SR 26-2: What the New Model Risk Management Guidance Means for Financial Institutions

For fifteen years, SR 11-7 was the rulebook. Every model validation, every governance framework, every internal MRM policy at a US financial institution traced back to that single 2011 document. Risk teams built entire functions around it. Consultants built careers interpreting it.

On April 17, 2026, it was replaced.

The Federal Reserve, FDIC, and OCC jointly issued SR 26-2 — the Revised Guidance on Model Risk Management — formally superseding SR 11-7, SR 21-8, and a handful of related issuances that had accumulated over the past decade. If your institution hasn't reviewed what changed, this article is your starting point.

What SR 26-2 actually says

The agencies are explicit about what drove the update: fifteen years of supervisory experience, significant evolution in modelling technology, and a recognition that the prescriptive, one-size-fits-all approach of SR 11-7 no longer reflected how institutions of different sizes and complexity profiles actually manage model risk.

The headline shift is from a prescriptive framework to a principles-based one.

SR 11-7 told institutions what to do in considerable detail. SR 26-2 tells institutions what good model risk management looks like and expects them to design practices proportionate to their own risk profile. The core principles — sound model development, rigorous validation, strong governance — remain intact. What changes is how those principles are applied.

Three themes run through SR 26-2:

Proportionality. The revised guidance explicitly scales expectations to the size, complexity, and model risk profile of each institution. Practices appropriate for a G-SIB are not necessarily appropriate for a regional bank. The guidance is expected to be most relevant to banking organizations with over $30 billion in total assets, but it is designed to scale based on actual model risk exposure rather than asset size alone.

Risk-based tiering. Institutions are expected to maintain a risk-based model inventory and apply oversight commensurate with each model's risk and impact. High-risk models get rigorous validation. Lower-risk models get lighter-touch oversight. The emphasis is on defensible, documented judgment — not uniform treatment of every model regardless of consequence.

AI and advanced modelling. SR 26-2 updates the definition of a model and directly addresses non-generative, non-agentic AI models. The guidance explicitly excludes generative AI and agentic AI from its scope, indicating that institutions should continue applying existing risk management and governance processes while regulators develop future expectations for those technologies. Meanwhile, the guidance clarifies that non-generative, non-agentic AI and machine-learning models remain within scope of model risk management expectations. For institutions deploying machine learning in credit, market risk, or fraud detection, this is a meaningful clarification.

What it replaces — and what that means in practice

SR 26-2 supersedes the Supervisory Guidance on Model Risk Management (OCC Bulletin 2011-12, Fed SR 11-7, FDIC FIL-22-2017), the 2021 Interagency Statement on BSA/AML Model Risk Management, and OCC Bulletin 1997-24 on Credit Scoring Models.

In practical terms, this means:

• Internal MRM policies written to satisfy SR 11-7 need to be reviewed and updated

• Model validation frameworks built on SR 11-7's prescriptive requirements need to be assessed against the new principles-based approach

• Governance structures — model risk committees, validation independence, board reporting — remain important but need to be calibrated to the new proportionality expectations

• Institutions that have been applying SR 11-7 uniformly across all models, regardless of risk and impact, now have both the flexibility and the regulatory expectation to apply a risk-based tiered approach

One important note from the OCC: the guidance does not set forth enforceable standards or prescriptive requirements, and non-compliance will not result in supervisory criticism. This is a principles-based framework. The question examiners will ask is not "did you follow SR 26-2 step by step" but "is your model risk management sound, proportionate, and defensible."

The gap SR 26-2 doesn't close — our perspective

SR 26-2 is a better framework than SR 11-7. The proportionality principles are sensible. The risk-based tiering is practical. The updated treatment of AI models reflects reality in a way that the 2011 guidance never could.

But in our view, there is an important challenge SR 26-2 leaves unresolved — and in fact, no prescriptive regulatory framework ever could fully address.

The guidance addresses how institutions should manage the models they have. It says relatively little about whether those models are capable of identifying the risks they don't yet know about.

Standard model validation — even rigorous, SR 26-2-compliant validation — tests models against historical data. It asks: does this model perform well on data it has already seen? Out-of-sample backtesting, walk-forward validation, stress testing against historical scenarios — these are all variations of the same question.

What they cannot answer is: how does this model perform against a scenario that has never occurred?

The 2020 market dislocation is instructive here. Many models that had performed well under traditional validation frameworks struggled during the unprecedented market conditions of early 2020. The governance was in place. The validations had passed. The drawdowns arrived anyway.

SR 26-2 does not solve this. No regulatory framework can. The problem is not one of governance or process — it is one of methodology.

What forward-looking model validation actually requires

The institutions that will be best positioned under SR 26-2 are not those who update their policy documents to reference the new guidance. They are those who genuinely extend their model validation practices to cover what historical data cannot show.

That means:

Synthetic scenario generation. Testing models and portfolios against plausible, novel market scenarios — not just historical replays. If your model has only ever been tested against data from 1982 to 2024, you know almost nothing about how it will perform in a genuinely novel macro environment.

Out-of-distribution risk quantification. Producing defensible, quantified estimates of tail risk that go beyond the range of historical experience. This is not speculation — it is rigorous probabilistic modelling of the space of plausible futures, not just the space of recorded history.

Auditable, falsifiable outputs. SR 26-2's emphasis on principles over prescriptions puts more weight on institutions to demonstrate that their model risk practices are sound. Forward-looking scenario analysis that produces auditable, falsifiable outputs — predictions that can be tested against real events — provides exactly that kind of demonstrable rigour.

This is precisely the gap that Ahead Innovation Labs was built to address. Our generative diffusion model produces synthetic macro shock scenarios conditioned on real economic dynamics — testing portfolios and risk models against market environments that have no historical precedent. In our research, synthetic scenario generation identified risk patterns that were not apparent from historical backtesting alone. You can review the full methodology and findings in our published use case.

A notable addition — aggregate model risk

One of the more important conceptual enhancements in SR 26-2 is the explicit elevation of aggregate model risk.

The prior framework largely addressed models individually — develop it, validate it, govern it. SR 26-2 encourages institutions to consider model risk collectively, taking into account dependencies between models, shared assumptions, and common data sources that may create systemic vulnerabilities invisible when models are assessed in isolation.

For large institutions running hundreds of models across credit, market risk, liquidity, and compliance, this is a significant shift in thinking. A portfolio of individually well-validated models can still carry material aggregate risk if those models share assumptions, react similarly to the same macro shocks, or amplify each other's errors under stress.

This is precisely where forward-looking scenario analysis — testing the behaviour of model portfolios under novel, correlated stress conditions — becomes most valuable. Aggregate model risk is hard to see in historical data. It tends to reveal itself when conditions change in ways nobody modelled.

What to do now

If you are a risk officer or model validation lead at a US financial institution, here is the practical checklist:

• Review your MRM policy against SR 26-2's principles — particularly the proportionality and risk-based tiering expectations

• Review your model inventory and apply oversight commensurate with each model's risk and impact — the guidance expects a risk-based tiered approach explicitly

• Assess your AI models — SR 26-2 has specific relevance for non-generative, non-agentic AI models in production; vendor models and third-party model risk also remain firmly in scope

• Evaluate aggregate model risk — consider dependencies between models, shared assumptions, and correlated exposures across your model portfolio

• Evaluate your validation methodology — does it cover out-of-distribution scenarios, or is it limited to historical data?

• Review your governance structure — model risk committee oversight, effective challenge, validation independence, and board-level reporting all remain central to SR 26-2

The deadline is not a specific date — SR 26-2 is supervisory guidance, not a rule with an enforcement date. But examiners will be applying it. The time to review your practices is now, not when you're in the middle of an examination.

A final thought

SR 11-7 served its purpose for fifteen years. SR 26-2 is a more mature, more proportionate framework that reflects how the industry has evolved. The shift toward principles-based oversight is a positive development.

But the most important model risk management question of the next decade is not one that any regulatory framework will answer for you. It is this: are your models capable of telling you what you don't already know?

That requires going beyond historical data. It requires forward-looking scenario analysis. And it requires the intellectual honesty to ask, before a crisis arrives, whether your models would have seen it coming.

Ahead Innovation Labs builds AI-powered investment stress testing software for financial institutions. Our generative scenario engine tests strategies and risk models against market environments that have never occurred — giving risk teams the forward-looking visibility that historical backtesting cannot provide. Book a demo to see it run on your portfolio.