Compliance · SR 26-2 · Agentic AI
SR 26-2 scoped agentic AI out. The obligation to prove what it did stayed in.
SR 26-2, the 2026 interagency model-risk guidance that supersedes SR 11-7, excluded generative and agentic AI from its model-risk scope and pointed institutions toward broader risk governance. The carve-out moved the rulebook, not the liability. The first time an agent influences a real client decision, the question is what it did, on whose authority, and whether you can prove it.
§ 01 The carve-out
No checklist. A broader-governance burden of proof.
SR 11-7 governed models with a validation lifecycle banks knew how to evidence. SR 26-2 supersedes it and, in scoping generative and agentic AI out, removes the prescriptive frame for exactly the systems banks are now putting into production. What replaces it is a direction toward broader risk governance, defined by the institution rather than the guidance.
That is harder, not easier. A carve-out is not an exemption from accountability. When an agentic workflow touches underwriting, onboarding, or client servicing, the institution still owns the outcome, and the evidence it can produce is the difference between an answer and an argument.
The rulebook stopped naming the system. The obligation to prove what the system did did not stop.
§ 02 The evidence
What broader governance asks for, by construction.
The substrate makes the record a property of the action. Every agent action is attributed to a specific agent under a specific policy you write, and hash-chained into a tamper-evident audit chain that an examiner can interrogate after the fact, kept inside your boundary.
This material is informational, not legal or regulatory advice. The substrate produces the record; it does not by itself make an institution compliant. Assess your specific obligations with qualified counsel.
§ 03 Questions
SR 26-2 and agentic AI, answered.
Does SR 26-2 cover agentic AI?
No. SR 26-2, the 2026 interagency model-risk guidance that supersedes SR 11-7, scopes generative and agentic AI out of its model-risk framework and directs institutions to apply broader risk-governance practices to those systems. The obligation to govern agentic AI did not disappear with the carve-out; it moved to a broader governance footing that the model-risk rulebook does not itself specify.
If SR 26-2 excluded agentic AI, why does it matter for banks deploying agents?
Because the liability did not move. A bank is still accountable for the decisions its AI agents influence for real clients, and an examiner can still ask what an agent did, on whose authority, and whether it can be proven. The carve-out means there is no prescriptive checklist; the bank has to demonstrate broader governance on its own evidence.
What does the substrate produce against SR 26-2's broader-governance direction?
Every agent action is attributed to a specific agent under a specific policy you write, and hash-chained into a tamper-evident audit chain that is interrogable after the fact and retained inside your boundary. That is the attributable, reconstructable record broader governance assumes, produced by construction rather than reconstructed under deadline.
Is this legal or regulatory advice?
No. This material is informational. The substrate produces the record; it does not by itself make an institution compliant. Assess your specific obligations under SR 26-2 and related guidance with qualified counsel.