# Revised Guidance on Model Risk Management (2026) | Comma Compliance

SR 11-7 has been superseded. The OCC, Federal Reserve, and FDIC issued revised model risk guidance in April 2026. What changed, how the guidance applies, and what its AI scope means for banks.

Source: https://commacompliance.com/regulations/model-risk-management-2026
Last updated: 2026-07-15

---
On April 17, 2026, the OCC, Federal Reserve, and FDIC jointly issued new guidance on model risk management. The guidance replaces, rather than revises, the long-standing [SR 11-7](/key-compliance-terms#gloss-S) framework. It rescinds four prior documents: OCC Bulletin 2011-12, FDIC FIL-22-2017, the 2021 interagency BSA/AML model risk statement, and related guidance dating back to 1997. Instead of prescribing detailed expectations, it introduces a principles-based framework built around six high-level concepts that scale according to a model's materiality and risk.

The guidance explicitly excludes generative AI and agentic AI from its scope. Instead, the agencies announced a separate request for information (RFI) focused on AI model risk. Until that process produces new guidance, there is no dedicated model risk framework for AI. Banks using AI in regulated workflows still must follow existing communications and recordkeeping rules. Those obligations are already in effect and do not depend on the outcome of the RFI.

## At a Glance

| Revised Guidance on Model Risk Management | Information                                                                                                                                         |
| ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| Full name                                 | Revised Guidance on Model Risk Management (2026)                                                                                                    |
| Issued by                                 | OCC, Federal Reserve, and FDIC (joint)                                                                                                              |
| Issued                                    | April 17, 2026                                                                                                                                      |
| Replaces                                  | SR 11-7 and related Federal Reserve, OCC, and FDIC guidance; some rescissions are agency-specific                                                   |
| Who it applies to                         | Most relevant to banking organizations over $30 billion in total assets; may also be relevant to smaller banks with significant model-risk exposure |
| Approach                                  | Principles-based, proportionate to materiality and inherent risk                                                                                    |
| Generative AI and agentic AI in scope?    | Explicitly excluded; existing governance practices should guide controls outside the guidance                                                       |
| Key shift from SR 11-7                    | Less prescriptive, risk-based guidance that emphasizes materiality, sound practices, and bank-specific judgment                                     |

## Who It Applies To

The guidance is expected to be most relevant to banking organizations with more than $30 billion in total assets. It may also be relevant to smaller institutions with significant model-risk exposure because of the prevalence or complexity of their models, or because they operate outside traditional community banking.

The agencies' tailoring point is important: not every bank needs the same governance structure or level of rigor for every model.

## What Changed: From SR 11-7 to the 2026 Guidance

SR 11-7 and its companion bulletins established the de facto US model risk management framework for over a decade. Banks built validation programs, governance structures, and internal audit expectations around its prescriptions.

Rather than prescribing how banks should meet those expectations, the agencies describe what outcomes they expect. The guidance is organized around six broad principles:

The guidance does not set enforceable standards or fixed validation cycles. It instead describes sound practices and expects banks to decide the appropriate approach based on their models and risk profile.

## What Changed in Practice

The 2011 framework was often applied as a detailed operating model. The 2026 guidance is less prescriptive, but it retains substantive discussion of model testing, conceptual soundness, outcomes analysis, monitoring, effective challenge, governance, documentation, and vendor validation.

Institutions should review policies that cite SR 11-7 as a current requirement. They should not assume that practices carried forward from the earlier framework are unnecessary: many remain identified as sound practices in the new guidance and may continue to be appropriate for the institution.

## The Materiality Framework

The guidance gives materiality a clear role: model exposure and purpose determine materiality, while inherent risk and materiality together inform the overall magnitude of model risk. A bank may deem some models immaterial based on exposure and purpose, but it should identify them and monitor the conditions under which they could become material.

This creates an opportunity to reassess model inventories. The guidance excludes simple arithmetic calculations, including those in spreadsheets, and deterministic rule-based processes or software that do not apply statistical, economic, or financial theories. Banks should document the basis for their inventory and materiality decisions.

Monitoring frequency and scope should reflect the model's purpose, data, methodology, changes, and materiality.

## Third-Party and Vendor Models

Model risk management still applies to vendor models. This holds true even if a bank can't fully validate the vendor's model or get the information it requests from the developer. Where a bank customizes a vendor model for its particular needs, the validation process should include documenting, justifying, and evaluating those adjustments.

This is relevant to third-party AI platforms where direct access to model internals is limited. It does not, however, bring generative or agentic AI into the scope of this guidance; banks should use their broader governance practices to determine appropriate controls for those systems.

## What the AI Scope Exclusion Means

The guidance explicitly excludes generative AI and agentic AI models from scope. The agencies say they plan to issue a future RFI addressing model risk management generally and banks' use of AI, including generative AI, agentic AI, and AI-based models.

That leaves a gap. Banks are deploying AI for regulated work: drafting client communications, supporting investment decisions, executing actions through agent-driven pipelines. None of it is governed by a dedicated model risk framework. The actions their AI takes and the records those deployments generate are subject to existing obligations under [SEC Rule 17a-4](/regulations/sec-17a-4), [FINRA Rule 4511](/regulations/finra-rule-4511), and [Investment Advisers Act Rule 204-2](/regulations/investment-advisers-act-rule-204-2). Those obligations apply now, not when the RFI concludes.

Separate books-and-records obligations may apply to firms that are also broker-dealers or investment advisers. Whether an AI-assisted communication or action is a required record depends on the regulated entity, the activity, and the content. Firms should apply their record-classification policies and obtain counsel where the scope is unclear.

## Practical Next Steps

Most institutions are likely to view the 2026 guidance as a baseline rather than a complete replacement for existing model risk practices. Large and complex banks with mature SR 11-7 programs will likely continue using independent validation, formal governance structures, and other established controls because those practices remain valuable even if they are no longer explicitly required. Smaller institutions may have more flexibility to scale their model risk programs based on the materiality and risk of the models they use.

Three practical steps are:

## Where Capture Can Support Governance

Existing recordkeeping obligations apply to AI-assisted business activity regardless of how future AI model risk guidance develops. When AI is used in a regulated workflow, the activity it supports may become part of the firm's supervisory and recordkeeping obligations. An AI-generated client communication is still a business communication. An AI-driven action still creates a record of activity that regulators may expect firms to explain and reproduce.

**AI activity retention for regulated firms.** Comma captures the full AI execution record: prompts, responses, [tool calls](/ai/are-llm-tool-calls-business-records), agent actions, and the execution context that determined what the AI was permitted to do. This is the reconstruction context a regulated firm needs to produce on demand, demonstrate governance, and respond to examiner requests.

**Scope matters.** Arc Relay is an MCP control plane. It does not automatically capture an upstream model prompt, system prompt, model identity, or agent context unless that information is sent through the captured request path. Direct model-API capture and broader integrations should be discussed with Comma based on the system being evaluated.

**Use in a control process.** Captured activity can be evaluated alongside the firm's own model inventory, access controls, change-management evidence, and recordkeeping policy. The appropriate review process remains the firm's responsibility.

For enterprise connectors, cross-channel search, legal hold, and review workflows, confirm the currently available integration and record coverage with Comma before relying on them in a control design.

**Capability summary:**

- MCP tool-call capture — Available now via [Arc Relay](https://commacompliance.ai)
- Direct model-API, enterprise, and self-hosted AI capture — Discuss current availability and coverage with Comma
- Retention, legal hold, search, and review workflows — Confirm against the firm's requirements and the current product scope
