🤖 AI Summary
Current supervisory guidance SR 26-2 does not address generative AI and agent-based systems, creating a governance gap for financial institutions deploying these technologies in regulated processes—particularly concerning explainability, documentation, and compliance controls. This work proposes the first Generative AI Control Framework (GAICF) aligned with SR 26-2, extending model risk management principles to non-traditional AI systems through risk-tiered modeling and use-case mapping. Although designed for generative AI operating beyond formal model boundaries, the framework remains consistent with SR 26-2’s risk-based approach, offering financial institutions an actionable governance pathway to meet regulatory expectations when employing such systems in auxiliary tasks like policy analysis and regulatory interpretation.
📝 Abstract
The release of SR 26-2 marks a significant modernization of U.S. model risk management by replacing SR 11-7 with a more risk-based and materiality-sensitive supervisory framework. However, generative and agentic AI are excluded, creating an important governance challenge for banking organizations and other financial institutions. Although generative AI may not directly estimate credit risk or make underwriting decisions, its outputs can materially affect the surrounding control environment through monitoring interpretation, policy analysis, or adverse-action language drafting. These uses may influence how regulated financial decisions are explained, challenged, documented, and governed.
This paper proposes the Generative AI Control Framework (GAICF), an SR 26-2-compatible governance framework for generative AI-enabled financial workflows. The framework translates core model risk management principles into a layered control structure for generative AI applications that operate outside the formal model boundary but remain embedded within regulated banking processes. GAICF provides a practical approach for financial institutions seeking to align emerging generative AI governance practices with the risk-based supervisory expectations reflected in SR 26-2.