SR 26-2 and AI governance
Last reviewed: June 18, 2026 by Grant Holloway.
SR 26-2 Model Risk Management: What Replaces SR 11-7 in 2026
SR 26-2 / OCC Bulletin 2026-13 gives banks a current model risk management anchor for AI-enabled, machine learning, and vendor-provided models. It does not erase SR 11-7 work; it updates the evidence banks should be able to produce for modern model use. This guide translates the shift into practical governance evidence: inventory, ownership, validation, monitoring, change control, third-party oversight, and board reporting.
Free resource
Get the free SR 26-2 AI governance checklist
Send yourself a practical checklist for SR 26-2 documentation, AI model inventory, validation evidence, vendor models, monitoring, and board reporting.
We'll email the requested resource and may send governance updates. Unsubscribe any time. See our privacy policy and terms.
What replaced SR 11-7 for AI model risk management?
SR 26-2 / OCC Bulletin 2026-13 is the current model risk language banks should use for AI governance and modern model oversight. SR 11-7 still provides the durable baseline for inventory, validation, monitoring, controls, documentation, and effective challenge, but SR 26-2 updates how those concepts apply to AI-enabled tools, embedded vendor models, rapid model iteration, third-party dependencies, and board-visible governance evidence.
- SR 11-7 continuity: inventory, validation, monitoring, controls, documentation, and effective challenge remain central.
- SR 26-2 emphasis: AI-enabled and vendor-provided models need clearer ownership, use-case classification, lifecycle evidence, third-party oversight, and management reporting.
- Practical takeaway: do not discard legacy SR 11-7 workpapers. Map them to current SR 26-2 AI and vendor model governance expectations.
- Board implication: directors and risk committees should see which material AI models exist, how they are governed, and which gaps remain open.
What SR 26-2 evidence should banks maintain in 2026?
For AI governance work, the practical question is whether the institution can produce evidence that each material AI or model-related use case is owned, inventoried, approved, validated or reviewed, monitored, controlled, and reported. The AegisAI assessment focuses on that evidence trail. It does not provide legal advice or determine compliance.
- AI model and vendor model inventory with business purpose, owner, risk tier, customer-impact flag, and approval status.
- Model development or vendor documentation covering intended use, assumptions, limitations, data inputs, and performance expectations.
- Independent validation, challenge, or review evidence scaled to materiality and model risk.
- Ongoing monitoring evidence for performance, drift, fairness, explainability, exceptions, incidents, and remediation.
- Change-control records showing model updates, vendor changes, retraining events, and approval decisions.
- Board and management reporting that summarizes material AI exposure, open model risk issues, and remediation status.
- SR 11-7 continuity mapping for legacy policies, validation templates, audit workpapers, and committee materials.
How to update legacy SR 11-7 materials for SR 26-2
Many banks, credit unions, and fintech partners still have SR 11-7 language in model risk policies, validation procedures, audit programs, and board materials. Continuity mapping helps teams update current model risk language without losing institutional context. Start by adding AI-specific fields to the model inventory, identifying vendor-managed models, documenting material change triggers, and showing how AI risk is reported to management and the board.
- Add AI system ID, vendor ID, model owner, business owner, risk tier, customer-impact flag, and approval status.
- Document whether the model is internally developed, vendor supplied, embedded in a third-party platform, or employee-operated through an approved tool.
- Tie monitoring evidence to business impact: performance, drift, fairness, explainability, exceptions, incidents, and remediation.
- Update committee and board reporting templates so AI model risk appears as a standing governance topic, not an ad hoc technology update.
- Label older SR 11-7 references as continuity mapping where current materials should use SR 26-2 / OCC Bulletin 2026-13 language.
Vendor AI and third-party model risk under SR 26-2
Vendor AI is one of the fastest places for model risk to become invisible. A third-party product may include scoring, classification, fraud detection, document processing, customer communication, or decision-support logic that the institution did not build. SR 26-2 work should connect vendor management and model risk instead of treating them as separate files.
- Require vendors to describe where AI, machine learning, automated decisioning, or model-driven logic appears in the product.
- Collect evidence on data use, model purpose, performance monitoring, explainability, incident handling, change notification, and audit rights.
- Identify which vendor AI tools affect customers, members, credit decisions, fraud decisions, compliance outcomes, or critical operations.
- Escalate high-impact vendor models to model risk, compliance, legal, information security, privacy, and affected business owners.
- Track contract gaps such as missing AI change notices, limited validation evidence, weak audit rights, or unclear data-use restrictions.
A practical SR 26-2 remediation sequence
A small institution does not need to solve every model risk issue at once. The highest-value first move is to make AI exposure visible, assign ownership, and separate critical customer-impacting models from lower-risk productivity or analytics uses. From there, teams can turn missing evidence into a sequenced remediation plan.
- Week 1: inventory known internal AI, vendor AI, embedded AI features, and employee-use tools.
- Week 2: assign owners, risk tiers, customer-impact flags, and approval status for each use case.
- Week 3: collect core evidence for high-risk and customer-impacting models first.
- Week 4: map gaps to owners, due dates, board reporting needs, and vendor follow-up requests.
- Month 2: update model risk policy, AI usage policy, vendor questionnaires, and reporting templates for SR 26-2 language.
Need an Excel workbook to organize SR 26-2 evidence?
Download the free AI risk assessment Excel template structure to organize AI use cases, ownership, 0-5 risk scoring, evidence gaps, and remediation tracking before audit, exam, or board review.
- Use the template structure to connect AI inventory fields to SR 26-2 evidence needs.
- Turn missing model, vendor, data, and monitoring evidence into accountable remediation work.
Where the AegisAI templates fit
The AegisAI templates are designed to turn the SR 26-2 evidence list into working artifacts: policy language, vendor diligence, control mapping, evidence tracking, incident response, and board reporting. Teams can use the free readiness assessment to identify gaps, then use the Starter Kit or Board-Ready Report to document remediation.
- Use the AI Governance Starter Kit to create policy, inventory, vendor, evidence, incident, and board-reporting artifacts.
- Use the Board-Ready AI Governance Report to summarize assessment gaps for executive or committee review.
- Use the methodology page to explain how readiness scoring maps to governance domains.
- Use the AI vendor risk assessment template to turn third-party AI questions into reviewable evidence.
- Use the model risk checklist to convert SR 26-2 expectations into concrete inventory, validation, monitoring, and reporting questions.
Find My Top Governance Gaps
Take the free assessment to turn this topic into a readiness score, domain-level results, and prioritized gap summary.
Get My Free AI Governance ScoreRelated SR 26-2 resources
FAQ
What is SR 26-2?
SR 26-2 is current model risk management guidance used by federal banking supervisors to frame expectations for model governance, validation, monitoring, documentation, and oversight. For AI governance work, it helps institutions translate model risk expectations into evidence for AI-enabled and vendor-provided models.
Does SR 26-2 apply to AI models?
Yes, when an AI system or vendor tool functions as a model or materially supports decisions, controls, reporting, fraud detection, compliance monitoring, or other risk-relevant processes. The practical focus is whether the institution can inventory, approve, validate or review, monitor, document, and report the model.
What documentation does SR 26-2 require?
Useful documentation includes a model or AI inventory, ownership records, intended use and limitations, risk tiering, validation or review evidence, monitoring metrics, change-control history, vendor documentation, open issues, remediation status, and management or board reporting.
When does SR 26-2 take effect for community banks?
Applicability depends on the institution and supervisory context. Community banks should treat SR 26-2 as a current reference point for model risk language, while confirming specific obligations with qualified legal, compliance, audit, and supervisory advisors.
Does SR 26-2 replace SR 11-7 for AI model risk management?
No. SR 11-7 remains an important model risk management baseline. SR 26-2 / OCC Bulletin 2026-13 should be treated as current model risk governance language that extends legacy practices to AI-enabled, vendor-managed, and rapidly changing model environments.
What is the first SR 26-2 action for a small bank or credit union?
Start with inventory and ownership. Identify AI-enabled internal models, vendor models, employee-use AI tools, business owners, approval status, customer impact, risk tier, and the evidence available for validation, monitoring, and board reporting.
How should vendor AI models be handled?
Vendor AI should be inventoried and reviewed through third-party risk and model risk processes. Teams should document AI use, data handling, model change notifications, monitoring evidence, contractual protections, incident handling, and whether customer-impacting outputs require human review.
What should management report to the board under SR 26-2?
Board and committee reporting should summarize material AI and model exposure, high-risk use cases, validation or review status, vendor model dependencies, open findings, incidents, remediation owners, and key decisions requiring oversight.
Can templates prove SR 26-2 compliance?
No. Templates can help organize governance evidence and remediation work, but they do not establish legal, regulatory, audit, or supervisory compliance. Institutions should adapt them to their facts and review them with qualified advisors where needed.
Important limitation
SR 26-2 Model Risk Management: What Replaces SR 11-7 in 2026 is an informational planning resource for regulated financial institutions. It does not determine legal compliance, regulatory sufficiency, audit conclusions, supervisory outcomes, model validation status, privacy compliance, security adequacy, or control effectiveness. Institutions should adapt the guidance to their use cases, vendors, data, governance structure, and risk profile with qualified legal, compliance, audit, security, privacy, and model risk advisors.
Last reviewed: June 18, 2026 by Grant Holloway. Review scope: regulatory currency, practical applicability for financial institutions, and alignment with the AegisAI governance methodology.