SR 11-7 Replacement: The New MRM Framework Explained

If your model risk management program was built around SR 11-7, it's worth knowing exactly what changed on April 17, 2026 — not just that something did.

We covered the headline shift from SR 11-7 to SR 26-2 in our previous article. This piece goes one level deeper: the six concrete, practical differences that determine what your MRM team should actually do differently, starting now.

The model definition just got narrower

SR 11-7's definition of a "model" was famously broad. It pulled in end-user computing spreadsheets, rule-based engines, and simple workflow tools — creating model inventories that were, in practice, difficult to tier, govern, and maintain. Many institutions ended up treating hundreds of low-risk tools with the same governance rigor as their core credit and market risk models, simply because the definition didn't give them room not to.

SR 26-2 tightens this considerably. The new guidance requires all three of the following to be present for something to count as a model: a complex quantitative method, a theoretical underpinning (statistical, economic, or financial theory), and a quantitative output. Simple arithmetic calculations — the kind found in ordinary spreadsheets — along with deterministic rule-based processes and software, are explicitly excluded from the definition.

What this means in practice: institutions may determine that many previously inventoried spreadsheets or rule-based tools no longer meet the regulatory definition of a model. That said, falling outside the model definition is not the same as needing no controls at all. A spreadsheet that drives a material business decision still deserves some form of oversight — it just no longer needs to sit inside your formal model inventory and validation cycle by default.

Annual revalidation is no longer the default

Many institutions implemented annual validation cycles under SR 11-7, even though the guidance itself did not explicitly mandate annual revalidation. In practice, industry convention and examiner expectations converged on an annual cadence applied fairly uniformly across the model inventory, regardless of how material or volatile any individual model actually was.

SR 26-2 replaces this de facto convention with an explicitly risk-based approach. Validation frequency is now a function of model materiality, change velocity, and data availability, with explicit triggers that prompt re-review when conditions warrant it rather than defaulting to a calendar date.

What this means in practice: institutions now have a defensible basis to reduce validation frequency on low-materiality, stable models — and a regulatory expectation to increase scrutiny on models that are high-impact, complex, or operating in fast-changing conditions. This is not a free pass to reduce oversight uniformly. It is a requirement to make oversight proportionate.

Validator independence is no longer purely structural

SR 11-7 was generally read as requiring organizational separation between those who build models and those who validate them — in practice, this typically meant separate reporting lines and, often, separate teams entirely.

SR 26-2 changes this explicitly. The new guidance states that the quality of the validation process depends on the rigor and effectiveness of the review rather than on organizational structure. Validators can now sit closer to the development process, provided the review itself remains rigorous and conflicts of interest are actively managed.

What this means in practice: this gives institutions formal regulatory cover to integrate validation earlier into the model development lifecycle — sometimes called "shifting governance left" — rather than treating validation as a separate, end-of-pipeline handoff. This can meaningfully speed up model deployment, but it raises the bar on demonstrating that the review itself, not just the org chart, is sound.

The guidance is explicitly non-binding — but that cuts both ways

SR 11-7 used directive language throughout and was, in practice, enforced as close to binding — deviations could trigger Matters Requiring Attention and contribute to examination ratings downgrades.

SR 26-2 states directly that it does not set forth enforceable standards or prescriptive requirements, and that non-compliance with the guidance alone will not result in supervisory criticism. This is a genuinely different supervisory posture.

It is important not to over-read this as deregulation. The agencies' authority to act on unsafe or unsound practices remains fully intact, grounded in existing statutory and regulatory authority. SR 26-2 itself notes that the agencies will continue to consider additional measures on model risk, including a forthcoming request for information specifically addressing AI, generative AI, and agentic AI in banking models.

What this means in practice: the checklist is gone, but the underlying question has gotten harder, not easier. Examiners will no longer be checking whether you followed a prescriptive set of steps. They will be asking whether you can independently justify that your model risk practices are sound, proportionate, and defensible on their own terms — without a rulebook to point to. For many institutions, that is a higher bar, not a lower one.

Scope is weighted toward larger, more complex institutions

SR 11-7 applied broadly across essentially all supervised institutions. SR 26-2 remains principles-based and does not state that it applies only above a fixed asset threshold — but the agencies have indicated the guidance is expected to be most relevant to banking organizations with more than $30 billion in total assets. In practice, this means the most significant operational impact is expected to fall on larger and more complex banking organizations, while smaller institutions may apply proportionate controls calibrated to their own model risk profile rather than assuming the guidance simply doesn't apply to them.

The OCC separately clarified, in guidance addressing community banks specifically, that its model risk management expectations do not require annual model validation for community banks — reinforcing the broader shift toward proportionality across the regulatory perimeter, not just within SR 26-2 itself.

What this means in practice: even institutions well under the $30 billion threshold should expect the directional shift toward risk-based, proportionate model governance to inform how examiners think about model risk, regardless of where a specific institution sits relative to that figure.

What SR 26-2 deliberately leaves out

The most consequential scope decision in SR 26-2 may be what it excludes. The guidance is explicit: generative AI and agentic AI models are described as novel and rapidly evolving, and are therefore not within the scope of this guidance.

This is a carve-out, not a green light. Being out of SR 26-2's scope is not the same as being out of governance scope altogether. Institutions deploying generative or agentic AI systems still need a parallel governance framework for those systems — and the agencies have signaled that a dedicated request for information on AI in banking models, including generative and agentic AI, is forthcoming. Institutions that wait for that future guidance before building any internal governance for these systems are taking on risk in the gap.

Non-generative, non-agentic AI and machine learning models — the kind most commonly used today in credit scoring, market risk, and fraud detection — remain squarely within SR 26-2's scope and subject to its materiality-based expectations.

What stays the same

It's worth being clear about what SR 26-2 preserves, because the continuity matters as much as the change. Effective challenge remains the core governance principle. The three validation pillars — conceptual soundness, outcomes analysis, and ongoing monitoring — are retained. Third-party and vendor model validation remains a distinct, explicit requirement, with institutions held accountable for models they didn't build themselves but rely on.

SR 26-2 is a refinement of the SR 11-7 framework, not a repudiation of it. The intellectual architecture survives. What changes is how rigidly that architecture is applied.

Where this connects to forward-looking risk testing

Everything above is about governing the models an institution already has — definitions, validation cadence, independence, scope. SR 26-2 focuses on governance and validation rigor; it does not create an explicit regulatory requirement for synthetic scenario generation or testing against novel, unprecedented events.

That said, governance rigor and methodological coverage are different things. A model can satisfy every element of SR 26-2's materiality-based governance and still be validated exclusively against historical data — which leaves open the separate, harder question we raised in our previous SR 26-2 article: can a well-governed model anticipate conditions it has never seen?

Institutions may choose to complement SR 26-2-aligned governance with forward-looking scenario analysis designed to explore conditions not represented in historical datasets. This is not something SR 26-2 requires. It is a methodological choice that some institutions are making because rigorous governance of a model's process does not, on its own, test the coverage of what that model has been validated against.

What to do this quarter

For institutions directly in scope of SR 26-2:

• Re-run your model inventory against the narrower definition. Identify EUC spreadsheets and rule engines that no longer qualify as models, and decide what lighter-touch control — short of full model governance — they still need.

• Redesign your validation cadence around materiality and change velocity, not a uniform annual calendar.

• Review your validator independence policy. If rigor can now substitute for structural separation, decide deliberately whether and how to apply that flexibility — don't let it happen by default.

• Build or commission a parallel governance framework for generative and agentic AI, even though it sits outside SR 26-2's formal scope. The forthcoming agency guidance will arrive eventually; the risk exists now.

• Document your reasoning, not just your conclusions. With the prescriptive checklist gone, the institutions best positioned at the next examination will be the ones who can clearly articulate why each control exists — independent of what SR 26-2 requires.

Ahead Innovation Labs builds AI-powered investment stress testing software for financial institutions. Our generative scenario engine tests strategies and risk models against market environments that have never occurred — a complement to, not a requirement of, governance reforms like SR 26-2. Book a Demo to see it run on your portfolio.