U.S. Banking Regulators Overhaul AI Model Risk Rules; Healthcare Governance Gap Widens

U.S. regulators overhaul bank model risk rules with SR 26-2 as healthcare AI governance gaps widen. What CIOs and compliance leads must act on now.

Federal banking regulators have issued the most significant overhaul of model risk management standards in 15 years, introducing tiered controls that directly govern AI-driven credit decisions - while the healthcare sector faces mounting pressure to close parallel gaps in data provenance and auditability for patient risk tools.

Background

On April 17, 2026, the Federal Reserve, the OCC, and the FDIC jointly issued SR 26-2, "Revised Guidance on Model Risk Management," superseding the SR 11-7 framework that had governed bank model practices since 2011. The update arrives as AI and machine learning systems become increasingly embedded in high-stakes functions including credit underwriting, regulatory capital calculations, and stress testing.

For more than a decade, banks and their technology vendors operated under SR 11-7, a framework that industry practitioners and examiners acknowledged was drafted before the widespread deployment of machine learning and generative AI. The 2026 guidance explicitly notes that generative AI and agentic AI systems are "not within the scope" of the revised framework, with the agencies committing to release a separate request for information on AI-specific model risk management "in the near future." Analysts have described that carve-out as the "GenAI Gap" - a material area of unresolved governance that institutions must address through general risk management practices in the interim.

In the healthcare sector, regulatory momentum has been more incremental. The Health Sector Coordinating Council (HSCC) published AI cybersecurity guidance previews in November 2025, outlining frameworks for managing AI risks across layered vendor supply chains, standardizing procurement and vendor vetting, and requiring model contract clauses for data use, protected health information (PHI) handling, and breach reporting. Separately, FDA guidance on AI-enabled medical devices requires organizations to document data provenance and lineage from raw input through model output, along with traceable audit trails.

Details

The revised interagency banking guidance introduces a material shift in how institutions classify and control quantitative models. Under SR 26-2, banks must transition from a binary "model vs. non-model" classification to a three-tiered assessment framework that segments traditional models, non-model tools, and excluded innovations such as generative AI. The guidance adopts a proportionality principle: models assessed as immaterial require only performance monitoring and identification, while higher-materiality models "warrant more comprehensive and rigorous oversight." The revised framework is expected to be most relevant to banking organizations with over $30 billion in total assets.

Operationally, institutions relying on legacy data infrastructure face significant remediation work. Practitioners note that aligning to the new principles-based framework on traditional technology stacks requires inventory migration, validation template rewrites, new monitoring pipelines, documentation refreshes, and vendor-model onboarding - a workload Databricks analysts estimate at "two to three quarters of sprint work" for large institutions.

The OCC incorporated AI findings in enforcement actions across 17 matters since fiscal year 2020, reinforcing that existing safety and soundness standards apply to AI systems irrespective of new dedicated AI rules. Separately, the CFPB has maintained that AI used in credit decisions must comply with the Equal Credit Opportunity Act, including issuing specific adverse action notices when algorithms deny credit applications.

In healthcare, compliance leaders face a fragmented landscape. Healthcare AI data privacy requirements now extend beyond baseline HIPAA compliance, requiring organizations to ensure responsible management of patient data with particular attention to data provenance, quality, and security. The American Medical Association (AMA) has urged federal entities to act in concert to create "a coordinated and coherent oversight ecosystem," cautioning that fragmented or duplicative rules "slow innovation, confuse clinicians and leave critical gaps unaddressed."

On the standards front, NIST released a concept note on April 7, 2026, for a new AI Risk Management Framework profile titled "Trustworthy AI in Critical Infrastructure," building structured requirements for AI trustworthiness that operators can communicate upstream to their vendors. In parallel, NIST's Center for AI Standards and Innovation (CAISI) launched an AI Agent Standards Initiative in early 2026, issuing a request for information on securing AI agent systems and announcing listening sessions targeting the financial services and healthcare sectors.

Industry groups and technology vendors have raised concerns about legacy system compatibility. Organizations commonly struggle with incomplete or fragmented metadata, manual lineage mapping, poor integration across systems, and scalability issues when implementing regulatory data lineage tracking. Healthcare-specific validation adds another layer: organizations must validate AI tools within their specific deployment context - accounting for unique patient populations and clinical workflows - rather than relying on generic vendor validation, a requirement analysts describe as non-negotiable and ongoing.

Outlook

The banking agencies have committed to releasing a dedicated request for information on AI model risk management, including for generative and agentic AI systems, "in the near future." That forthcoming guidance is expected to address data provenance, training data documentation, and auditability standards that SR 26-2 does not yet cover - areas where healthcare regulators and the EU AI Act have already established precedent. For enterprise technology leaders, the compounding regulatory timelines across banking and healthcare signal that unified data lineage infrastructure, tiered model governance, and vendor risk documentation are no longer optional components of AI platform architecture.