
The CCO and CFO Inherit SR 26-2

Who owns the cost of governing agentic AI when the framework carves it out?
Financial Services & KYC/AML | 7 min read | June 16, 2026 | Duczer East Insights

The guidance that pulled agentic AI out of model risk didn't say who inside the bank now owns the cost of governing it, and that silence is where the exposure collects.

SR 26-2 carved generative and agentic AI out of model risk and declined to specify what adequate governance looks like.

Someone inside the bank now has to author that standard; the regulators left it to you.

Agentic AI has stopped being software spend and become assurance spend — budget it as a license and you under-price the risk.

The exposure concentrates in the gap between the office that sets the control standard and the office that pays for it.

What the guidance carved out

On April 17, 2026, the Federal Reserve, OCC, and FDIC issued SR 26-2, replacing SR 11-7 after fifteen years. It is principles-based rather than prescriptive — it even states that non-compliance with the guidance alone will not draw supervisory criticism — and in a footnote it places generative and agentic AI outside its scope, calling them novel and rapidly evolving. The same guidance is explicit that out-of-scope systems must still be governed under the bank's general risk-management practices. So the agencies did two things at once: they removed agentic AI from the framework, and they declined to write the replacement. A request for information is promised but not yet issued. The one instrument the guidance does hand the bank is a materiality lens that weighs a model's exposure against its purpose — the most defensible thing to carry across the line to the systems the guidance no longer covers. For now, the standard for governing the bank's fastest-moving AI is the bank's to author, with a borrowed measuring stick and no template.

This is a briefing for two readers at once, the Chief Compliance Officer and the CFO, and the reason to read it together is the reason the exposure exists. The standard the regulators declined to write has to be authored by one office and funded by another. Neither can set it alone, and the place it most easily fails is the handoff between them. A version of this addressed to either role in isolation would describe half the problem.

Compliance authors the standard

Authoring it lands first on compliance and model risk. SR 26-2 narrowed what counts as a model and then excluded agentic AI entirely, reshaping the inventory twice over. The harder task is not cataloguing what fell out of scope; it is deciding what adequately governed means for an agent that screens transactions, recommends credit, or assembles a regulatory filing — a system that acts rather than merely scores. The questions have no examiner-issued answers. How is the agent's decision logged so it can be reconstructed months later? What does a human-intervention point look like when the agent operates faster than a person can review? How is drift caught when behavior shifts with no code change to flag it? Each answer is a control the bank must specify, build, and defend.

The standard is not invented from nothing, and that is the part worth getting right. Model risk stepped back, but the obligations attached to what the agent does never moved. An agent that recommends credit is outside SR 26-2 and still inside fair-lending law; a disparate outcome is judged the same whether a scorecard or an agent produced it. An agent in sanctions or suspicious-activity workflows is outside SR 26-2 and squarely inside the bank's BSA/AML obligations. The vendor supplying it is outside SR 26-2 and inside the interagency expectations for third-party risk. A defensible standard is assembled from those surrounding frameworks — the ones that govern the agent's function and outcomes rather than its model mechanics. The carve-out removed the how-to-validate instructions; it did not remove the duties the agent's job carries. Stitching that floor together, when no single framework fully owns the system, is the actual work.

Finance prices the assurance load

That is the compliance half. The finance half begins where most AI business cases are weakest. The cost of agentic AI was never the model license; it is the assurance wrapper — decision logging and audit trails, behavioral monitoring, human-intervention protocols, vendor due diligence, contingency and rollback plans, and the documentation that lets the bank show its work to an examiner. Budgeted as software, AI reads as a cost-saving line. Budgeted honestly, it carries legal, compliance, cyber, and assurance load that the projected savings must clear before the project is accretive. That is a go/no-go input, not an accounting refinement: re-running the case with the assurance load attached will compress the return on some agents and sink others below the line. And the liability is hard to price precisely because the standard defining failure has not been written — finance is asked to carry a risk it cannot yet size, which is the compliance gap seen from the other chair.

There is a timing trap worth naming, because it produces the wrong decision under pressure. With the request for information still pending, a CFO can reasonably ask whether it is worth building to a standard regulators may revise within the year. But the controls themselves — the audit trail, the access boundary, the monitoring — are durable regardless of what the request for information says; only the documentation mapping them to a future standard may need rework. Building the controls now is not wasted spend. Deferring them is the costly choice, because the alternative place to discover them is remediation. And remediation does not arrive as a line item. It arrives as a supervisory finding, often with a remediation program, sometimes a lookback over decisions the agent already made, occasionally a requirement to constrain the system until controls exist. None of it is written as SR 26-2 non-compliance; it is written under the general expectation that a bank manages the risk of its own systems. The carve-out changed which document a finding cites, not whether the finding can be written.

The accountability does not stop at the two offices. Both report to the same audit and risk committee, and the carve-out changes what management can tell the board. "We follow the regulatory framework" was a complete answer for fifteen years; for agentic AI it is now incomplete, because the framework declines to cover the system. What the board is asked to stand behind is a standard the bank wrote itself, and its comfort is only as good as the rigor compliance built in and the resources finance put behind it. A thin standard exposes the directors who attested to it, which lifts the seam from an operating concern to a governance one.

The seam is the exposure

The exposure, then, is not in either office. It is in the seam between them. Compliance sets a standard with no external floor to enforce its rigor; finance funds a number with no external mandate to size it. Each can assume the other is carrying the cost, and the control the bank ends up with is whatever survives the gap. A vendor does not close it: most of these systems are bought, and the procurement contract is a commercial arrangement, not a transfer of liability — the examiner holds the institution, not the supplier.

What closes the seam is a deliberate handoff rather than a mutual assumption. Compliance authors the draft standard, drawing the floor from the frameworks that still apply. Finance prices it honestly, with the assurance load in the model and the go/no-go question on the table. Where the two disagree on how much rigor is enough, the audit committee arbitrates — the right venue, because the directors answer for the result. The failure mode is not disagreement; surfaced, that is how the standard gets set. The failure mode is silence, each office presuming the other has it handled, until an examiner or an incident reveals no one did. Until the request for information arrives, the bank's control standard for its fastest-moving AI is whatever compliance and finance agree it is — and that is the operating condition for the window that matters most, the months in which these systems move into production and begin making decisions the bank will answer for.


How is your institution defining adequate governance for agentic systems?

Duczer East advises on the assurance architecture and control frameworks that make agentic AI defensible under regulatory scrutiny when no examiner template yet exists.
