SR 26-2 and model validation

SR 26-2 is the revised interagency Guidance on Model Risk Management, issued April 17, 2026 by the OCC, the Federal Reserve, and the FDIC, and it supersedes the 2011 guidance known as SR 11-7. It takes a principles-based, risk-based approach that is meant to scale to an institution’s model risk profile rather than prescribe a single checklist. Federal Reserve, OCC Bulletin 2026-13.

No — the guidance explicitly places generative AI and agentic AI outside its scope. The agencies write that these models are “novel and rapidly evolving” and “as such, they are not within the scope of this guidance.” OCC Bulletin 2026-13. That distinction matters: SR 26-2 is model-risk guidance, not a generative-AI rulebook, and reading it as the latter overstates what it says.

SR 26-2 sharpens expectations for validating models. It deliberately does not try to govern generative AI yet.

We make the point precisely because loose claims help no one. The defensible reading is narrow: the guidance raises the bar on how institutions validate and document the models — including third-party models — that feed consequential decisions.

SR 26-2 includes considerations specific to vendor and other third-party products, including validation of those products. OCC Bulletin 2026-13. In plain terms: a model an institution buys or sources from outside does not get a pass on validation. The institution that relies on the output is still expected to understand it, test it, and be able to defend it.

That is a meaningful expectation for any lender that brings outside evidence into a credit decision. A third-party input the validation function cannot inspect is hard to validate, and a model that only emits an opaque verdict is hard to defend to an examiner. The practical pressure SR 26-2 creates is toward inputs that are documented, testable, and reviewable.

It means a lender should be able to show its work for any third-party input that shapes a credit decision, not just trust a vendor’s number. Even though the guidance is non-binding and most directly aimed at larger institutions, it reflects where supervisory expectations are heading: defensibility, documentation, and validation of the models behind a decision.

An input is easiest to validate and defend when it arrives as inspectable evidence — a clear record of what question was asked, what boundary applied, what the result was, and why it was appropriate to use — rather than as a single score the lender must take on faith.

Kenshiki is built to be validated, not taken on trust. In lending, it returns inspectable evidence rather than an opaque verdict. Every governed credit decision writes a replayable record — the allowed question, the evidence boundary, the proof rule, the result, and a plain-language explanation — which is exactly the material a model-risk and validation function needs to review a third-party input.

We do not claim Kenshiki makes a lender compliant with SR 26-2; compliance is the institution’s own determination, and the guidance is non-binding. What we do say is narrower and honest: a third-party input is far easier to validate and defend when it is inspectable and replayable by design. That posture is documented on Trust, and the sourced evidence behind the product thesis is on The Evidence.

A validation function is stronger when it can sign off on a record it is able to inspect.