U.S. bank regulators just updated the model-risk rulebook.
The AI story is what they left outside it.
On April 17, 2026, the OCC, Federal Reserve and FDIC issued revised interagency guidance on model risk management. The guidance clarifies a risk-based approach, rescinds older model-risk issuances, and says practices should fit a bank’s size, complexity and model use. The OCC release says the update is expected to be most relevant to banking organizations with more than $30 billion in assets, though smaller firms can still be in scope if their model exposure is significant (OCC, OCC Bulletin 2026-13).
Then comes the carve-out.
The bulletin says generative AI and agentic AI models are novel, rapidly evolving, and not within the scope of this guidance. The same release says the three agencies plan a future request for information on model risk management and banks’ use of AI, including generative AI, agentic AI and AI-based models.
That is the actual signal.
The regulators did not say GenAI risk is irrelevant. They said the current model-risk rewrite is not where they are going to settle it.
The Problem
Banks like clean supervisory categories. AI refuses to stay in them.
Traditional model-risk management was built around a familiar problem: a bank uses a quantitative model for credit, capital, pricing, fraud, stress testing, AML, market risk or another controlled function. The model has inputs. It has methodology. It has assumptions. It has validation. It has monitoring. It has governance.
That framework can handle a lot. It can even handle many AI-based models.
But generative and agentic systems are less obedient. A bank chatbot can produce free-form output. A coding assistant can change software. An analyst copilot can summarize confidential material. An agent can call tools, retrieve records, draft customer communications, escalate cases, or trigger workflows. The risk is not only whether a model’s statistical output is valid. It is whether the system’s behavior, authority and context handling remain controlled.
That is why the carve-out matters.
The revised guidance modernizes the traditional model-risk frame while explicitly refusing to pretend that GenAI and agentic systems are solved by it. That is intellectually honest. It also creates a governance gap between what banks are building and what exam guidance has fully specified.
Banks cannot treat that gap as permission.
The Analysis
The first important change is the reset of legacy guidance.
OCC Bulletin 2026-13 rescinds several prior OCC model-risk materials, including OCC Bulletin 2011-12, the OCC’s 2021 BSA/AML interagency statement on model risk for bank systems supporting BSA/AML and OFAC compliance, the 1997 credit-scoring model guidance, and the model-risk booklet of the Comptroller’s Handbook. The FDIC also says the agencies issued revised guidance and rescinded existing model-risk guidance tied to earlier FDIC financial-institution letters (FDIC).
This is not a footnote exercise. The 2011 model-risk architecture shaped how banks documented, validated and governed models for more than a decade. Replacing it with a risk-based approach is a supervisory simplification move, but not a soft landing for weak controls.
The new guidance still talks in the grammar banks know: model development and use, validation and monitoring, governance and controls, and vendor or third-party products. It says appropriate practices vary by risk profile and use case. It also says the guidance is not a prescriptive enforceable standard and non-compliance with it will not itself result in supervisory criticism.
That last sentence will tempt bad readings.
The wrong reading is: model risk got easier.
The better reading is: examiners want risk-based evidence, not ritual compliance. A bank with a low-impact spreadsheet and a bank using complex vendor models in a critical business line should not carry the same process weight. That is sensible.
The second important change is the AI sequence.
By excluding generative and agentic AI from this guidance, the agencies avoided forcing fast-moving systems into a document written mainly for model-risk foundations. But they also made the near-term control question harder for banks. If the guidance does not formally cover GenAI and agentic AI, what should a bank do while the RFI is pending?
The answer is not “wait.”
Banks still have safety-and-soundness obligations, consumer-protection obligations, operational-risk expectations, third-party-risk duties, privacy rules, cybersecurity expectations, fair-lending risk, AML duties and board governance responsibilities. GenAI does not float above those regimes because one model-risk document carved it out.
The practical answer is to build an evidence bridge.
For GenAI, that means documenting use cases, data sources, access controls, output review, human escalation, testing results, monitoring, incident handling and vendor dependencies. For agentic AI, the evidence burden is heavier: tool permissions, action boundaries, approval gates, audit logs, identity mapping and containment controls.
Those are not nice-to-have artifacts. They are what a bank will need when the RFI turns into supervisory expectations.
The third important change is vendor accountability.
The revised guidance discusses vendor and third-party products, including validation considerations. That matters because a large share of bank AI adoption will come through software vendors, cloud services, fraud platforms, compliance tools, customer-service systems and developer environments rather than internally trained models.
The AI gap is therefore not only a bank-lab problem. It is a procurement problem.
A vendor saying “our model is validated” is not enough for agentic workflows. Validated for what? In what environment? With what tool authority? Against what data restrictions? With what audit trail? How are hallucinated outputs handled? How are prompt-injection attempts logged? Can the bank disable autonomous actions without breaking the product?
Traditional model validation can answer only part of that.
The Implications
The useful bank response is to separate three categories now.
First, traditional quantitative models should map directly to the revised model-risk guidance. That is the easy bucket.
Second, AI-based predictive models that behave like traditional models should use the model-risk framework with AI-specific supplements around data lineage, bias, explainability, drift, monitoring and vendor evidence.
Third, generative and agentic systems need a parallel control package until the RFI lands. The package should borrow from model risk, but also include operational resilience, cybersecurity, identity, data governance, third-party risk and business-process controls.
That is the gap regulators created.
It is not a loophole. It is a waiting room with cameras.
For banks, the risk is under-documenting the interim period. When supervisors later ask how GenAI and agentic systems were controlled before dedicated guidance arrived, “we were waiting for the RFI” will not be a strong answer.
For vendors, the commercial bar rises. Bank buyers will need evidence packets, not AI roadmaps. The winning vendor will show scoped authority, logs, review workflows, policy enforcement and incident handling before the model-risk committee asks.
For regulators, the next move matters. The RFI has to decide whether GenAI and agentic AI become an extension of model risk, a separate operational-risk regime, or a hybrid framework that follows the system’s function rather than its technology label.
That last path is probably the only one that works.
In banking, an AI system is not risky because it is fashionable. It is risky because it can affect credit, money movement, fraud detection, customer communications, compliance decisions, software changes or market operations.
The guidance update cleaned up the old model-risk house.
Now regulators have to build the AI wing before the tenants finish moving in.
Discussion
Sign in to join the discussion.
No comments yet. Be the first to share your thoughts.