Regulators took agentic AI out of the model-risk rulebook and left the duty to govern it in place. The standard a bank writes to fill that gap is worth exactly what its architecture can enforce — and prove.
— SR 26-2 made the agentic AI control standard the bank's to write, and a standard no system enforces is not a control. It is a claim.
— Architecture is where a claim becomes a control — but it enforces the boundaries the bank sets, never the soundness of those boundaries.
— An agent has more surfaces than the obvious three: authority, evidence, behavior, configuration, and containment.
— Failure does not live inside any one surface. It lives in the handoff, where each owner assumes the next one held the line.
The Standard Lives Where It Can Be Enforced
On April 17, 2026, the Federal Reserve, OCC, and FDIC replaced the model-risk framework that had governed American banking for fifteen years, and wrote generative and agentic AI out of its scope. The duty to govern those systems stayed — under the safety-and-soundness expectations that never depended on that rulebook, and under every other rule that still applies. Two earlier posts in this series traced what that leaves behind: the liability for agentic AI did not move when the framework dropped it, and the job of authoring and funding the replacement standard falls between compliance and finance. This post is about where that standard has to live — because a standard that lives only on paper does not yet exist.
A policy that no system enforces is not a control. It is an intention. For an agent that acts at machine speed, no person can supply the enforcement, because no one watches every action and intervenes in time. The architecture around the agent has to enforce the standard, in the moment, or the standard is decorative. That is what building the control into the architecture means — and it is the same place, not by accident, where the bank can later prove the control held.
The architecture enforces the boundaries it is given. It cannot tell the bank whether those boundaries are the right ones. That judgment belongs to regulatory counsel, who decides what fair-lending, BSA/AML, and conduct obligations demand of the agent before a line of it is built. So the first seam opens before the build: counsel defines what the agent must honor, the architecture enforces against that definition. Enforce a flawed definition flawlessly, and the bank has built a machine that does the wrong thing precisely, on schedule, and documents itself doing it. A sound standard and sound enforcement are different jobs, held by different expertise, and neither covers for the other.
Authority, Evidence, and Behavior — Three Surfaces
The first surface is authority — what the agent can reach, and under whose credentials. A model that scores takes an input and returns a number; an agent acts — it queries systems, pulls records, sets things in motion, each step under some identity and permission. The easy mistake is to give the agent the standing credentials of the person or service account it replaced, which hands it far more reach than any task needs and leaves no record of why an action was allowed. The corrective is authority scoped to the task and revocable at the point of use, so every action traces to a specific, bounded grant. This is where agent access management earns its place: where the bank's governance standard requires a human to approve an action, that approval is real only if it lives as an enforcement point in the access layer — a place where the agent stops and a person decides — and not as a sentence in a runbook.
The second surface is evidence — what the agent saw, and whether the bank can later show it. An agent's output is only as governable as its inputs, and the obligations that outlived the carve-out attach to outcomes. A fair-lending review asks what data drove a recommendation. An AML examiner asks what the screening agent had in front of it when it cleared or escalated a transaction. Both questions arrive months late, which means the answer has to be captured as the agent acts and reconstructable on demand — provenance for every externally supplied input and retrieved artifact. This is the data owner's plane, and the one most often assumed instead of built. A governed data foundation with built-in lineage — Cloudera's Shared Data Experience, for example — is what lets a bank reconstruct not just the decision but the basis for it. Without it, a bank can say what the agent was meant to see. It cannot prove what it saw.
The third surface is behavior — what the agent did, which is never quite what it was built to do. Configuration is intent; behavior is fact. The design says the agent escalates transactions above a threshold; only the record says whether it did, every time, and what it touched on the way. That record has to be durable and ordered, captured as the actions occur — an event stream the bank can replay, not a log stitched together afterward. Event-driven architecture is the mechanism we reach for: each action emits an event, and the sequence of events is the audit trail. This matters because the failures that draw findings are behavioral — an agent that drifted, ran on stale data, or took an action no one designed. None of them appear in the configuration. They appear only in what happened.
The Full Surface: Configuration and Containment
Three surfaces are not the whole agent. Behavior means nothing without a baseline to judge it against, which makes configuration a surface in its own right: which version of the model, prompt, and tools ran, and who changed them. And an agent that can act is only safe if it can be stopped — containment, the ability to halt or constrain a misbehaving agent, is the surface examiners raise first and pilots build last. Authority, evidence, behavior, configuration, containment: these are the surfaces a production design has to account for, and the list grows as the agents do.
No single owner can certify the agent, because no single owner holds it. Inputs belong to the data team, access to identity and security, behavior and audit to the platform group, containment to all of them. Each owns a surface and trusts that the next one held. That trust is the exposure. The failure is almost never inside a plane — it is in the handoff, where a clean boundary lets each side assume the other carried the control, and no one did. Closing it takes something unglamorous: a per-project accounting of every surface, owned by the project lead, that states for each one what the control is, who owns it, how the architecture enforces it, and how it is shown on demand. The surfaces are what every agent must answer for; the accounting is how the lead proves it answered. It is a living document, not a gate cleared once and filed.
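The five surfaces above, sketched as a runtime an examiner could actually interrogate. This is an added illustration, not code from the post or from any product it names; the names (Grant, AgentRuntime, the event kinds) are hypothetical and the inputs used to exercise it are constructed. It shows a task-scoped, revocable grant, provenance captured per input before use, a hash-chained event stream that fails verification if altered, a configuration pinned per run, and a halt switch, with answer() reconstructing the five questions from the record rather than the design.

```python
import hashlib
import json
from dataclasses import dataclass

def digest(obj):
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

@dataclass
class Grant:  # authority surface: one task, a fixed tool set, revocable at the point of use
    task_id: str
    tools: frozenset
    revoked: bool = False
    def allows(self, tool):
        return not self.revoked and tool in self.tools

class AgentRuntime:  # hypothetical runtime; in-memory here so the control logic is visible
    def __init__(self, config, grant):
        self.config = dict(config)  # configuration surface: model, prompt and tool versions pinned per run
        self.grant, self.halted, self.events = grant, False, []  # grant; containment switch; event stream
        self.emit("run_started", task=grant.task_id, config=self.config)
    def emit(self, kind, **data):  # behavior surface: append-only, each event hash-chained to the last
        prev = self.events[-1]["hash"] if self.events else "0" * 64
        event = {"seq": len(self.events), "kind": kind, "prev": prev, **data}
        event["hash"] = digest(event)
        self.events.append(event)
        return event
    def act(self, tool, inputs, handler):  # one tool call; refused if halted or outside the grant
        if self.halted:
            return self.emit("denied", tool=tool, reason="halted")
        if not self.grant.allows(tool):
            return self.emit("denied", tool=tool, reason="outside_grant")
        # evidence surface: every externally supplied input is recorded by source and content hash first
        prov = [{"source": i["source"], "sha256": hashlib.sha256(i["bytes"]).hexdigest()} for i in inputs]
        return self.emit("action", tool=tool, inputs=prov, result=handler(inputs))
    def halt(self, operator):  # containment surface: set by a person and recorded; the agent cannot clear it
        self.halted = True
        self.emit("halted", by=operator)
    def chain_intact(self):  # recompute every hash and link; a tampered or reordered record fails here
        prev = "0" * 64
        for e in self.events:
            if e["prev"] != prev or digest({k: v for k, v in e.items() if k != "hash"}) != e["hash"]:
                return False
            prev = e["hash"]
        return True
    def answer(self):  # the five on-demand questions, reconstructed from the record, not from the design
        acts = [e for e in self.events if e["kind"] == "action"]
        return {"reach": sorted(self.grant.tools), "built": self.config,
                "saw": [p for e in acts for p in e["inputs"]],
                "did": [(e["seq"], e["tool"], e["result"]) for e in acts],
                "stopped_by": [e["by"] for e in self.events if e["kind"] == "halted"]}
```

In a real deployment the grant check lives in the access layer and the event stream in a durable append-only store; the point of the sketch is that each surface is a code path the agent cannot skip, and that the same record answers the examiner later.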
The Bar Did Not Move — The Instructions Did
This is the test the regulators declined to write. The standard is real when the architecture can answer, for any agent and on demand, five questions: what it could reach, what it saw, what it did, how it was built, and how it can be stopped — against boundaries counsel can defend on their merits. A bank that can produce the policy but not the reconstruction does not have a control. It has an attestation, and an attestation is what a finding is written against.
It is easy to overstate what SR 26-2 changed, so be precise. It did not raise the evidentiary bar. The expectation that a bank can demonstrate control of its systems, not merely describe it, was there long before this guidance. What the carve-out took away was the printed template for proving it against a named framework. The bar did not move. The instructions for clearing it did.
Building the layer where a self-authored standard stops being a claim and becomes something a bank can prove is the work the agencies handed over without naming it. Starting from the old model-risk discipline is reasonable; stopping there is not, because agentic systems bring problems that framework never faced — behavior that is not deterministic, in the model and in the systems around it; adversaries that adapt against the agent; and agents that act in networks of one another. The bank that treats governance as architecture can answer the examiner. The one that treats it as documentation can only describe what it meant to do.