01 The short answer
Financial services AI compliance is governed by existing supervisory frameworks rather than a single AI statute. Information security and third-party risk expectations, internal control over financial reporting, data protection law, and fair lending all apply to AI the moment it touches a regulated decision or customer data. Model risk management has its own twist: SR 11-7 was the anchor for over a decade, but the April 2026 guidance that replaced it (SR 26-2) deliberately leaves generative and agentic AI outside its formal scope, with further AI-specific guidance expected.
That carve-out is a guidance gap, not a free pass. An AI assistant that helps a banker answer a customer question, summarize an account, or draft a credit memo does not get a lighter touch because it is built on a foundation model. If its output influences a decision, or if it can reach regulated customer data, the institution must be able to show what controls govern it and produce evidence that those controls operated. Supervisors expect banks to apply model-risk principles to consequential AI even though it sits outside the 2026 guidance, so the practical bar is the one that has always applied to models: documented development and use, independent challenge, governance with clear ownership, and an audit trail an examiner can inspect.
The hard part is rarely the policy on paper. It is enforcing access at the moment a request is made and producing evidence that survives examiner scrutiny. That is the gap runtime controls are built to close.
02 The regulatory surface for AI in banking
There is no dedicated AI rulebook that supersedes everything else. AI in a bank is governed by the same overlapping authorities that already govern models, data, and third parties. A risk officer evaluating a finance copilot is, in practice, mapping it against several frameworks at once.
- Model risk management. Supervisory guidance on model risk was anchored by SR 11-7 for over a decade, until SR 26-2 (OCC Bulletin 2026-13) rescinded and replaced it in April 2026. It sets expectations for how quantitative models are developed, validated, governed, and documented, and traditional quantitative models stay squarely in scope. Generative and agentic AI are expressly carved out of the 2026 guidance, but model-risk thinking remains the reference point supervisors expect banks to apply to consequential AI.
- FFIEC, OCC, FDIC, and Federal Reserve supervision. The FFIEC IT Examination Handbook covers information security, architecture, and third-party risk. Vendor LLMs are evaluated as third-party relationships, with the expectation that the bank, not the vendor, owns the outcome.
- Internal control over financial reporting (ICFR). Where AI output feeds financial statements or reporting processes, the controls over that output fall under ICFR and the institution's broader control environment, and examiners review them alongside the FFIEC expectations above.
- GLBA data protection. The Gramm-Leach-Bliley Act and the Safeguards Rule require protection of nonpublic personal information. An AI system that can place customer financial data into a prompt or a log is squarely in scope.
- Fair lending considerations. Where AI informs credit or pricing, fair lending law and prohibitions on disparate treatment apply. Output used in lending decisions invites scrutiny of how it was produced and whether it can be explained.
None of these were written for generative AI specifically, and the 2026 model risk guidance now puts generative AI outside its formal scope. The supervisory expectation is unchanged in substance: the institution's job is to translate established model-risk and data-protection principles into controls that work at runtime, and to keep evidence that they did, while more AI-specific guidance is developed.
03 How SR 11-7 defined a model, and why LLMs once fit
SR 11-7, the 2011 supervisory guidance on model risk management issued jointly by the Federal Reserve and the OCC (OCC Bulletin 2011-12), defined the term broadly. Under that guidance, a model was any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories and techniques to process input data into quantitative estimates. The definition was deliberately function-based: it turned on what the system does, not what technology it uses.
On that reading, a large language model that produces a risk score, a classification, a probability, or a recommendation that feeds a decision looked a lot like a model. The label "AI" did not, by itself, exempt it. That is why, since the arrival of foundation models, bank model risk teams have asked the same first question they ask of any new system: does it produce output that influences a decision, and if so, where does it sit in the model inventory?
The 2026 guidance changed the formal answer. SR 26-2 (OCC Bulletin 2026-13) rescinded and replaced SR 11-7 in April 2026 and explicitly excludes generative and agentic AI from its scope, so an LLM is no longer formally classified as an in-scope model. The function-based logic still matters, because supervisors expect banks to apply model-risk principles to consequential AI even in the gap. For how that logic and the model definition map onto generative systems in more depth, see our companion guide to SR 11-7 for LLMs and model risk.
04 The three components examiners expect
SR 11-7 organized sound model risk management into three components, and the 2026 guidance carries the same principles forward for in-scope models. They remain the template examiners use, and they map cleanly onto AI systems even where generative AI now sits outside the formal model-risk scope.
- Robust development, implementation, and use. The model should be built on sound theory and data, implemented as designed, and used for its intended purpose. For an LLM-based assistant this includes how it is configured, what data sources it draws on, and the controls that constrain its behavior in production.
- Independent validation and effective challenge. The guiding principle of SR 11-7 is effective challenge: critical analysis by objective, informed parties who can identify limitations and force changes. Validation should be performed by people independent of those who built the system, with enough standing to be heard.
- Governance, policies, and controls. A governance framework should define roles, ownership, policies, and controls, and it must include a model inventory. The inventory is the institution's authoritative record of where models, including AI, are used, who owns them, and what their risk rating is.
For generative AI, the second component is the difficult one. A stochastic model can return different outputs for the same input, which makes traditional validation harder. That is precisely why deterministic controls around the model matter: they are reproducible, and reproducible controls are easier to validate and challenge than non-reproducible behavior.
05 How the 2026 guidance treats foundation models
In April 2026 the agencies revised the model risk framework. OCC Bulletin 2026-13, designated SR 26-2 by the Federal Reserve and issued in coordination with the FDIC, rescinded and replaced SR 11-7 (OCC Bulletin 2011-12) for covered banks, with updated guidance that preserves the original principles while taking a risk-based posture scaled to an institution's size and complexity. Traditional quantitative models, such as credit scoring, market risk, and regulatory capital models, remain in scope.
Notably, the revised guidance places generative and agentic AI outside its formal scope, stating that those systems are novel and rapidly evolving and are not within the scope of the guidance. It does not leave them unsupervised. The agencies plan to issue a request for information that addresses model risk management generally and banks' use of AI, including generative and agentic AI. In the meantime, supervisors expect banks to apply model-risk-management principles consistent with the underlying risk to the AI they deploy.
The takeaway for a risk officer is that the framework was not rewritten around foundation models, and the obligations did not disappear; they sit in a deliberate gap. Traditional and non-generative AI models stay under the model-risk regime. Generative and agentic AI fall outside the 2026 guidance, yet examiners continue to expect sound governance, inventory, validation-equivalent controls, monitoring, and documentation for consequential AI. Because the gap is deliberate and more guidance is coming, the prudent posture is to apply model-risk discipline to AI now rather than wait. If anything, the carve-out raises the value of controls a bank can validate and document on its own, because it must justify the governance choices it makes for generative tools rather than inherit them from a single rulebook.
06 Data governance for finance AI
A finance copilot is only useful if it can reach real data: customer profiles, account histories, transactions over banking APIs, claims exchanged as X12 EDI, and balances and instructions surfaced through Open Banking connections. That reach is also the risk. The moment an assistant can retrieve a record, it can place that record into a prompt, a response, or a log.
The core failure is what we call the "relevance is not permission" problem. A retrieval system finds the records most relevant to a question. Relevance says nothing about whether the person asking is cleared to see those fields. A support agent asking about a customer's recent activity may get an answer that surfaces a full account number or an income figure simply because it was relevant to the query. The system did its job. The control did not exist.
Strong AI data governance for finance means deciding access per field and per role before the prompt is assembled, not filtering the answer afterward. Custosa runs inside the institution's environment and inspects every record and field at runtime, applying per-field decisions through a five-level clearance lattice. A field that a role is not cleared to see is withheld before it ever reaches the model. The same approach governs retrieval-augmented generation; for the broader pattern see RAG security.
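The per-field, per-role decision described above, as an added example that is not Custosa's code: a five-level clearance lattice, a PASS or REDACT verdict for every field of a retrieved record before the prompt is assembled, and fail-closed handling of unknown roles or unclassified fields. The level names, field classifications, role clearances and sample record are constructed for illustration; the page states only that the lattice has five levels and that verdicts are PASS or REDACT.

```python
# Added example (not Custosa's code): per-field PASS/REDACT decisions made before
# the prompt is assembled. Level names, field classifications and role clearances
# are constructed for illustration; the page only says the lattice has five levels.
import hashlib
import json

# Five-level clearance lattice, lowest to highest (constructed names).
LATTICE = ["PUBLIC", "INTERNAL", "CONFIDENTIAL", "RESTRICTED", "SECRET"]
LEVEL = {name: i for i, name in enumerate(LATTICE)}

# Constructed field classifications for a customer record.
FIELD_CLASS = {
    "customer_id": "INTERNAL",
    "name": "INTERNAL",
    "last_login": "INTERNAL",
    "account_number": "RESTRICTED",
    "annual_income": "CONFIDENTIAL",
    "ssn": "SECRET",
}

# Constructed role clearances.
ROLE_CLEARANCE = {
    "support_agent": "INTERNAL",
    "credit_analyst": "CONFIDENTIAL",
    "fraud_investigator": "RESTRICTED",
}

def decide_field(role, field):
    """Return PASS or REDACT. Unknown role or unclassified field -> REDACT (fail-closed)."""
    clearance = ROLE_CLEARANCE.get(role)
    classification = FIELD_CLASS.get(field)
    if clearance is None or classification is None:
        return "REDACT"
    return "PASS" if LEVEL[clearance] >= LEVEL[classification] else "REDACT"

def enforce(role, record):
    """Apply per-field verdicts to a retrieved record. Returns the record the model
    may see, the per-field verdicts, and content-free metadata for an audit entry."""
    visible, verdicts = {}, {}
    for field, value in record.items():
        verdict = decide_field(role, field)
        verdicts[field] = verdict
        visible[field] = value if verdict == "PASS" else "[REDACTED]"
    meta = {
        "role": role,
        "pass_count": sum(v == "PASS" for v in verdicts.values()),
        "redact_count": sum(v == "REDACT" for v in verdicts.values()),
        # Hash of the full record ties the decision to the data handled
        # without storing any field value.
        "record_sha256": hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest(),
    }
    return visible, verdicts, meta

if __name__ == "__main__":
    # Constructed sample record; a support agent is cleared for INTERNAL fields only.
    record = {"customer_id": "C-1001", "name": "A. Example", "account_number": "1234567890",
              "annual_income": 85000, "ssn": "000-00-0000", "last_login": "2026-05-01"}
    shown, verdicts, meta = enforce("support_agent", record)
    print(json.dumps(shown, indent=2))
    print(meta)
```

Because the verdict depends only on the role's clearance and the field's classification, the same request always yields the same verdicts and the same metadata, which is what makes the control reproducible for validation.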
07 Producing audit evidence examiners can inspect
Policy enforcement is necessary but not sufficient. An examiner will ask the institution to demonstrate that controls operated, not just that they were configured. That demand collides with a real constraint: the evidence of how a customer record was handled cannot itself become a new copy of regulated customer data sitting in a log.
Custosa resolves the tension by making evidence content-free. Every decision is recorded as a signed entry that holds verdict metadata, hashes, signatures, and counts, never record content. Each entry is signed with HMAC-SHA256 and hash-chained to the previous entry, so altering or removing any entry breaks the chain. The ledger is append-only and tamper-evident, and it can be verified independently and offline without contacting Custosa. An examiner can confirm the integrity of the record without the institution exporting a single customer field.
An examiner can verify the controls without ever touching the data they protect.
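The evidence scheme this section describes (and the FAQ below restates), as an added example that is not Custosa's code: each verdict becomes an entry holding only metadata, counts and hashes, signed with HMAC-SHA256 and chained to the previous entry's MAC, with a verifier that works offline from the ledger and the key alone. The entry layout, the genesis anchor, the sample verdicts and the demo key are assumptions; the offline check assumes the verifier holds the signing key.

```python
# Added example (not Custosa's code): a content-free, HMAC-SHA256 signed,
# hash-chained verdict ledger and an offline verifier. Entry fields, the
# genesis anchor and the demo key are assumptions made for illustration.
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain anchor for the first entry (constructed convention)

def canonical(entry):
    """Stable byte encoding of the entry fields covered by the MAC."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()

def append_entry(ledger, key, verdict_meta):
    """Append a signed entry. verdict_meta holds only metadata (role, policy id,
    counts, a hash of the record handled), never field values."""
    prev_mac = ledger[-1]["mac"] if ledger else GENESIS
    body = dict(verdict_meta, seq=len(ledger), prev_mac=prev_mac)
    # The MAC covers the body and, through prev_mac, every entry before it.
    mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    ledger.append(dict(body, mac=mac))
    return ledger[-1]

def verify_ledger(ledger, key):
    """Offline check: recompute every MAC and confirm each entry chains to the
    previous one. Returns (ok, index_of_first_bad_entry_or_None)."""
    expected_prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev_mac") != expected_prev:
            return False, i  # gap, reorder or removed entry
        mac = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, entry["mac"]):
            return False, i  # altered entry or wrong key
        expected_prev = entry["mac"]
    return True, None

def build_sample_ledger(key):
    """Constructed sample: three verdicts from a finance copilot session."""
    ledger = []
    # The record hash ties an entry to the data handled without storing it.
    rec_hash = hashlib.sha256(b"constructed customer record").hexdigest()
    for role, passed, redacted in [("support_agent", 3, 3),
                                   ("credit_analyst", 5, 1),
                                   ("support_agent", 3, 3)]:
        append_entry(ledger, key, {"role": role, "policy_id": "finance-fields-v1",
                                   "pass_count": passed, "redact_count": redacted,
                                   "record_sha256": rec_hash})
    return ledger

if __name__ == "__main__":
    key = b"constructed-demo-key"  # in practice a managed signing key
    ledger = build_sample_ledger(key)
    print(verify_ledger(ledger, key))   # (True, None)
    ledger[1]["redact_count"] = 0       # alter one entry after the fact
    print(verify_ledger(ledger, key))   # (False, 1)
```

Altering a count, deleting an entry, or re-signing with a different key all surface as a chain break at a specific index, and nothing in the ledger reveals a customer field value.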
08 The most common examination finding
Across model risk examinations, the recurring deficiency is an inadequate model inventory. Institutions are cited not because they lack any inventory, but because the inventory is incomplete, out of date, or disconnected from what is actually running. Models are deployed, modified, or quietly retired, and the system of record does not keep pace. AI makes this worse, because assistants and copilots can be spun up quickly and embedded in workflows without going through traditional model onboarding.
Runtime verdict evidence helps close the gap from the other direction. When every access decision is logged with the policy that governed it and the system that made the request, the institution has a continuous, factual record of where AI actually touched regulated data and under what controls. That record does not replace the model inventory, but it gives model risk and audit teams a ground-truth signal to reconcile the inventory against, and evidence that the controls in the inventory are the controls that ran.
09 What controls and evidence Custosa provides
Custosa is the runtime data-control plane for enterprise AI. It inspects every record and field at runtime, before the model, and decides per field whether to pass or redact based on the caller's role. For financial institutions, the controls and the evidence map directly onto what examiners and auditors look for.
| What examiners need | What Custosa provides |
|---|---|
| Defined, enforceable controls | A deterministic, formal policy engine (Cedar), not a model. The same inputs always produce the same verdict, and the pipeline is fail-closed. |
| Access scoped to role | Per-field PASS or REDACT decisions through a five-level clearance lattice, applied before the prompt is assembled. |
| Explainable, reproducible decisions | Because verdicts are deterministic, every decision is explainable and can be reproduced and documented, which is easier to validate than stochastic behavior. |
| Audit trail for review | Every decision signed with HMAC-SHA256 and hash-chained into an append-only, tamper-evident, content-free ledger that verifies offline. |
| Mapping to financial frameworks | SOC 2 and SOC 1 packs, with policy mapping to SR 11-7, FFIEC, and ICFR expectations to support examiner review. |
| Data protection | Data plane runs inside your environment so records never leave. TLS in transit, AES-256-GCM at rest, BYOK available. |
Because the policy engine is deterministic, the controls themselves behave the way model-risk principles expect controls to behave: the same inputs give the same verdict, every time, with a record to prove it. That makes them easier to validate and document than the stochastic model they sit in front of, which is exactly the discipline supervisors expect banks to bring to consequential AI in the gap the 2026 guidance leaves.
- There is no standalone AI statute for banks. Existing security, ICFR, GLBA, and fair lending frameworks apply to AI the moment it touches a decision or customer data, and supervisors expect model-risk principles applied to consequential AI even where the 2026 guidance excludes it.
- SR 11-7 defined a model by function, broadly enough that an LLM feeding a decision looked like one. That framework was superseded in April 2026, and generative AI is now outside the formal model-risk scope.
- The 2026 guidance (SR 26-2 / OCC Bulletin 2026-13) rescinded and replaced SR 11-7, kept its principles for traditional and non-generative AI, and put generative and agentic AI outside its scope, with a request for information and further AI guidance expected.
- The most common examination finding is an inadequate model inventory. Runtime verdict evidence gives teams a ground-truth signal to reconcile against.
- Custosa provides deterministic per-field controls and content-free signed evidence that support model risk management and examiner review. The bank remains responsible.
Frequently asked questions
Does SR 11-7 apply to LLMs?
Not anymore, at least not directly. SR 11-7 was the long-standing model risk management framework for US banks, but in April 2026 the OCC, Federal Reserve, and FDIC replaced it with revised guidance (OCC Bulletin 2026-13, designated SR 26-2). That 2026 guidance explicitly excludes generative and agentic AI from its formal scope, describing those systems as novel and rapidly evolving, and the agencies plan a request for information on banks' use of AI. So there is currently a deliberate guidance gap for LLMs. Even so, supervisors still expect banks to apply model-risk principles to consequential AI: an LLM that influences a credit, fraud, or financial-reporting decision should have documented governance, inventory, validation-equivalent controls, monitoring, and auditable evidence. The prudent posture is to apply that discipline now rather than wait for further AI-specific guidance.
Is a large language model a model under SR 11-7?
SR 11-7 defined a model broadly as any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories and techniques to process input data into quantitative estimates, and that definition was broad enough to reach an LLM producing a score, classification, or quantitative output used in a decision. That framework was superseded in April 2026 by SR 26-2 (OCC Bulletin 2026-13), which explicitly places generative and agentic AI outside its formal scope as novel and rapidly evolving. So a generative model is no longer formally treated as an in-scope model. Supervisors nonetheless expect banks to apply model-risk principles to consequential AI, so the practical obligation to govern, validate, and document the system remains.
What do bank examiners expect for generative AI?
Examiners expect the same fundamentals they have always expected for models: a complete inventory of where AI is used, documented development and implementation, independent validation or effective challenge, ongoing monitoring, and governance with clear ownership and controls. For generative AI specifically, examiners look for controls on what data the system can access, how outputs are reviewed, and whether the institution can produce evidence that those controls operated. The bank remains responsible for outcomes regardless of vendor or model.
What is model risk for generative AI?
Model risk is the risk of adverse consequences from decisions based on incorrect or misused model output. For generative AI it includes hallucinated or unsupported answers, exposure of sensitive customer data in a prompt or response, non-reproducible behavior that is hard to validate, and the use of outputs in decisions without adequate review. Because a generative model is stochastic, the same input can produce different outputs, which complicates validation. Deterministic controls placed around the model, such as a formal policy engine that decides what data the model may see, reduce that surface and are easier to validate and document than the model itself.
How do you evidence AI controls for an audit?
You evidence AI controls by recording, for each request, what policy was applied, what decision was reached, and which fields were allowed or withheld, then making that record verifiable. Custosa signs each decision with HMAC-SHA256 and hash-chains it into an append-only, tamper-evident ledger that an examiner can verify offline. The ledger is content-free: it holds verdict metadata, hashes, and signatures, never customer record content, so it can be shared with auditors without moving regulated data.
Does FFIEC have specific AI rules?
There is no single standalone FFIEC AI rulebook. AI in banking is governed through existing frameworks: model risk management guidance, information security and third-party risk expectations in the FFIEC IT Examination Handbook, consumer protection and fair lending law, and GLBA data protection. The 2026 revised model risk guidance addresses traditional and non-generative AI models and signals that the agencies plan a request for information on AI, including generative and agentic AI. In practice, banks apply established model-risk, data-governance, and vendor-management principles to AI rather than a dedicated AI statute.