Inventory the AI tools in use. Include the ones riding inside third-party products you have already bought, and the fourth-party models sitting behind those vendors. Build it the way you build a model inventory. You cannot govern what you have not named. 
  • Document each tool’s purpose, scope, and known limitations. This is the record an examiner will ask to see, and the one that forces an honest look at where the tool can fail. 
  • Assign accountability. Name who owns each AI application, how its performance is monitored, and what guardrails are in place. Ownership is the difference between governance and a tool sprawl nobody can explain. 
  • Require human-in-the-loop review for any AI output that drives a material decision. The person who acts on the output owns the output. AI informs the decision, it does not make it, and the name attached to the call is still a human’s. 
  • Ensure explainability. Whoever relies on an AI output has to be able to explain how the tool reached it, because the second line is going to challenge it. You cannot defend, or credibly challenge, a black box. 
  • Hold AI vendors to your existing third-party standards. And press on the AI embedded in tools you do not think of as “AI vendors,” which is where the real blind spots live. 
  • Get ahead of shadow AI. Your people are already using it, with or without approval. The question is whether they are doing it through sanctioned tools with guardrails, or pasting customer and member data into a consumer chatbot on their lunch break. 

None of that requires waiting for the RFI. All of it is your existing risk program, applied to a new tool. That is how safety and soundness has always worked. 

Where DefenseStorm Fits 

DefenseStorm uses AI across threat detection and monitoring, paired with human expertise, to help banks and credit unions identify and respond to threats faster. Our AI is Built for Banking, and we govern it the same way we are telling you to govern yours: inventoried, documented, accountable, with a human owning every decision that matters. That is the measured posture the OCC described: AI doing the scale and speed work, people owning the judgment and the accountability. If you want to talk through how AI-powered monitoring fits your institution's risk management posture, and how to be ready to speak to it when the examiner asks, we are glad to have that conversation.

The AI RFI will set the table. The question before it arrives is the one worth sitting with: if an examiner asked today how your institution governs the AI it already uses, what would you be able to show them? 

Frequently Asked Questions 

Is there regulatory guidance governing generative AI in banking right now? 

No dedicated guidance. The agencies have announced plans for a request for information on AI and model risk management but have not issued it as of mid-June 2026. In the interim, regulators have directed institutions to govern AI under their existing risk management and governance practices. 

If generative and agentic AI are excluded from SR 26-2, do we still have to govern them? 

Yes. The guidance is explicit that existing risk management and governance practices should determine the appropriate controls for tools not covered, including generative and agentic AI. Exclusion from scope is not exemption from responsibility. 

Does SR 26-2 apply to community banks and credit unions? 

It is expected to be most relevant to banking organizations with more than $30 billion in total assets, though the OCC states that it applies to all OCC-supervised community banks, subject to the limitations set out in the guidance. Credit unions are supervised by the NCUA, so SR 26-2 does not bind them; the NCUA directs credit unions to the NIST AI Risk Management Framework and emphasizes the same governance expectations.

What is the AI RFI, and has it been issued? 

The agencies announced plans to issue a request for information addressing risk management and, in particular, banks’ use of AI, including generative AI, agentic AI, and AI-based models. As of mid-June 2026, it has not been issued. When it is, it will open a comment period that shapes future formal guidance. 

What did the OCC say about using AI in cybersecurity? 

The OCC’s Spring 2026 Semiannual Risk Perspective describes AI as both a growing offensive threat and a defensive capability, and states that understanding the benefits and risks of AI tools that assist with cybersecurity functions can be important for cyber risk management. Appropriate governance and accountability still apply to any AI deployment. 

How should we govern AI before formal guidance arrives? 

Apply your existing risk management principles: inventory your AI tools, document purpose and limitations, assign accountability for oversight, require human review for material decisions, demand explainability, and hold AI vendors to your existing third-party standards. 

Sources 

SR 26-2, Revised Guidance on Model Risk Management, Federal Reserve / OCC / FDIC (April 17, 2026). federalreserve.gov/supervisionreg/srletters/SR2602.htm 

OCC Bulletin 2026-13, Model Risk Management: Revised Guidance (April 17, 2026). occ.gov/news-issuances/bulletins/2026/bulletin-2026-13.html 

OCC Semiannual Risk Perspective, Spring 2026, News Release 2026-35 (May 7, 2026). 

NCUA, Artificial Intelligence (AI) resource hub and 2026 Supervisory Priorities. ncua.gov 

Cyber Risk Institute, Financial Services AI Risk Management Framework (FS AI RMF). cyberriskinstitute.org