May 2026 | Intelligence for financial services technology leaders
This week: the OCC signals AI model risk guidance is coming, the SR 11-7 governance gap grows, and we have the implementation roadmaps you need.
This Week's Intelligence
There is a regulatory sequence underway that every bank technology leader needs to have mapped. Here is the short version.
In April 2026, the OCC, Federal Reserve, and FDIC updated the model risk management framework — and explicitly excluded generative and agentic AI from its scope. Then, on May 7, the OCC's Spring 2026 Semiannual Risk Perspective announced that the agencies plan to issue a formal request for information on banks' use of AI, including those generative and agentic systems. The guidance that fills the gap is coming. The window to influence it — and build ahead of it — is open right now.
That is what this week's coverage is built around.
Featured This Week
The OCC Just Signaled That AI Model Risk Guidance Is Coming. Here's What Banks Need to Know.
The Spring 2026 OCC Semiannual Risk Perspective contains two findings that deserve your immediate attention: AI is actively reshaping the cyber threat landscape, and the agencies are formally initiating the guidance process for AI model risk. The RFI that will precede that guidance is coming. Here is how to prepare.
Read time: 8 minutes — Read the full piece →
Agentic AI in Banking: Why Your SR 11-7 Framework Isn't Enough Anymore
The April 2026 guidance update created a documented governance gap at every bank deploying AI. SR 11-7's core assumptions — defined inputs and outputs, model ownership clarity, validation reproducibility — do not hold for agentic systems. Here is what a parallel governance track should look like.
Read time: 8 minutes — Read the full piece →
NYDFS 23 NYCRR 500 and AI: The Compliance Gap Most Banks Are Ignoring
The NYDFS October 2024 industry letter applied Part 500 cybersecurity requirements to AI systems. It has been in effect for over a year. Most NY-regulated institutions have not formally assessed their AI deployments against Part 500 obligations. The annual CEO/CISO certification creates direct personal accountability for that gap.
Read time: 7 minutes — Read the full piece →
Also in This Issue
Zero Trust Architecture for Banks: The 2026 Implementation Roadmap
The FFIEC CAT is retired. NIST CSF 2.0 is the new examiner standard. Here is the five-pillar implementation sequence — and why most banks should start with identity, not network segmentation. Read →
AI Productivity Tools for Bank Operations: Real ROI Numbers from Early Adopters
JPMorgan ($1.5B annual value), Goldman Sachs (12,000 developers on GitHub Copilot), Citizens Bank (20% productivity gains). Here is where the documented returns are concentrated — and why 77% of institutions are still stuck in pilot mode. Read →
The FS AI RMF Is Here: What Bank Technology Leaders Need to Do in the Next 90 Days
Treasury's 230-control-objective AI governance framework is what examiners will increasingly use as a baseline standard. If you have not yet mapped your AI program against it, here is the sprint. Read →
The Week in One Paragraph
The OCC confirmed on May 7 what regulatory watchers have anticipated: formal AI model risk guidance for banks is coming, and it will cover generative and agentic systems. The Spring 2026 Semiannual Risk Perspective makes the stakes clear — AI is both transforming the attack surface against banks and enabling new defensive capabilities for those who deploy it strategically. The institutions that will have the most defensible posture when formal guidance arrives are those building AI governance, zero trust security, and documentation infrastructure now. The gap between early movers and the rest of the market is widening every quarter.
What We Are Watching
- OCC/Fed/FDIC AI RFI — The formal publication of the request for information on AI use at banks. Comment period will be 60–90 days.
- FFIEC AI examination guidance — The FFIEC has signaled examination-specific AI guidance is in development. Watch for draft publication.
- NYDFS enforcement actions — The department's active enforcement posture on Part 500 makes AI-related violations increasingly likely as examination teams catch up to deployment reality.
The Risk Dispatch is published weekly for technology leaders at U.S. banks, credit unions, and fintech companies. Forward this to a colleague who should be reading it.
— The Risk Dispatch Team