SuperML
← All issues

Banking's Model Risk Framework Wasn't Built for LLMs. Regulators Just Admitted It — Now Banks Have a Window to Act.

The OCC's Spring 2026 Risk Perspective and the Fed's own admission that existing model risk guidance doesn't cover agentic AI signal that formal US banking AI governance rules are imminent — and the banks that build their governance architecture now will have a structural advantage when the RFI lands.

Hi there,

The OCC just published its Spring 2026 Semiannual Risk Perspective, and buried inside the usual credit-risk boilerplate is something every AI-forward bank team should read: regulators have acknowledged that their own model risk frameworks weren't designed for LLMs or AI agents — and a tri-agency request for information is coming. Federal Reserve Vice Chair Bowman said the quiet part out loud: existing model risk guidance "applies only narrowly to traditional models and basic AI applications" and does not extend to generative or agentic AI. That is not a reassuring statement. That is a warning shot.

🔥 Featured Post

Banking's Model Risk Framework Wasn't Built for LLMs. Regulators Just Admitted It — Now Banks Have a Window to Act.

  • The OCC Spring 2026 Risk Perspective explicitly flags AI governance gaps and signals incoming tri-agency guidance on model risk for generative and agentic AI.
  • Fed Vice Chair Bowman confirmed that SR 11-7 / existing model risk guidance does not yet extend to LLMs or agentic AI systems operating in financial workflows.
  • Banks "may consider expanding" use of AI for "material financial decisions" — but without updated governance, that's an invitation to accumulate supervisory liability.
  • The architecture problem: LLM validation, explainability, hallucination testing, and agent audit trails don't map cleanly to traditional model validation procedures.
  • Banks that build LLM governance infrastructure now — before the RFI prescribes specific requirements — can shape their programs around what actually works, not what a regulator designed in a conference room.

Read the full post →

📚 In Case You Missed It

SAP Just Made Your ERP the AI Agent Governance Layer — and That's Not as Safe as It Sounds — SAP Sapphire's Autonomous Enterprise ships 224 agents, Joule Studio 2.0, and a vendor-agnostic AI Agent Hub — but bundling agent governance into the ERP layer creates concentration risk that Forrester is already flagging, and that most enterprise architects haven't modeled yet.

The EU AI Act Just Blinked — and Banks That Celebrate Are Making a Costly Mistake — The EU AI Act's 16-month delay for high-risk AI systems is not a compliance reprieve — it's a trap. Banks that pause their governance programs now will hit December 2027 with the same inventory gaps, documentation shortfalls, and unembedded oversight mechanisms they have today, only with less runway and higher penalties.

The Harness Does the Work: Inside Microsoft's 100-Agent MDASH Architecture That Found 4 Critical Windows RCEs — and Why 'Which Model?' Is the Wrong Question — Microsoft's MDASH agentic security harness found 4 Critical Windows RCEs using 100+ specialized agents in a 5-stage pipeline — and its architecture proves that the system around the model matters more than the model itself.

More posts dropping every day. Stay curious.

— Bhanu @ superml.dev