The Architecture Decisions You’re Already Making — Luminity Digital
The Captured Vertical  ·  Dispatch  ·  May 2026

No Rulebook Is a Higher Wall

SR 26-2 replaced SR 11-7 six days before this series’ second post ran. The compliance substrate argument didn’t break. It got sharper.

May 2026 · Tom M. Gomez · Luminity Digital · 8 Min Read

On April 23, 2026, I argued that the compliance substrate is the financial services AI market — that SR 11-7, the 2011 Federal Reserve and OCC supervisory guidance on model risk management, functions as the market’s de facto permission gate for any AI that makes or informs a material financial decision. On April 17, 2026, the Fed, OCC, and FDIC jointly rescinded SR 11-7 and replaced it with SR 26-2. Post 2 of this series ran six days later. That timing requires an honest accounting. This dispatch provides it.

The rescission was public when Post 2 ran. I was not writing ahead of the replacement — I was writing the substrate argument at the exact moment the regulatory ground shifted beneath it. The question worth asking is not whether the timing is awkward. It is whether the replacement dismantles the argument or extends it. The answer is that SR 26-2 does not dismantle the captured vertical thesis. It deepens it. What changed is the mechanism. SR 11-7 was a checklist. SR 26-2 is a judgment framework. That distinction is the dispatch.

When the Ground Shifted

Post 2 argued that SR 11-7 functioned as a permission gate — a compliance layer so structurally embedded in banking operations that it determined who was allowed to deploy AI at scale. SR 26-2 does not remove that function. It makes the gate harder to pass, harder to replicate, and harder to fake. The wall got higher. The vertical got more captured.

SR 11-7 was a checklist. SR 26-2 is a judgment framework. That distinction is the post.

What SR 26-2 Actually Changed

SR 26-2 — issued jointly by the Federal Reserve, OCC, and FDIC as SR 26-2 / OCC Bulletin 2026-13 — replaces SR 11-7 after fifteen years. The practical shift is from prescription to judgment. SR 11-7 established a structural framework: independent validation function, three lines of defense, conceptual soundness review. The organizing logic was separation — keep development, validation, and use in distinct organizational lanes. Compliance meant satisfying a checklist whose components could be documented and demonstrated to an examiner.

SR 26-2 reorganizes the framework around four drivers: inherent risk, exposure, purpose, and use. The definitions are precise and worth holding exactly.

  • Inherent risk — The internal characteristics of the model itself: complexity, number of assumptions, data quality, interpretability.
  • Exposure — The financial footprint: the scale of the decisions the model influences. A model driving $10 billion in credit decisions carries higher exposure than an internal propensity score used for marketing segmentation, regardless of technical soundness.
  • Purpose — The weight of the decision context. Models supporting regulatory reporting, capital adequacy determinations, or fair-lending assessments rank higher than models used for internal research.
  • Use — The most underappreciated driver. A technically sound model can still carry high risk if applied outside the conditions it was designed for, used by teams without adequate training, or deployed in contexts its development process did not anticipate.

Materiality — how much of the model risk management framework a given model attracts — is the output of these four drivers considered together. It is not a fifth driver.

Banks that mis-specify materiality as an independent input will build MRM programs that track the wrong variable and arrive at examiner reviews with structural gaps. The distinction is checkable and the guidance is explicit.

The second major shift is in how validation independence is assessed. SR 11-7 was widely read as requiring structural independence — separate reporting lines, dedicated validation functions with clear organizational separation. SR 26-2 moves the test. The guidance states directly that the quality of the validation process depends on the rigor and effectiveness of the review rather than on organizational structure. The control is now the substance of the challenge, not the box on the org chart. For institutions with governance-by-design capability — auditable evidence chains, documented decision provenance, effective challenge embedded in the workflow — this is not a relaxation. It is a reframing that rewards exactly the infrastructure they have already built.

Scope: the revised guidance is explicitly tailored to banking organizations over $30 billion in total assets. For Tier-1 institutions, nothing about applicability changed.

The Carve-Out Is the Capture Mechanism

SR 26-2 contains a footnote that will be read as relief by some practitioners and as a competitive signal by anyone paying attention to the architecture underneath it. Footnote 3 of the Fed letter states, verbatim:

“Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance.”

The immediate read — this is how it will circulate in compliance circles — is that generative and agentic AI has been carved out of model risk management requirements. That reading is incomplete, and the same footnote closes it: a banking organization’s risk management and governance practices should still guide controls for systems not covered in the guidance. The carve-out does not create a compliance-free zone. It creates a zone with no published rulebook.

That is the capture mechanism. Under SR 11-7, the compliance requirement for AI models was a known specification. You could study it, satisfy it, document it, and present it to an examiner. Under SR 26-2, agentic AI is explicitly ungoverned by published guidance. Banks deploying autonomous systems in material decision contexts must still build defensible control frameworks — but they must build them from judgment, not specification. There is no template. The Fed has signaled that a separate Request for Information on AI use in banking is planned, meaning self-governance is the operating condition for the foreseeable future.

The institutions best positioned to build a defensible framework without a template are the ones who have spent fourteen years developing the examiner relationships, governance culture, and institutional credibility to have their judgment accepted as sound. That is not a resource question. It is a trust-accumulation question.

The Wall Got Higher, Not Lower

Post 2 argued that SR 11-7 was a gate. SR 26-2 did not remove the gate. It removed the gate’s published specification. What remains is harder to pass, harder to replicate, and — critically — impossible to fake in an examination relationship that spans years.

Under SR 11-7, a bank could satisfy model risk management requirements by demonstrating structural separation and documentation. An examiner could check boxes. Under SR 26-2’s judgment framework — and in the explicit regulatory vacuum that now governs generative and agentic AI — the examination is not a checklist review. It is a credibility assessment. The examiner is evaluating whether the institution’s model risk management culture is sound: whether the effective challenge is genuine, whether the governance infrastructure reflects considered judgment, whether the control framework for ungoverned AI tools is defensible given the institution’s risk profile.

You cannot build that credibility in a compliance cycle. It accumulates — the same way the compliance substrate itself accumulated across fourteen years of SR 11-7 supervision. The captured vertical is more captured than it was on April 16.

The Architectural Implication

Post 2 closed on a distinction that SR 26-2 sharpens: SR 11-7 governed approval, not execution. SR 26-2 governs judgment, not mechanics. It updated the approval framework for traditional models while explicitly declining to write requirements for the tools banks are racing to deploy. The guidance is an updated playbook for the past and a regulatory vacuum for the future.

That vacuum does not suspend the architectural question. It intensifies it. With no published specification for agentic AI governance, the institutions that win the examination relationship are the ones whose control frameworks for ungoverned systems are the most legible, the most auditable, and the most defensible against an examiner’s judgment. That is a decision trace problem. It is a runtime authorization problem. It is the harness problem — and SR 26-2 has now made it the central problem in FSI model governance without providing any guidance on how to solve it.

The gate moved from rule to judgment. The harness question is still open. The architecture that closes it does not yet exist at scale. That is the work.

The compliance substrate is the market. SR 26-2 just raised its own entry barrier.
