SR 26-2 replaces bank model risk management's prior checklist regime with a materiality-based framework: governance effort should scale with a model's financial exposure and purpose, not apply uniformly to every spreadsheet and GLM alike (Federal Reserve SR 26-2, April 2026). It does not impose a new rule on insurers or actuarial departments. For actuaries, its real value is as a reference architecture: which models need independent validation, which need monitoring only, and which need nothing more than documentation.
On April 17, 2026, the Federal Reserve issued SR Letter 26-2, the OCC issued Bulletin 2026-13, and the FDIC issued FIL-15-2026, jointly retiring SR 11-7, the guidance that had anchored bank model risk management since 2011 (Federal Reserve SR 11-7, April 2011; Federal Reserve SR 26-2, April 2026). Fifteen years is a long run for a single supervisory document, and the industry it governed changed underneath it: banks now run gradient boosting models next to Basel capital calculations, and the same architectures have migrated into insurance pricing, underwriting, and claims triage without an equivalent governance anchor ever having existed on the insurance side. The agencies' stated aim is a framework that is "risk-based, tailored, and commensurate with the organization's size, complexity, model use, and model risk profile" (Federal Reserve/OCC/FDIC, Supervisory Guidance attachment, April 2026). That language is written for banking organizations, not insurers; the actuarial relevance is translation, not direct compliance.
That distinction between institution size and model materiality is the piece worth stealing. A $2 billion regional insurer running a machine-learning claims-severity model that drives reserve adjustments has more model risk in that single model than a $50 billion bank running a thousand low-stakes reporting calculations. SR 26-2's contribution is to say the governance effort should track the second number, not the first, and that principle travels cleanly across the regulatory line between banking and insurance even though the guidance itself does not.
What Actually Changed, in Three Moves
SR 26-2 keeps the three pillars that defined SR 11-7: model development and use, validation and monitoring, and governance and controls. What moved is the calibration logic underneath them, and three shifts matter most for anyone translating the framework into actuarial practice.
The model definition narrowed. SR 26-2 defines a model as "a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates," explicitly excluding simple arithmetic calculations and deterministic rule-based processes (Federal Reserve SR 26-2, April 2026). For an actuarial department, that carve-out matters immediately: a rating factor lookup table or a fixed IBNR development-triangle spreadsheet with no statistical estimation inside it may fall outside formal model governance scope entirely, freeing validation capacity for the models that actually warrant it.
Materiality tiering replaced uniform review cycles. SR 11-7's de facto annual review applied the same rigor to every model regardless of stakes. SR 26-2 introduces an explicit materiality construct combining model exposure, meaning the dollar magnitude of decisions the model drives, with model purpose, meaning whether it serves a regulatory, financial-reporting, or internal-management function (Federal Reserve/OCC/FDIC Supervisory Guidance attachment, April 2026). Low-materiality models get identification and performance monitoring; high-materiality models get comprehensive validation regardless of how small the line item looks on the balance sheet.
Ongoing monitoring gained ground on point-in-time validation. The guidance elevates continuous drift detection and outcomes analysis relative to periodic formal review, an approach built for models that update frequently or ingest fast-changing data (Federal Reserve SR 26-2, April 2026). That is a closer fit for actuarial reserving and pricing work than SR 11-7's annual-cycle assumption ever was, since loss experience, exposure mix, and claim settlement patterns already move faster than a once-a-year sign-off can track.
Building an Actuarial Model Inventory on SR 26-2's Logic
The practical translation for an actuarial department is a model inventory segmented by materiality dimensions that map to SR 26-2's exposure-and-purpose test but are specific to insurance work: financial statement materiality (does the model drive a number that appears in the balance sheet or income statement), pricing leverage (does it set or heavily influence a rate that regulators will review in a filing), consumer impact (does it determine whether an individual is offered coverage, at what price, or whether a claim is paid), regulatory reliance (is the model's output cited in a Statement of Actuarial Opinion, a rate filing, or an RBC calculation), automation level (does a human review every output or does the model act without a human in the loop), and vendor opacity (was the model built in-house with full documentation, or licensed from a third party with limited visibility into its internals).
Scoring each model against those six dimensions produces a tier, and the tier should determine the governance action, not the other way around. A reserve model feeding the Statement of Actuarial Opinion with high automation and no vendor opacity sits at the top tier and warrants independent validation with a validator who did not build the model, full outcomes analysis against emerging experience, and board-level reporting on validation findings. A pricing GLM with moderate consumer impact and full internal transparency might warrant a lighter independent review plus ongoing monitoring, without the same board-reporting cadence. A vendor-licensed geospatial wildfire score used as one input among several in underwriting, with low automation because an underwriter reviews every flagged file, might warrant documentation of the vendor's own validation testing plus periodic outcomes analysis, but not a full independent revalidation the carrier cannot perform anyway without the vendor's training data. And a deterministic commission-calculation spreadsheet, the kind SR 26-2's narrowed model definition would exclude outright at a bank, can be documented and left alone.
| Tier | Example model | Governance action |
|---|---|---|
| High materiality | Reserve model feeding a Statement of Actuarial Opinion; ML pricing model driving a rate filing | Independent validation by a non-developer; full outcomes analysis; board or audit-committee reporting |
| Moderate materiality | Internal pricing GLM with transparent, in-house construction | Lighter independent review; ongoing drift monitoring; management-level reporting |
| Vendor / limited visibility | Licensed catastrophe model, geospatial risk score, or credit-based scoring tool used as one underwriting input | Review of the vendor's own validation documentation; periodic outcomes analysis on the carrier's own book; usage limitation where a human reviews flagged outputs |
| Low materiality | Deterministic commission or premium-calculation spreadsheet with no statistical estimation | Identification and documentation only; no independent validation required |
The AI Boundary Is Narrower Than the Insurance Press Implies
Vice Chair for Supervision Michelle Bowman drew a line in a May 1, 2026 speech that the insurance trade press has mostly flattened: "The revised guidance now applies narrowly to traditional models and basic AI applications," and for generative and agentic AI, "we expect other risk-management and governance practices to support adoption... in ways that will encourage ongoing innovation" (Federal Reserve, Vice Chair Bowman speech, May 1, 2026). That is a narrower carve-out than "SR 26-2 doesn't cover AI." It covers basic AI applications, meaning conventional supervised-learning models like a gradient-boosted claims-severity model or a random-forest underwriting score, under the same three-pillar structure as a GLM. What it excludes is the harder category: generative AI producing unstructured text and agentic systems that plan and execute multi-step actions without a human confirming each one.
Insurers are governing all four model types under that distinction whether they name it or not: GLMs, machine-learning pricing and underwriting models, generative AI drafting tools, and expert-judgment overlays layered on top of any of them, frequently under one undifferentiated "AI governance" policy. SR 26-2's boundary gives actuaries a cleaner split: basic AI applications can be folded into the same materiality-tiered inventory as traditional statistical models, using the same validation vocabulary of conceptual soundness, outcomes analysis, and ongoing monitoring. Generative and agentic tools need a separate governance track, because back-testing a large language model's claims-summary output against a defined correct answer is a different exercise than back-testing a loss-frequency GLM against observed claim counts, and an agentic system that decides its own next step in response to what it finds mid-process cannot be validated with a single pre-deployment sign-off the way a static model can.
Vendor Models: Buying the Tool Doesn't Buy Away the Accountability
SR 26-2 is explicit that banks must validate vendor and third-party models with the same rigor applied to internally built ones, and that expectation has a direct insurance analogue. Actuaries routinely rely on tools they did not build and often cannot fully inspect: catastrophe models, mortality improvement tables, credit-based insurance scores, geospatial property-risk scores, licensed generative AI drafting tools, and policy or claims automation platforms. The vendor relationship does not transfer validation responsibility; if a carrier's rate filing or reserve opinion relies on a vendor score, the actuary signing that filing or opinion still owns the conclusion, whether or not they can see the vendor's training data.
The practical response is not to demand full internal revalidation of every vendor tool, which is often technically impossible without the vendor's proprietary data. It is to require and review the vendor's own validation documentation, test the vendor's output against the carrier's own book of experience wherever an outcome can be observed (a wildfire score can be back-tested against the carrier's own fire losses even without seeing the model's internals), and set a usage limitation, such as human review of flagged files, when independent validation is not feasible. This is the same vendor-opacity dimension that should sit in the model inventory triage above: an unvalidatable vendor tool used with a human in the loop carries a different risk profile than the same tool driving automated decisions with no review.
Ongoing Monitoring as the Actuarial Bridge
SR 26-2's shift toward continuous monitoring over annual point-in-time validation is the section of the guidance that needs the least translation, because actuaries already run a version of it. A model that was conceptually sound and well-validated at deployment can still perform badly a year later without any coding defect, purely because the world it was built on shifted: exposure mix drifting toward risks the training data underrepresented, claim settlement patterns changing as courts or claimants behave differently, lapse behavior moving with interest rates or competitor pricing, medical or economic inflation running ahead of trend assumptions, social inflation lifting jury verdicts beyond the severity distribution the model was calibrated on, a shifting climate and catastrophe frequency, or a change in the litigation environment surrounding a specific line of business.
Each of those is a monitoring signal, not a validation failure, and SR 26-2's framing gives actuaries language to formalize what many reserving and pricing functions already do informally: track predicted-to-actual ratios by segment, flag divergences that exceed a threshold, and route the flag to a documented review rather than waiting for the next scheduled model refresh. Framing this as ongoing monitoring under a materiality-tiered inventory, rather than as ad hoc actuarial judgment applied inconsistently across lines, is what turns informal vigilance into a defensible governance program an examiner or auditor can actually review.
Two Regulatory Axes, Not One
SR 26-2 and the NAIC's Model Bulletin on the Use of Artificial Intelligence Systems by Insurers, adopted in December 2023 and now in force in 24 states and the District of Columbia in full or substantially similar form (Quarles Law Firm, 2026), are frequently discussed as if one could substitute for the other. They cannot, because they answer different questions. SR 26-2 is an enterprise model-governance framework: does the institution have a defensible process for developing, validating, and monitoring the model itself, independent of what the model is used for. The NAIC bulletin is a consumer-outcome and insurance-law framework: does the model's use produce unfair discrimination, is its use documented and explainable to a regulator, and is the carrier accountable for a third-party AI vendor's outputs under the carrier's own governance program.
| Dimension | SR 26-2 (2026) | NAIC AI Model Bulletin (2023) |
|---|---|---|
| Core question | Is the model itself sound, validated, and monitored? | Does the model's use produce a fair, explainable, documented outcome? |
| Orientation | Enterprise model governance | Consumer protection and insurance law |
| Scope trigger | Model materiality (exposure x purpose) | Any AI system affecting a consumer-facing insurance decision |
| AI treatment | Covers traditional models and basic AI; generative/agentic AI excluded pending separate guidance | Covers AI broadly, including generative and predictive systems, regardless of technique |
| Vendor accountability | Validate third-party models with the same rigor as internal ones | Carrier accountable for vendor AI system outcomes under its own governance program |
Together the two frameworks describe a two-axis map: one axis for whether a model is well-built and well-monitored, the other for whether its use produces a defensible, non-discriminatory outcome. A model can score well on one axis and fail the other. A conceptually sound, well-validated underwriting model can still produce disparate impact across a protected class if the training data encoded a historical bias the validation process never tested for, which is a Model Bulletin failure, not an SR 26-2 failure. Conversely, a model built to satisfy every NAIC documentation and explainability expectation can still be poorly calibrated, badly monitored, or validated by the same team that built it, which is an SR 26-2-shaped governance gap the consumer-protection framework was never designed to catch. An actuarial model risk program that only tracks one axis will eventually be surprised by a failure on the other.
Why This Matters
Actuaries signing Statements of Actuarial Opinion, filing rate indications built on machine-learning pricing models, or validating vendor-licensed underwriting tools are already doing work that SR 26-2's vocabulary describes more precisely than anything insurance regulation has offered to date. The practical output of translating the guidance is not a compliance checklist; it is a triage decision for every model in the inventory: which ones get an independent validator who did not build them, which get monitoring dashboards and drift alerts, which get a usage limitation because the carrier cannot see inside a vendor's model, and which can simply be documented as low-materiality and left alone. Skipping that triage does not eliminate the risk in an under-governed high-materiality model; it just means the first time anyone notices is when the reserve development or the rate filing already looks wrong.
The near-term test is the RFI on generative and agentic AI that the agencies have said will follow SR 26-2, plus whatever the NAIC's Big Data and Artificial Intelligence Working Group does next with the Model Bulletin now that 24 states and D.C. have adopted it. Carriers that build the six-dimension inventory now, using SR 26-2's materiality logic on one axis and the NAIC bulletin's consumer-outcome logic on the other, will not need to retrofit a governance program once either regulator narrows the interim gap. Carriers that wait will be building it under examination pressure instead of on their own schedule.
Further Reading
- SR 26-2 Rewrites Model Risk Rules but Leaves Insurer AI in a Regulatory Vacuum
- NAIC Vendor Registry: A Model Law for Third-Party AI in Insurance
- AI Regulation in Insurance 2026: The NAIC Model Bulletin and State Adoption
- Dual-Vendor AI Stacks and the Carrier Model Risk Problem
- Machine Learning for Loss Reserves: The ASOP Compliance Gap
Sources
- Federal Reserve, SR Letter 26-2: Revised Guidance on Model Risk Management (April 17, 2026)
- Federal Reserve/OCC/FDIC, Supervisory Guidance on Model Risk Management attachment (April 2026)
- OCC Bulletin 2026-13: Model Risk Management, Revised Guidance (April 17, 2026)
- FDIC FIL-15-2026: Agencies Revise the Interagency Model Risk Management Guidance (April 2026)
- Federal Reserve SR 11-7: Guidance on Model Risk Management (April 4, 2011)
- Federal Reserve, Vice Chair for Supervision Bowman speech on AI in the financial system (May 1, 2026)
- NAIC, Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023)
- Quarles Law Firm, "Nearly Half of States Have Now Adopted NAIC Model Bulletin on Insurers' Use of AI" (2026)
- NAIC, Health Artificial Intelligence/Machine Learning Survey Report (May 2025; 92% of 93 responding health insurers report current or planned AI/ML use)
- NAIC, Artificial Intelligence Insurance Topics (private passenger auto AI/ML survey; 88% of 193 responding insurers)
- Sullivan & Cromwell, "Federal Banking Agencies Issue Revised Guidance on Model Risk Management" (April 2026)