Here's a thought experiment. Pick the AI or machine-learning system in your bank that's closest to a live credit decision. Maybe it's an LLM summarising financial statements for your analysts. Maybe it's a classifier flagging covenant breaches before your analysts see them. Maybe it's something more ambitious — a GenAI tool drafting initial credit assessments on mid-market borrowers.

Now ask yourself: what model risk framework covers it?

If you'd answered that question three weeks ago, you'd have said SR 11-7 — the interagency guidance that's governed model risk management in banking since 2011. It was broad enough to cover basically anything that produced a quantitative output used in a decision. Your logistic regression scorecard, your stress-testing suite, your LLM pipeline — all in scope, all subject to the same validation and documentation expectations.

That changed on 17 April. The Fed, OCC and FDIC issued SR 26-2, replacing SR 11-7 after fifteen years. The new guidance is shorter, more principles-based, and explicitly risk-tiered. But the line that matters most is the one that says generative AI and agentic AI are out of scope — excluded from the model risk management framework entirely, with a separate request for information promised "in the near future."

I want to talk about what that means in practice, because I think the implications for anyone building AI systems inside a bank are more immediate than the headlines suggest.

What actually changed

The old SR 11-7 defined "model" broadly: any quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories to process input data into quantitative estimates. That definition was wide enough to catch an LLM generating credit summaries, if you squinted — and most compliance teams were squinting.

SR 26-2 keeps a similar definition but now applies a risk-based tiering system. More importantly, it explicitly carves out generative AI and agentic AI, stating that these technologies will be addressed separately. The guidance applies primarily to banks above $30 billion in assets, and the overall tone is less prescriptive — fewer checklists, more "demonstrate that your governance is proportionate to the risk."

For traditional models — your PD/LGD scorecards, your VaR engines, your IFRS 9 ECL models — this is mostly a simplification. Less paperwork for low-risk models, more focus on the ones that actually matter.

For GenAI, it's a different story. The old framework, imperfect as it was, at least gave compliance teams something to point at. Now there's a gap. Your logistic regression scorecard has a clear validation regime. Your LLM-based underwriting tool does not — at least not under model risk rules.

Why UK practitioners should care about US guidance

SR 26-2 is American. The PRA hasn't followed suit. So why does this matter if you're sitting in a mid-market bank in London or Manchester?

Two reasons. First, US model risk guidance has historically set the tone globally. SR 11-7 was cited — formally or informally — in model risk frameworks across Europe for a decade. When UK banks built their internal MRM policies, most of them borrowed heavily from SR 11-7's structure. If the US is moving to a risk-tiered, principles-based approach that excludes GenAI, that shift will ripple into how the PRA thinks about its own framework.

Second, the GenAI carve-out creates a specific problem for anyone running AI experiments right now. If you've been validating your LLM pipeline under your existing model risk policy — which was probably inspired by SR 11-7 — you now have to ask whether that policy still makes sense, or whether you're applying a framework that the originating regulators have decided doesn't fit.

If our regulator asked us tomorrow which governance framework covers our GenAI tools in credit or KYC, could we give them a clear answer?

For most mid-market banks, I suspect the honest answer is no. The GenAI tools are either ungoverned, governed under model risk policies that were designed for regression models, or governed under a patchwork of IT risk and third-party risk policies that don't quite fit either.

The gap is real, but it's not an excuse to do nothing

I want to be careful here, because I can already hear someone reading this and thinking "great, GenAI is out of scope, so we don't need to validate it." That's exactly wrong.

The FINOS analysis makes this point well: SR 26-2 excluded GenAI from model risk scope, but fair lending law, consumer protection rules, third-party risk expectations, and data privacy obligations all still apply. In the UK, the Senior Managers and Certification Regime still applies. The Consumer Duty still applies. The PRA's existing expectations around operational resilience still apply.

What's missing isn't permission to skip governance. What's missing is a single, coherent framework that tells you how to govern these systems. What documentation is proportionate? What does validation look like for a model that generates text rather than a probability? Who in the three lines of defence owns it?

I'll be blunt: most internal AI governance documents I've seen are fiction. They describe how things should work, not how they do. The gap between the policy PDF and what actually happens when someone deploys an LLM into a credit workflow is wide enough to drive a bus through. SR 26-2 didn't create that gap — but it did remove the one framework that was at least forcing people to pretend it was closed.

And grey zones in banking tend to resolve badly for the people who waited.

The takeaway

This week, find the person in your bank who owns the model risk policy — or the AI governance policy, if you have one — and ask them one question: does our current framework explicitly address generative AI, or are we relying on a model risk policy that was written for scorecards? If the answer is the latter, it's worth spending a day drafting a short interim position paper — even just two pages — that names the GenAI tools you're running, states which existing policies cover them, and flags the gaps. It won't be perfect. But when the PRA does publish guidance, you'll be starting from a documented position rather than a blank page. That's the difference between responding in a week and responding in a quarter.

— Aksel

The Analytical Banker is a weekly note on data, analytics, and AI inside corporate banking — written for finance leaders who actually have to make this stuff work. Reply to this email if something here resonates, or forward it to a colleague who'd benefit.
