
The OCC Just Signaled That AI Model Risk Guidance Is Coming. Here's What Banks Need to Know.

The OCC's Spring 2026 Semiannual Risk Perspective announced a forthcoming RFI on AI use at banks, including generative and agentic models. Here's what it means and how to prepare.


Buried in the OCC's Spring 2026 Semiannual Risk Perspective is a sentence most AI governance teams have not yet acted on: the OCC, Federal Reserve, and FDIC are planning to issue a formal request for information on banks' use of AI — including generative and agentic models. That RFI will shape the next round of supervisory expectations.

This is not a routine disclosure. Read alongside the April 2026 model risk guidance update — which explicitly excluded generative and agentic AI from the revised SR 11-7 framework — it is a deliberate regulatory sequence: update the traditional model risk rules, flag that AI sits outside their scope, then formally initiate AI-specific guidance through the RFI process. Institutions that have built agentic AI governance frameworks will have the most credible responses to submit and the most defensible examination posture when attention arrives.


What the Spring 2026 Report Actually Says

The Spring 2026 Semiannual Risk Perspective frames AI as simultaneously a threat vector and a defensive capability — a distinction with direct implications for how banks are evaluated.

On the threat side, the OCC finds that AI has "reshaped the cybersecurity environment by making it easier for bad actors to launch attacks and enabling faster, more complex intrusions." AI-enabled fraud is a specific concern: lower barriers to entry for threat actors, higher attack sophistication, and compounding pressure on BSA/AML compliance systems from ongoing geopolitical tensions. On the defensive side, the report is unambiguous — banks deploying AI for vulnerability monitoring and threat detection will be better positioned than those that are not. The OCC is not cautioning against AI. It is drawing a line between institutions that use it defensively and those that do not.

The governance warning is equally direct. The report identifies "lack of explainability, data privacy and data poisoning issues, cybersecurity threats, and validation challenges" as significant risks of advanced AI, and states that "appropriate governance and risk management are essential for risk mitigation." Essential, not recommended. That word choice signals that AI governance will be an examination issue — not a future one.


Why the RFI Is a Timeline Signal

Requests for information are how U.S. regulators build the evidentiary record before issuing binding guidance. Comment periods typically run 60–90 days; guidance development follows. Two implications matter for technology and risk leaders.

Institutions that want to shape the guidance need to engage in the comment process — which requires documented practices and governance experience before the RFI opens, not after. Banks that have built agentic AI governance frameworks will have substantive input to offer. Banks that have not will be commenting on a framework they had no part in shaping.

The RFI also closes the window on governance gaps. The April 2026 model risk update created a documented gap between what SR 11-7 covers and what banks are actually deploying — a gap we covered in detail in our piece on why SR 11-7 isn't enough for agentic AI. Once AI-specific guidance is finalized, institutions without documented agentic AI governance will face remediation against a published standard, on the examiner's timeline. The institutions in the strongest position are those building governance now.


Connecting the OCC Findings to Existing Programs

The Spring 2026 report's AI findings map directly onto three governance programs most banks already have underway.

AI governance and model risk. The OCC's "appropriate governance" language reinforces the urgency of the FS AI RMF 90-day action plan outlined by Treasury in February 2026. The RFI comment period is an opportunity to demonstrate governance maturity — but only if that maturity exists before it opens.

Cybersecurity and zero trust. The finding that AI lowers barriers for cyber threat actors reinforces the case for identity-centric security controls. The OCC's recommendations for MFA and timely patch management align with Phase 1 of the zero trust roadmap we outlined in our piece on zero trust architecture for banks in 2026. These are not separate programs — they are the same operational security posture viewed from different angles.

NYDFS-regulated institutions. The OCC's framing of AI as a cybersecurity risk reinforces the October 2024 NYDFS Industry Letter's application of Part 500 to AI systems. State-level enforcement is already active; the federal posture is converging.


The Preparation Window Is Open Now

The interval between this announcement and the RFI's publication is the highest-value preparation period available. Three actions taken now produce outsized returns later.

Complete your agentic AI system inventory. The RFI will ask what generative and agentic systems are in production, what governance controls are in place, and how you are managing the risks the OCC identified. You cannot answer credibly without a documented inventory.

Document your governance approach — even a preliminary framework gives you a defensible starting point for the comment process and a foundation for examination readiness.

And assign an AI Risk Owner. The OCC's "essential" framing means "we're still developing our approach" is no longer an adequate answer. Someone needs to own AI risk with the same accountability structure that applies to credit or operational risk. If that role does not exist, this announcement is the forcing function to create it.


Key Takeaways


The Risk Dispatch covers the regulatory and technology developments that matter most to financial services technology leaders. For the foundational context behind this development, see our coverage of the FS AI RMF 90-day action plan, why SR 11-7 isn't enough for agentic AI, NYDFS Part 500 and AI compliance, and zero trust architecture for banks in 2026.