
SR 26-2: The New Model Risk Management Framework Every Bank Needs to Know

SR 11-7 is gone. On April 17, 2026, federal banking agencies replaced it with SR 26-2 — a principles-based model risk framework that eliminates annual revalidation cycles and introduces formal materiality tiering. Here is what changed and what banks must do now.

SR 26-2 is the April 2026 interagency guidance that replaces SR 11-7 as the primary federal standard for model risk management at U.S. banks. Issued jointly by the Federal Reserve, OCC, and FDIC, SR 26-2 shifts from a prescriptive, checklist-driven approach to a principles-based, materiality-first framework — eliminating mandatory annual revalidation cycles and requiring banks to apply risk-proportionate governance across all models, including AI and ML. Key changes: (1) validation frequency is driven by materiality and change velocity, not calendar schedules; (2) aggregate model risk thinking replaces model-by-model compliance; (3) AI and ML models receive explicit governance requirements; (4) the model definition threshold is widened.

On April 17, 2026, the Federal Reserve, OCC, and FDIC quietly retired the rulebook that has governed bank model risk management for 15 years. SR 11-7 is gone — replaced by SR 26-2 — and every technology and compliance leader at a U.S. bank needs to understand what changed before their next examination cycle.

SR 26-2 is not a cosmetic update. The interagency guidance replaces the prescriptive, checklist-driven framework that most MRM programs were built around with a principles-based, materiality-first approach. Annual revalidation cycles are out. Rigid organizational structures are out. In their place: judgment, risk-proportionate governance, and aggregate model risk thinking. For banks that built compliance programs around the SR 11-7 playbook, this shift requires a genuine reassessment — not a find-and-replace of document headers.

What SR 26-2 Changes — and What It Keeps

| Dimension | SR 11-7 (retired) | SR 26-2 (effective 2026) |
| --- | --- | --- |
| Revalidation schedule | Annual cycle implied across all model tiers | Risk-proportionate; tied to materiality and change velocity |
| Governance approach | Prescriptive, checklist-driven | Principles-based; judgment-led |
| Scope unit | Model-by-model compliance | Aggregate model risk across portfolio |
| AI / ML models | Not explicitly addressed | Explicit governance requirements; GenAI noted as evolving |
| Model definition | Narrower threshold | Widened; more systems qualify as models |
| Validation independence | Structural independence required | Independence preserved; flexible structures permitted |
| Third-party models | Vendor models covered; limited guidance | Strengthened expectations; banks own risk regardless of source |


The new guidance preserves the core pillars of sound model risk management: model development and implementation, independent validation, and governance. Regulators did not throw out the architecture — they changed how rigorously each pillar must be applied, and to which models.

What's gone: The de facto annual revalidation cycle that SR 11-7 implied across all model tiers is explicitly retired. Under SR 26-2, validation frequency is a function of materiality, change velocity, and data availability — with specific triggers for re-review rather than a calendar-based default. Banks that conducted perfunctory annual reviews on low-risk models to stay "compliant" can redirect that effort toward models that actually warrant it.

What's new: SR 26-2 introduces a formal materiality construct. Model materiality is defined as the combination of model exposure (the dollar significance of decisions the model drives) and model purpose (whether it serves a regulatory or internal decision-support function), modulated by inherent risk. High-materiality models — think regulatory capital, DFAST stress testing, BSA/AML transaction monitoring — receive intensive governance. Low-materiality models are maintained in inventory with lightweight controls, provided the bank has a mechanism to detect when materiality changes.

What's narrowed: The definition of "model" itself is tightened. SR 26-2 explicitly excludes simple arithmetic calculations, spreadsheets, and deterministic rule-based processes. The definition now requires the system to apply statistical, economic, or financial theory to qualify as a model. This is operationally significant: many institutions have been managing spreadsheet-based tools and basic rules engines under full SR 11-7 governance overhead. That overhead can now be formally reduced.

Model Inventory and Tiering: The Immediate Work

The first practical implication of SR 26-2 is a re-tiering exercise. The guidance expects a comprehensive model inventory that supports risk management at both the individual and aggregate level — and that inventory must now be organized around materiality rather than model type or business line.

Industry analysis suggests that banks running a full re-tiering exercise should expect 10 to 30 percent of legacy models to shift tier, mostly downward, with upward adjustments concentrated in regulatory reporting, BSA/AML, and AI/ML models used in credit decisioning. BSA/AML models — transaction monitoring, sanctions screening, and customer due diligence systems — are now explicitly inventoried and tiered alongside all other models under SR 26-2, absorbing the prior BSA/AML interagency statement that is also superseded.

For technology leaders, this creates a concrete near-term action: audit your model inventory against the new materiality framework. Models that previously warranted annual validation cycles may now qualify for lighter-touch ongoing monitoring. Models powering credit, capital, or regulatory outputs need to be stress-tested against the new aggregate risk requirements.

Aggregate Model Risk: The Requirement Most Banks Are Unprepared For

The most operationally demanding addition in SR 26-2 is the explicit mandate for aggregate risk assessment. Banks are now required to evaluate dependencies and common assumptions across multiple models simultaneously — not just validate each model in isolation.

This matters most in three scenarios: when multiple models share the same upstream data feed, when models in a chain feed outputs into subsequent models, and when correlated override logic creates compound failure modes. A credit scoring model and a fraud detection model that both depend on the same bureau data, for example, carry correlated risk that individual validation would miss entirely.

Building aggregate risk visibility typically requires governance tooling that links models in inventory, maps shared dependencies, and surfaces correlated assumptions. Most MRM programs built under SR 11-7 do not have this infrastructure. SR 26-2 makes it a supervisory expectation.

AI and Generative AI: What SR 26-2 Does and Does Not Cover

SR 26-2 applies to AI and machine learning models that meet the updated model definition — and for predictive AI, the inventory requirements are more demanding. The guidance expects banks to identify upstream data feeds, shared calibration logic, and correlated override points for AI models specifically, acknowledging that these systems create dependency structures that traditional statistical models do not.

Generative AI and agentic AI systems are explicitly placed outside the scope of SR 26-2, with regulators noting that additional guidance is forthcoming. This does not mean those systems are unregulated — the guidance instructs banks to apply existing model risk management principles consistent with the underlying risk. In practice, this means institutions deploying LLMs or agentic AI workflows in customer-facing or decision-support contexts should be building governance frameworks now, before formal guidance arrives. For context on how SR 11-7's principles apply to agentic systems, see Agentic AI in Banking: Applying the SR 11-7 Framework.

What Supervisory Scrutiny Actually Looks Like Under SR 26-2

SR 26-2 is non-binding on its face — it does not set enforceable standards, and non-compliance will not on its own result in supervisory criticism. But that framing understates the real stakes. Examiners and auditors treat the guidance as the standard for sound practice. When weak model risk management contributes to unsafe or unsound outcomes — a credit loss, a regulatory capital miscalculation, a BSA/AML failure — the absence of SR 26-2-aligned governance will be cited.

The shift from prescriptive to principles-based also changes the examination dynamic in a way compliance teams need to understand. Under SR 11-7, a bank could point to a completed annual validation checklist and demonstrate compliance. Under SR 26-2, examiners will ask how the bank determined what level of validation was appropriate — and whether that judgment was defensible given the model's materiality. The burden shifts from documentation to reasoning.

The guidance is expected to be most directly applied to banking organizations with more than $30 billion in assets regulated by the Federal Reserve, OCC, or FDIC. Mid-size and regional institutions should expect the principles to inform examinations proportionately, with supervisory expectations calibrated to their model risk profile.

Three Actions MRM Leaders Should Take Now

1. Conduct a materiality re-tiering of your model inventory. Map every model against the new materiality construct — exposure, purpose, and inherent risk. Expect 10 to 30 percent of your inventory to shift tier. Document the reasoning. This is the foundation SR 26-2 governance is built on, and it is what examiners will ask to see first.

2. Build aggregate risk visibility into your governance infrastructure. Identify models that share upstream data, feed into each other's outputs, or carry correlated assumption sets. If your current tooling treats every model as an island, SR 26-2's aggregate risk requirement is an immediate gap. The investment in dependency mapping pays dividends beyond compliance — it reduces operational risk in model changes and infrastructure migrations.

3. Audit your validation frequency and triggers against the new framework. Replace calendar-based review schedules with risk-based triggers tied to materiality, change velocity, and data drift. High-materiality models should have defined re-review triggers — significant performance degradation, input data changes, underlying assumptions invalidated by market events. Low-materiality models should have monitoring that detects when materiality changes. If you need a broader implementation timeline framework, the 90-day AI RMF roadmap for bank technology leaders offers a practical sequencing approach that maps directly to these priorities.




For the broader context on AI governance gaps created by SR 26-2, see our article "AI governance for banks: navigating the SR 26-2 regulatory gap"; for practical implementation steps, see the MRM framework compliance guide.

Frequently Asked Questions: SR 26-2

What is SR 26-2?

SR 26-2 is the April 2026 interagency guidance issued by the Federal Reserve, OCC, and FDIC that replaces SR 11-7. It adopts a principles-based, materiality-first framework and explicitly addresses AI and ML models.

What are the key differences between SR 11-7 and SR 26-2?

SR 26-2 eliminates implied annual revalidation cycles, replaces prescriptive checklists with principles-based governance, shifts to aggregate model risk thinking, widens the model definition, and adds explicit AI/ML requirements.

When did SR 26-2 take effect?

SR 26-2 was issued April 17, 2026, immediately replacing SR 11-7. Banks are expected to align through their normal examination cycle.

Does SR 26-2 cover AI and generative AI?

Yes — SR 26-2 includes explicit AI/ML governance requirements. Generative AI and agentic AI are noted as outside current scope, signalling forthcoming dedicated guidance.

What do banks need to do to comply with SR 26-2?

Reassess your model inventory against the widened definition, replace calendar-based revalidation with materiality-driven schedules, develop aggregate model risk views, and document AI/ML governance. See our MRM framework compliance guide for a full implementation roadmap.