Federal banking regulators have issued sweeping model risk management guidance that formally embeds data lineage expectations into bank supervision and signals dedicated rulemaking on AI data provenance, including for lending, risk, and customer-service applications.
Background
On April 17, 2026, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC) jointly issued SR 26-2, replacing the 15-year-old supervisory guidance SR 11-7 that had governed model risk management in U.S. banking since 2011. The OCC said the revision was prompted by supervisory experience, industry feedback, and significant technological advances in model use since the original guidance was adopted.
The prior framework had drawn sustained criticism for being prescriptive and inconsistently enforced across examination teams. The Bank Policy Institute noted in an analysis that regulatory oversight of models was "highly influenced by each individual examiner's interpretation of the scope and substance of the guidance," with enforcement varying materially between the OCC, Federal Reserve, and FDIC.
The update arrives as AI deployment in banking accelerates. According to IBM's Global Banking Outlook cited by industry analysts, 78% of banks are now tactically adopting generative AI, while the global AI-in-banking market is estimated to reach $45.59 billion in 2026.
Details
SR 26-2 introduces a principles-based, risk-tiered framework that moves away from prescriptive annual validation cycles toward governance calibrated to model materiality and institutional complexity. The guidance is primarily directed at banking organizations with over $30 billion in total assets, though it may also apply to smaller institutions with significant model complexity or exposure, according to Federal Reserve supervisory letter SR 26-2.
A central operational implication is the requirement for auditable data lineage across the full model lifecycle. Model risk practitioners note that regulators now expect institutions to trace lineage across every link in the model chain, from development and validation through deployment and monitoring, rather than relying on point-in-time snapshots. SR 26-2 states that the quality of the validation process "depends on the rigor and effectiveness of the review rather than on organizational structure," shifting the compliance standard from structural separation to demonstrable governance quality.
Industry technologists observe that a flat model inventory, such as a spreadsheet, cannot fulfill these expectations. A dependency graph mapping data lineage and risk relationships across the enterprise is now considered the minimum viable approach to demonstrating compliance under examination.
Critically, generative AI and agentic AI are explicitly excluded from SR 26-2's scope, with regulators acknowledging these technologies are "novel and rapidly evolving" and therefore outside the traditional model risk framework. However, the guidance instructs banks to apply their own risk management and governance practices to any system the framework does not cover, meaning institutions deploying AI agents in lending or customer service must self-govern against principles the framework cannot fully codify.
To address this gap, the OCC, Federal Reserve, and FDIC announced plans to issue a separate request for information (RFI) in the near future that addresses model risk management generally and considers, in particular, banks' use of AI, including generative AI and agentic AI and AI-based models. That RFI is expected to cover data provenance, training data documentation, and auditable governance for AI-enabled decisions.
State-level requirements are already moving faster than federal action. Colorado Senate Bill 24-205, effective February 1, 2026, requires financial institutions to disclose how AI-driven lending decisions are made, including the data sources that informed the AI model and how its performance was evaluated. Illinois expanded regulatory oversight of predictive data analytics and AI used to determine consumer creditworthiness, with amendments effective January 1, 2026.
Outlook
The forthcoming federal RFI on AI model governance is expected to set the stage for standardized data provenance requirements covering lending, risk management, and customer-facing AI tooling at scale. Institutions that have not yet built machine-readable model inventories with traceable data lineage face elevated examination risk in the interim. According to NIST, a full initial public draft of its AI cybersecurity risk profile for financial institutions, which complements SR 26-2, is expected later in 2026. Banks deploying AI in high-stakes decision workflows, such as credit underwriting and AML triage, will need to demonstrate governance controls that parallel SR 26-2's expectations even absent formal rules covering generative and agentic systems.
