Bank Regulators Just Updated Model Risk Management. Your AI Program Is Now Auditable.
Treat AI in banking as a supervised model portfolio: maintain a decision-linked inventory, tier by materiality, validate and monitor outcomes, and make board oversight inspectable through minutes and an evidence index.
Sector Intelligence for Friday, May 29, 2026. Interagency model risk management guidance was updated on April 17, 2026. It resets expectations for how banks inventory, validate, monitor, and govern models. The guidance says generative AI and agentic AI are out of scope, and it also says a request for information is coming that will consider bank use of AI. Translation: your AI program is now moving into the exam file. If you cannot produce the artifacts, you do not have governance.
The supervisory shift: model risk is now explicitly portfolio-driven and risk-based
The revised guidance pulls model risk management away from one-size expectations and back toward a risk-based approach: material models get rigorous oversight; immaterial models still get inventory and monitoring so they do not become tomorrow’s surprise. It also makes the scope signal explicit: the guidance is expected to be most relevant to banking organizations over $30B, but it can apply to smaller institutions when model risk exposure is significant.
Boards should not over-read the phrase out of scope. The practical read is that banks still need a governance operating model that can support whatever comes next. The path is predictable: inventory, tiering, validation evidence, monitoring evidence, third-party controls, and minutes.
What the exam file looks like: four artifacts that turn AI from narrative into evidence
Most banks have an AI story. Very few have an auditable AI portfolio. The evidence discipline is not a memo. It is an artifact suite that can be produced on demand and stays current.
This is the governance asymmetry that matters: a policy document is a claim. An evidence index is proof. If governance is real, it is inspectable.
The 90-day board move: upgrade the rituals, not the slogans
The AI-First Culture mistake is thinking governance is a policy project. In supervised sectors, governance is a cadence: a repeatable ritual that produces minutes, exceptions, and remediation. If your oversight meetings do not create inspectable artifacts, the program is performative.
- Inventory: produce one decision-linked model and AI inventory with owners, purpose, and what decisions each system influences.
- Tiering: establish a materiality rubric that is simple enough to execute and strict enough to govern exceptions.
- Evidence: define what validation and monitoring evidence looks like for each tier, then build the first version of the evidence index.
- Cadence: install an oversight ritual that creates minutes, approvals, exceptions, and remediation commitments at a board-appropriate level.
If you want a fast way to locate the highest-priority governance gap, start with the AI-First Culture diagnostic. If you want the board-grade oversight architecture, use the Board Brief as the packet for your next committee meeting.
If AI is touching credit, fraud, compliance, customer decisions, or pricing, governance has to be inspectable. Start with the Board Brief, then use the diagnostic to locate the highest-priority control and accountability gap.