Whitepaper · Coming soon

AI Agent Governance after SR 11-7.

On April 17 2026 the Federal Reserve, OCC and FDIC jointly rescinded SR 11-7 and issued a non-prescriptive replacement that explicitly excludes generative and agentic AI from its scope. This whitepaper is the framework banks adopt instead. Written for Chief Risk Officers, Heads of Model Validation and AI Governance leads at banks and FinTech with active AI deployment.

Written by Ashish K. Saxena · Founder, Caventia

A new edition for the generative and agentic AI agents the 2026 MRM Guidance left to banks.

The argument in one minute

Three lines. One spine.

The three-lines-of-defense framework has governed bank risk for fifteen years. The framework survives the move to AI agents. The workflows do not. Watch where it breaks and what Caventia adds.

Three lines of defense, held together by one spine
I. An excerpt

The letter is gone. The principles aren't.

On April 17 2026 the Federal Reserve, OCC and FDIC jointly rescinded SR 11-7 and replaced it with a 12-page principles-based "Supervisory Guidance on Model Risk Management". The new guidance is non-prescriptive and most relevant to banks above $30B in total assets. Its footnote 3 contains the sentence that defines the next decade of AI governance in banking.

"Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance. Nonetheless, a banking organization's risk management and governance practices should guide the determination of appropriate governance and controls for any tools, processes, or systems not covered in this document."
Footnote 3, Supervisory Guidance on Model Risk Management, April 17 2026

The agencies named the gap. They said: we will not tell you how to govern AI agents. Figure it out yourselves.

This is not a relief. It is an obligation. Footnote 1 of the same document preserves the escape hatch the agencies left themselves: "supervisory action may result for any violations of law or unsafe or unsound practices stemming from insufficient management of model risk." Banks can still be cited. They just no longer have a checklist to point at.

The surviving principles - model inventory, validation, outcomes analysis, ongoing monitoring, effective challenge, vendor oversight, model materiality, aggregate risk - all map cleanly onto generative and agentic AI. The branded artifacts of the SR 11-7 era ("model risk pack", "three lines of defense") do not. The vocabulary changed; the work didn't.

This whitepaper is the framework banks adopt for the AI agents the 2026 MRM Guidance left to them. Five places the old SR 11-7 framework broke down for agentic AI - each, as it turns out, is precisely why the agencies carved gen AI and agentic AI out. A five-step practical framework banks build instead. Per-agent documentation artifacts that satisfy what examiners still expect.

The opportunity: banks that build AI agent governance correctly in 2026 have a 12 to 24 month head start on competitors who will be forced to retrofit it under board, regulator or first-incident pressure.

II. What's inside

Eleven sections and two appendices.

About 4,800 words. Roughly 12 pages once typeset.

I. What the April 2026 MRM Rewrite says (and doesn't)

The non-prescriptive replacement guidance applies most to banks over $30B. Footnote 3 explicitly excludes generative and agentic AI from scope - while telling banks they still must govern them.

II. Why the principles outlived the letter

Model inventory, validation, outcomes analysis, ongoing monitoring, effective challenge, vendor oversight. The surviving principles map cleanly onto AI agents. The branded artifacts no longer do.

III. Five places the old framework broke down

Non-determinism. Prompt-as-feature. Tool use and emergent behavior. Model provider opacity. Continuous capability evolution. Each is precisely why the agencies carved gen AI and agentic AI out.

IV. A five-step framework banks adopt

Inventory and classify. Document each agent. Validate before deployment. Capture production decisions. Monitor and re-validate. Pressure-tested against post-rewrite examiner conversations.

V. Documentation artifacts you still need

Per-agent (Model Identity Document, validation reports, monitoring history, exception log). Program-level (inventory, policy, independence policy, provider risk assessment). Names change. Substance doesn't.

VI. Architectural requirements for capture

Reproducibility. Tamper evidence. Independence from agent operator. Retention. Demographic capture for ECOA. Replay queries. Minimum bars for examiner-defensible evidence.

VII. Validation for non-deterministic systems

Behavioral envelope testing. Adversarial test suites. Disparate impact analysis on balanced corpora. Shift from accuracy-on-test-set to envelope stability.

VIII. Seven pitfalls banks are making in 2026

Reading 'non-prescriptive' as 'unaccountable'. Treating AI as automation. Documenting the LLM as the model. Validating once, never again. No demographic capture. Capture in logs engineers can modify. Among others.

IX. Implementation roadmap

Days 1-90 (inventory, classify, pattern build). Days 91-180 (capture layer rollout, monitoring). Days 181-365 (full coverage, re-validation cycle). Aligned to the new guidance's risk-based tailoring.

X. Independence: the quiet advantage

Counterintuitive: AI agents make independent validation easier to satisfy than traditional models. Validators no longer need scarce quant PhDs. Effective challenge survives the rewrite intact.

XI. Provider risk: the section that just got sharper

LLM providers ship updates that meaningfully change agent behavior. The new guidance's Section VII on vendor and third-party products applies in full. Contractual, operational, strategic and documentary controls.

App.

Appendices

The 2026 MRM Guidance to AI agent mapping table. Glossary covering agent, capture layer, decision drift, feature snapshot, hash chain, Merkle root, prompt drift and tamper evidence.

The closing argument

What the examiner sees.

Same incident, two artifacts. The OCC examiner walks in and asks how the agent decided. What you hand them tells the whole story.

Same incident, two artifacts