Agentic AI is now exempt from model-risk guidance. The exposure isn't.
Revised U.S. bank model-risk guidance issued in April 2026, SR 26-2, explicitly excludes generative and agentic AI models from its scope, leaving the fastest-growing category of AI-assisted banking decisions without a settled governance framework to point to. That gap is a live exposure today, not a someday problem, and the fix doesn't depend on how the eventual rule lands: a governed memory that traces every fact a system used back to its source, and every conflict back to who resolved it.
Ask a bank's model risk team what they'd hand an examiner today to defend a decision an agentic AI tool helped make, and the honest answer is: whatever they've improvised. Not because nobody's paying attention. Because the rulebook they'd normally reach for was just updated to say, on the record, that this category isn't its problem.
SR Letter 26-2, the Federal Reserve, FDIC and OCC's revised guidance on model risk management, issued 17 April 2026, is why. It replaces SR 11-7, the framework that has anchored bank model governance since 2011: validate it, document it, monitor it, be ready to show your work. Buried in the new letter's scope section is a footnote stating plainly that generative and agentic AI models are "novel and rapidly evolving" and, as such, "are not within the scope of this guidance." The OCC's companion bulletin, 2026-13, repeats the line almost word for word.
That's not the guidance staying silent on agentic AI. It's the guidance naming it and stepping around it, on the same page where it commits, in the next breath, that its principles still apply to "traditional statistical and quantitative models and non-generative, non-agentic AI models." The exclusion is deliberate, and it lands squarely on the systems banks are rolling out fastest.
Guidance, not exemption
None of this makes agentic AI in banking optional to govern. SR 26-2 is non-binding supervisory guidance to begin with. It states plainly that "non-compliance with this guidance will not result in supervisory criticism," and it's aimed most directly at institutions above $30 billion in assets. But examiners have spent fifteen years calibrating what good model governance looks like against exactly the framework this letter replaces, and the newest, fastest-growing category of models a bank runs no longer has one to point to. The agencies have also signalled plans for a future request for information aimed specifically at generative and agentic AI, so this reads as an acknowledged, interim gap rather than a settled position. Interim is still where every institution running these systems operates right now. At institutions above that threshold, agentic tools already draft underwriting narratives, triage fraud alerts, and field customer lending questions: exactly the decisions a model-risk file exists to make defensible.
The questions don't wait
Whatever eventually fills the gap, it will ask the same three questions every model-risk framework has always asked: what did the system know when it produced this output, where did that knowledge come from, and who signed off when two sources disagreed. Those questions don't wait for a finalised rule. An examiner, a board, or a plaintiff's lawyer can ask them under the old framework, a future one, or none at all.
Provenance as infrastructure
This is the case for treating provenance as infrastructure rather than paperwork assembled after the fact. SAGE, the governed memory engine, traces every fact a connected AI tool used back to the document, version and ingestion that produced it, and logs how each conflict was closed: automatically where lineage or authority settle it, escalated to a person where it doesn't, with that ruling logged too. Answering the three-part question above becomes a property of how the memory works, not a project undertaken every time an exam is scheduled. It doesn't need to know which agency's language will eventually cover agentic AI, because it isn't built to satisfy a citation. It's built to preserve the trail a citation would eventually ask for.
The rulebook will catch up to agentic AI eventually, on its own schedule, worded however the agencies land on. The exposure it currently excludes doesn't wait for that. Neither should the evidence a bank would need to answer for it.
Loriq builds SAGE, the governed memory engine. Talk to us.