Bespoke Mentis
Regulated Industries 8 min read May 29, 2026 Updated May 29, 2026

Navigating SR 26-02: The New Standard for Model Risk Management

SR 26-02 replaces SR 11-7 with a broader, AI-focused framework, demanding that financial institutions overhaul their model risk management practices to address the unique risks and compliance challenges of AI and machine learning.

Mentis Daily Intelligence


On June 6, 2024, the Federal Reserve issued SR 26-02, formally superseding the 2011 SR 11-7 guidance and setting a new regulatory baseline for model risk management that explicitly addresses the risks posed by AI and machine learning models [1]. This shift is not theoretical: the updated guidance is a direct response to the surge in AI adoption across the financial sector, and it codifies expectations that are already being enforced in regulatory examinations. For CTOs, CISOs, and compliance leaders, understanding and operationalizing SR 26-02 is now a non-negotiable requirement for maintaining regulatory compliance and protecting institutional integrity.

SR 26-02: Expanding the Definition and Scope of Model Risk

SR 26-02 marks a fundamental departure from SR 11-7 by explicitly expanding the definition of “model” to include advanced AI and machine learning systems, including those that are non-linear, non-parametric, or adaptive in nature [1]. This is not a semantic change; it is a recognition that traditional statistical models and modern AI systems present fundamentally different risk profiles. AI models, particularly those based on deep learning or ensemble methods, often operate as “black boxes,” making their decision logic difficult to interpret or audit. SR 26-02 directly addresses this by requiring institutions to develop and maintain documentation that explains not just what a model does, but how it does it—even when the underlying algorithms are complex or opaque [2]. This includes clear articulation of model objectives, design choices, training data provenance, and the rationale for selecting particular algorithms or architectures. Institutions must also document known limitations, such as susceptibility to data drift, adversarial attacks, or bias amplification, and describe the controls in place to mitigate these risks.

The guidance also expands the scope of what constitutes a “model” to include not only traditional credit risk and market risk models, but also AI-driven systems used for fraud detection, anti-money laundering (AML), customer segmentation, and even operational decision-making [1]. This means that any system that uses data-driven algorithms to inform or automate decisions—regardless of whether it was previously classified as a model—now falls under the purview of model risk management. For many institutions, this will require a comprehensive inventory and reclassification of existing systems, as well as the development of new risk assessment frameworks tailored to the unique properties of AI and machine learning.

Lifecycle Management: From One-Time Validation to Continuous Oversight

A central pillar of SR 26-02 is the shift from periodic, event-driven model validation to a lifecycle approach that emphasizes continuous monitoring, validation, and improvement [1][3]. Under SR 11-7, it was common for institutions to conduct model validations on an annual or biennial basis, often relying on static test sets and retrospective performance analysis. SR 26-02 explicitly rejects this approach for AI-driven models, which can evolve rapidly in response to new data, changing market conditions, or adversarial manipulation. Instead, the guidance requires institutions to implement real-time or near-real-time monitoring systems that can detect performance degradation, data drift, or emergent biases as soon as they occur [2].

This lifecycle approach encompasses several key activities. First, model development must include robust pre-deployment testing, including stress testing, sensitivity analysis, and adversarial evaluation to identify vulnerabilities before a model is put into production. Second, ongoing monitoring must be capable of detecting not only quantitative performance issues (such as increased error rates or false positives) but also qualitative changes, such as shifts in feature importance or the emergence of new sources of bias. Third, institutions must establish clear escalation protocols for when a model’s performance falls outside of predefined thresholds, including procedures for model retraining, rollback, or decommissioning [3]. These requirements demand significant investments in monitoring infrastructure, data engineering, and human expertise, particularly for institutions with large or diverse model portfolios.
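One way to turn the threshold-and-escalation logic described above into a concrete monitoring check, as an added example that is not from the article or from any regulator's guidance: population-stability-index drift on the score distribution, an error-rate delta against the validated baseline, and an outcome-rate gap across groups, each mapped to continue / retrain / rollback. The thresholds, bin count and sample data are constructed assumptions; decommissioning is left to the governance process.

```python
import math

# Thresholds are constructed for this example; the guidance leaves the numbers to the institution
PSI_WARN, PSI_CRIT = 0.10, 0.25   # population stability index on the score distribution
ERR_TOLERANCE = 0.05              # tolerated absolute rise in error rate over baseline
PARITY_MAX = 0.10                 # tolerated gap in positive-outcome rate across groups
BINS = 5

def psi(baseline, current, eps=1e-6):
    """Population Stability Index between two lists of model scores in [0, 1)."""
    def hist(scores):
        counts = [0] * BINS
        for s in scores:
            counts[min(int(s * BINS), BINS - 1)] += 1
        return [c / len(scores) for c in counts]
    b, c = hist(baseline), hist(current)
    return sum((ci - bi) * math.log((ci + eps) / (bi + eps)) for bi, ci in zip(b, c))

def error_rate(labels, preds):
    return sum(l != p for l, p in zip(labels, preds)) / len(labels)

def parity_gap(preds, groups):
    """Largest spread in positive-outcome rate between any two groups (emergent bias signal)."""
    rates = {}
    for p, g in zip(preds, groups):
        tot, pos = rates.get(g, (0, 0))
        rates[g] = (tot + 1, pos + (p == 1))
    shares = [pos / tot for tot, pos in rates.values()]
    return max(shares) - min(shares)

def evaluate_model(baseline_scores, current_scores, baseline_err, labels, preds, groups):
    """Apply the escalation ladder and return (action, findings) for the escalation log."""
    f = {"psi": psi(baseline_scores, current_scores),
         "error_rate": error_rate(labels, preds),
         "parity_gap": parity_gap(preds, groups)}
    f["error_delta"] = f["error_rate"] - baseline_err
    if f["psi"] >= PSI_CRIT or f["error_delta"] >= 2 * ERR_TOLERANCE:
        action = "rollback"      # serve the previous validated model version
    elif f["psi"] >= PSI_WARN or f["error_delta"] >= ERR_TOLERANCE or f["parity_gap"] > PARITY_MAX:
        action = "retrain"       # open a retraining ticket; model stays under watch
    else:
        action = "continue"
    return action, f

# Constructed sample: a stable period, then a period where scores pile up in the top bin
BASELINE = [i / 10 + 0.05 for i in range(10)]          # one score per decile
STABLE, DRIFTED = list(BASELINE), [0.9] * 10
LABELS = [1] * 25
PREDS_OK = [0] * 3 + [1] * 22                          # 12% error vs. a 10% baseline
GROUPS = ["a", "b"] * 12 + ["a"]
```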

Governance, Accountability, and AI-Specific Expertise

SR 26-02 places unprecedented emphasis on governance structures and the need for AI-specific expertise at every stage of the model lifecycle [1][3]. The guidance requires that boards of directors and senior management take explicit responsibility for model risk management, including the approval of risk appetite statements, oversight of model inventories, and regular review of model performance reports. This is a marked departure from previous practice, where model risk was often delegated to quantitative teams or middle management. Under SR 26-02, accountability for model risk is a board-level concern, and institutions must be able to demonstrate that senior leaders understand both the strategic value and the operational risks of AI-driven models.

To meet these expectations, institutions must enhance their governance frameworks to include dedicated AI risk committees, cross-functional review boards, and clear lines of responsibility for model development, validation, and monitoring. Critically, SR 26-02 recognizes that effective oversight of AI models requires specialized skills that may not be present in traditional risk or compliance teams. Institutions are therefore expected to recruit or develop talent with expertise in machine learning, data science, ethics, and explainability, and to ensure that these experts are integrated into governance processes [2][3]. This may require new hiring, targeted training programs, or partnerships with external specialists, particularly in areas such as adversarial robustness, algorithmic fairness, and model interpretability.

Documentation, Transparency, and Regulatory Auditability

Transparency and documentation are recurring themes throughout SR 26-02, reflecting regulators’ concerns about the auditability and explainability of AI-driven models [1]. The guidance introduces stricter requirements for model documentation, mandating that institutions maintain detailed records of model development, validation, deployment, and ongoing monitoring activities. This includes not only technical documentation (such as code repositories, data dictionaries, and validation reports) but also governance artifacts (such as risk assessments, board minutes, and escalation logs).

For AI models, documentation must address several unique challenges. First, institutions must provide clear explanations of how models make decisions, including the logic of feature selection, the impact of hyperparameters, and the rationale for any post-processing or calibration steps. Second, documentation must include evidence of efforts to detect and mitigate bias, including the results of fairness audits, demographic impact analyses, and remediation plans. Third, institutions must maintain records of all data used to train, validate, and monitor models, including data lineage, quality assessments, and controls for data privacy and security [2][3]. These requirements are not optional: regulators are increasingly demanding access to model documentation during examinations, and institutions that cannot provide clear, comprehensive records risk enforcement actions, fines, or forced model decommissioning.

The transparency mandate extends to third-party models and vendor solutions. SR 26-02 makes clear that institutions are responsible for the risks associated with any external models or AI services they use, and must obtain sufficient documentation and assurances from vendors to satisfy regulatory requirements. This may require renegotiating contracts, conducting independent validations, or developing internal expertise to assess black-box vendor models.

Operational Implications: What CTOs and CISOs Must Do This Quarter

SR 26-02 is not a distant or theoretical concern; it is a live regulatory requirement that will shape supervisory expectations and enforcement actions for years to come. CTOs and CISOs at regulated financial institutions must act immediately to assess and upgrade their model risk management frameworks. The first step is to conduct a comprehensive inventory of all models in use—including AI, machine learning, and traditional statistical models—and to classify them according to the expanded definitions in SR 26-02. This inventory should include detailed metadata on model purpose, architecture, data sources, and ownership.

Next, institutions must evaluate their current validation and monitoring processes against the lifecycle requirements of SR 26-02. This will likely reveal gaps in real-time monitoring, adversarial testing, and bias detection, particularly for AI-driven models. Closing these gaps will require investments in monitoring infrastructure, data engineering, and the recruitment or training of AI specialists. Governance frameworks must be updated to ensure that model risk is a board-level concern, with clear lines of accountability and regular reporting to senior management.

Documentation practices must be overhauled to meet the new transparency and auditability standards. This includes not only technical documentation but also governance artifacts and evidence of bias mitigation efforts. Institutions should also review their third-party vendor relationships to ensure that external models meet the same standards of transparency and control as internal models.

Finally, CTOs and CISOs should engage with regulators proactively, seeking feedback on their model risk management frameworks and demonstrating a commitment to continuous improvement. SR 26-02 is designed to be a living framework, and institutions that treat compliance as a one-time exercise will quickly fall behind. By investing in robust, AI-specific model risk management practices now, financial institutions can not only meet regulatory expectations but also build a foundation for safe, responsible, and innovative use of AI in the years ahead.


AI systems analyst and governance specialist at Bespoke Mentis. Covers enterprise AI compliance, regulated industry strategy, and the operational decisions that determine whether AI deployments succeed or fail audit.
