For fifteen years, every compliance officer at a U.S. bank had the same document on their desk: SR 11-7. The Federal Reserve's 2011 "Supervisory Guidance on Model Risk Management" — later adopted by the OCC and FDIC — defined what a model was, how it had to be validated, and what examiners would ask about when they showed up. Banks built entire governance functions around it.
On April 17, 2026, those agencies quietly retired SR 11-7 and replaced it with OCC Bulletin 2026-13. The new framework is narrower, more principles-based, and more honest about where regulators actually are on artificial intelligence. Which is: not ready.
That's the gap your bank needs to govern right now.
What Changed — and What Got Left Out
The revised guidance does several things the banking industry had been asking for: it narrows the definition of "model" (simple calculations and deterministic rule-based tools are no longer automatically in scope), it introduces a $30 billion asset threshold for full applicability, and it replaces the 2011 guidance's prescriptive annual validation requirements with a principles-based approach that gives banks more flexibility.
What it does not do is tell banks what to do with ChatGPT, Claude, Gemini, or Copilot — the AI tools their employees are already using.
The OCC's press release says it directly: "generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance."
That sounds like good news. It isn't.
"Not in Scope" Is Not the Same as "Off the Hook"
The agencies were careful here. Sullivan & Cromwell's analysis of the Revised Guidance, published April 29, 2026, makes the legal distinction clear: generative and agentic AI models are excluded from the formal MRM framework, but "the Revised Guidance recommends that banking organizations should apply their broader risk management and governance practices to guide the determination of the appropriate governance and controls to be applied to any tools, processes, or systems not covered by the Revised Guidance, including generative and agentic AI models."
Translation: GenAI is out of scope for the formal model risk management rules. It is not out of scope for governance expectations. You're just on your own to figure out what those expectations look like.
The OCC's own press release confirms that the agencies "plan to issue in the near future a request for information that addresses model risk management generally and considers, in particular, banks' use of AI, including generative AI and agentic AI and AI-based models." That RFI has not been published as of this writing.
So here is where every national bank, federal savings association, and federal branch of a foreign bank currently sits: employees are using AI tools to draft regulatory filings, summarize loan documents, synthesize risk reports, and answer compliance questions. Those tools are explicitly outside the new MRM guidance. But they are still expected to be governed, and the framework for governing them doesn't exist yet.
The Problem With "Broader Risk Management Practices"
SR 11-7 and the bulletins that adopted it were built for classical quantitative models: credit scoring, value-at-risk, AML transaction monitoring, fair lending analytics. Those models process structured data through statistical methods that can be documented, validated, and backtested against historical outcomes.
Generative AI doesn't work that way. A language model that drafts a regulatory comment letter or summarizes a credit memo cannot be validated through the backtesting process used for a credit scoring model. Its inputs are free text, its outputs are not deterministic, and there is no historical ground truth to score a drafted letter against. Its risk profile is different in kind: hallucinated citations, context leakage from prior conversations, summaries that contradict policy, and prompt injection carried in the documents it is asked to read.
"Apply your broader governance practices" assumes those practices transfer cleanly. For most banks, they don't — at least not without meaningful extension work. The model risk management function that knows how to review a logistic regression is not automatically equipped to define acceptable use of a generative AI tool in a loan origination workflow, or to assess whether an employee pasting a borrower's financials into a public AI product breaches the bank's privacy notices and customer data agreements.
What Examiners Will Ask Before the RFI Arrives
The absence of formal AI-specific guidance does not mean the absence of examiner interest. The OCC, Fed, and FDIC did not say "generative AI is ungoverned until we publish the RFI." They said banks are responsible for applying existing governance frameworks to these tools. That's what examiners are already probing.
The questions banks should expect:
- Does your institution maintain an inventory of AI tools employees are using — including consumer AI products accessed through personal accounts on bank systems?
- Have you assessed whether employee AI use creates data leakage risk — customer PII, material nonpublic information, or confidential credit data shared with third-party model providers?
- Do your acceptable use policies distinguish between approved internal AI deployments and ad-hoc employee use of consumer AI products?
- Can you demonstrate that AI-generated content in regulatory submissions, credit memos, or compliance documentation is reviewed by a qualified human before it is relied upon?
- What controls exist to prevent employees from processing customer data through AI tools in ways inconsistent with your institution's privacy notices or customer data agreements?
These aren't hypothetical. Examination teams at the OCC have been asking about AI governance during regular reviews for the past year. Bulletin 2026-13 doesn't change that — it just clarifies that the answers are each bank's responsibility to design.
What Banks Should Do Right Now
The practical implication of Bulletin 2026-13 is that banks have a narrow window between now and the forthcoming AI-specific RFI to establish a defensible governance posture. Not because the RFI will mandate one retroactively — it won't — but because the RFI will put on the record what examiners are already probing. Banks that have something documented and operational will be better positioned than banks that treated the carve-out as permission to wait.
The minimum viable AI governance posture for a bank today includes:
An inventory of AI tools in use — approved internal deployments, approved third-party integrations, and known employee use of consumer AI products on bank infrastructure. You cannot govern what you cannot see.
Acceptable use policies that distinguish between approved AI tool categories, prohibited uses (submitting customer PII to consumer AI products, generating regulatory filings without human review), and use cases that require model risk management team involvement before deployment.
Pre-submission review requirements for AI-generated content in high-stakes contexts: credit decisions, regulatory filings, AML narratives, OFAC screening results. The human review step is what transforms AI output into a governable artifact.
Data leakage monitoring for traffic to external AI services. Just as banks monitor email and endpoint activity for sensitive data egress, they need visibility into what employees are sending to external AI APIs. Because that traffic is TLS-encrypted, destination-only telemetry such as DNS or NetFlow shows which services are in use but not what was sent; seeing the content requires inspection at the proxy or in the browser.
A documented rationale for how existing governance practices apply to each AI tool category — not as a box-checking exercise, but as the artifact that demonstrates compliance with the "broader governance practices" expectation in Bulletin 2026-13.
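As an added example (not code from the original post, and not part of any product named on this page), here is the kind of triage rule the monitoring item above implies, run over a few constructed proxy-log lines. The hostnames are public AI endpoints, but the approved-service list, the `ACCT-` account-number format, the keyword list and the sample log entries are assumptions made for illustration, not a bank's real inventory.

```python
"""Triage proxy-log entries for AI-service egress: which AI endpoints are in
use, whether each is an approved deployment, and whether the request body
carries sensitive data.  Added example; all inventories and samples are assumed."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional

# ASSUMPTION: illustrative inventory.  The hosts are real public endpoints,
# but the API-vs-consumer labelling is a local governance decision.
AI_SERVICES = {
    "api.openai.com": "openai-api",
    "chatgpt.com": "openai-consumer",
    "api.anthropic.com": "anthropic-api",
    "claude.ai": "anthropic-consumer",
    "generativelanguage.googleapis.com": "google-api",
    "gemini.google.com": "google-consumer",
}
# ASSUMPTION: the bank's one approved deployment for this example.
APPROVED_HOSTS = {"api.anthropic.com"}

# Deliberately narrow patterns to keep false positives low.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
ACCT_RE = re.compile(r"\bACCT-\d{10}\b")          # hypothetical internal format
KEYWORD_RE = re.compile(r"\b(material nonpublic|confidential credit memo)\b", re.I)


@dataclass
class Finding:
    user: str
    host: str
    service: str
    approved: bool
    indicators: List[str]


def classify_request(entry: dict) -> Optional[Finding]:
    """Return a Finding for requests to a tracked AI host, else None.
    The body is only present if the proxy terminates TLS; without it we
    still get the destination, which is enough for the inventory question."""
    host = (entry.get("host") or "").lower()
    service = AI_SERVICES.get(host)
    if service is None:
        return None
    body = entry.get("body") or ""
    indicators = []
    if SSN_RE.search(body):
        indicators.append("ssn")
    if ACCT_RE.search(body):
        indicators.append("account_number")
    if KEYWORD_RE.search(body):
        indicators.append("sensitive_keyword")
    return Finding(entry.get("user", "?"), host, service,
                   host in APPROVED_HOSTS, indicators)


def severity(f: Finding) -> str:
    """Unapproved destination plus sensitive content is the case to page on;
    sensitive content to an approved service is a contract/terms review;
    an unapproved service with nothing sensitive is an inventory gap."""
    if not f.approved and f.indicators:
        return "high"
    if f.indicators:
        return "medium"
    if not f.approved:
        return "low"
    return "info"


def triage(log_lines: List[str]) -> List[Finding]:
    """Parse JSON-lines proxy records, skipping malformed lines."""
    findings = []
    for line in log_lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        f = classify_request(entry)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample log (JSON lines, as a TLS-inspecting proxy might emit).
SAMPLE_LOG = [
    '{"ts":"2026-05-01T09:12:03Z","user":"jdoe","host":"chatgpt.com","method":"POST",'
    '"body":"Summarize: borrower SSN 123-45-6789, income 140k"}',
    '{"ts":"2026-05-01T09:14:41Z","user":"asmith","host":"api.anthropic.com","method":"POST",'
    '"body":"Draft a confidential credit memo summary for ACCT-0012345678"}',
    '{"ts":"2026-05-01T09:15:09Z","user":"bwong","host":"claude.ai","method":"GET","body":""}',
    '{"ts":"2026-05-01T09:16:22Z","user":"jdoe","host":"www.example.com","method":"GET"}',
    'garbled line that is not JSON',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(severity(f), f.user, f.host, f.service, f.indicators)
```

The matching is intentionally simple; in production the indicator list would come from the bank's existing DLP classifiers rather than hand-written regexes, and the host list from the AI-tool inventory described above. The point is the split in `severity`: a consumer AI product receiving an SSN and an approved API receiving a credit memo are different findings that route to different owners.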
The Window Is Short
The AI-specific model risk management RFI from the OCC, Federal Reserve, and FDIC is coming. When it arrives, it will ask banks to describe how they govern generative and agentic AI — and banks that have been treating the carve-out in Bulletin 2026-13 as implicit permission to do nothing will have a difficult answer to give.
The governance gap is real. It's deliberate — regulators couldn't write rules for technology they're still studying. But "we're waiting for the RFI" is not a governance posture. It's the absence of one.
The OCC's new framework rewards banks that take a risk-based, principles-driven approach to governance. That's the same standard your examiners will apply to your AI tools — whether or not a formal AI-specific bulletin exists when they arrive.
Containment.AI enforces AI governance policies in real time — at the proxy layer, in the browser, and in the admin dashboard. If your bank is building the governance posture Bulletin 2026-13 expects, start here.