From tracking model validation practices across banking and insurance regulators for several years, the gap between how these two sectors govern the same underlying AI architectures has never been wider than it is after April 17. On that date, the OCC issued Bulletin 2026-13 and the Federal Reserve published SR Letter 26-2, jointly replacing the SR 11-7 framework that had governed model risk management at banks since 2011. The revised guidance modernizes validation requirements, introduces risk-based materiality tiering, and shifts from prescriptive mandates to a principles-driven approach. It also contains one sentence that matters more than any other for insurance professionals: "Generative AI and agentic AI models are novel and rapidly evolving. As such, they are not within the scope of this guidance."

For banking organizations, that exclusion is temporary. The agencies announced plans to issue a separate Request for Information addressing AI model risk governance, and banks can expect formal AI-specific rules within 12 to 18 months. For insurance carriers deploying the same generative AI and agentic systems in underwriting, claims triage, and pricing, the exclusion highlights a deeper problem: the insurance sector has no SR 11-7 equivalent to revise in the first place. The NAIC Model Bulletin on AI use by insurers, adopted by over half the states, addresses bias, transparency, and consumer protection. It does not establish a comprehensive model risk management framework with the specificity that SR 11-7, and now SR 26-2, provides for banks.

Grant Thornton's 2026 AI Impact Survey of 950 executives quantifies the consequence: 63% of insurance leaders have operationalized AI or implemented it across parts of their business, up from 45% in 2025. Yet only 24% are very confident they could pass an independent AI governance review within 90 days. That 76% confidence gap is where the regulatory vacuum lives.

76%: Insurance executives who cannot demonstrate adequate AI governance on demand (Grant Thornton 2026)
63%: Insurance leaders who have operationalized AI across their business, up from 45% in 2025
12: States piloting the NAIC AI evaluation tool for market conduct examinations in 2026

What SR 26-2 Changes from SR 11-7

The revised guidance is roughly half the length of its predecessor. That compression reflects a deliberate philosophical shift: where SR 11-7 laid out detailed prescriptive requirements that examiners checked clause by clause, SR 26-2 articulates principles that institutions must satisfy through approaches proportionate to their risk profiles. The guidance explicitly states it "does not set forth enforceable standards or prescriptive requirements." Examiners now assess whether an institution's risk discipline is defensible on its own terms rather than whether it ticks every paragraph in a 20-page rulebook.

Four structural changes stand out for actuaries who work across banking and insurance model validation.

Model definition narrowed. SR 26-2 defines a model as "a complex quantitative method, system, or approach that applies statistical, economic, or financial theories to process input data into quantitative estimates." This explicitly excludes simple arithmetic calculations and deterministic rule-based processes. The narrower definition removes many spreadsheets, workflow tools, and basic calculators from formal model risk management scope. Banks expect 10% to 30% of legacy models to shift tiers under the new materiality framework, with most moving downward.

Risk-based materiality tiering replaces uniform governance. SR 11-7's de facto annual review cycle applied the same validation rigor to every model regardless of its operational significance. SR 26-2 introduces explicit materiality tiering that combines model exposure (dollar magnitude of decisions the model influences) with model purpose (regulatory versus internal use). Low-materiality models require identification and performance monitoring only; high-materiality models demand comprehensive oversight regardless of financial footprint. This allows institutions to concentrate validation resources where model risk is concentrated rather than spreading them uniformly.

Validation independence redefined. SR 11-7 was widely interpreted as requiring organizational separation between model developers and validators. SR 26-2 states that the quality of the validation process depends "on the rigor and effectiveness of the review rather than on organizational structure." Validators can sit closer to development teams, providing explicit regulatory cover for organizations embedding governance earlier in development lifecycles rather than treating validation as a post-deployment gate.

Ongoing monitoring elevated. The guidance places greater emphasis on continuous monitoring and outcomes analysis relative to point-in-time validation events. For models that change frequently or use rapidly evolving data, the goal is not to replicate full validation cycles for every change but to maintain confidence through drift detection, back-testing, and outlier analysis. This continuous-monitoring philosophy aligns more naturally with how ML and AI models behave in production, where data drift and concept drift can degrade performance between formal validation cycles.

| Dimension | SR 11-7 (2011) | SR 26-2 (2026) |
| --- | --- | --- |
| Governance approach | Prescriptive, clause-by-clause compliance | Principles-driven, risk-proportionate |
| Model definition | Broad; included rule-based tools and spreadsheets | Narrowed to complex quantitative methods applying statistical, economic, or financial theory |
| Materiality | Implicit; uniform review cycles | Explicit tiering by model exposure and purpose |
| Validation frequency | De facto annual cycle | Risk-based; tied to materiality, change velocity, and data availability |
| Validator independence | Organizational separation expected | Rigor and effectiveness of review, not org structure |
| Ongoing monitoring | Secondary to point-in-time validation | Elevated; drift detection and continuous outcome analysis |
| Generative / agentic AI | Not addressed (predates practical deployment) | Explicitly excluded from scope; separate RFI planned |

The Generative AI Exclusion and the Planned RFI

The exclusion of generative and agentic AI from SR 26-2 is not an oversight. It is an intentional design choice that reflects the agencies' assessment that these technologies cannot yet be governed under the same validation framework as traditional statistical models. The guidance acknowledges the distinction on its first page, and the agencies plan to issue a separate Request for Information that addresses model risk management generally and considers "banks' use of AI, including generative AI, agentic AI, and AI-based models."

The reasoning is defensible. Traditional model risk management assumes models are statistical artifacts that transform defined inputs into quantitative outputs through documented mathematical relationships. An actuary building a GLM for auto pricing can specify every coefficient, document every assumption, and back-test predictions against observed losses. The three validation pillars of SR 11-7 and SR 26-2, namely conceptual soundness, outcomes analysis, and ongoing monitoring, map directly onto this workflow.

Generative and agentic AI systems operate differently. A large language model processing claims documents does not apply "statistical, economic, or financial theory" in the sense the guidance's model definition requires. An agentic system that perceives, reasons, plans, executes, and evaluates autonomously across multiple steps introduces runtime uncertainty that static pre-deployment validation cannot fully capture. Back-testing a generative model's output is fundamentally different from back-testing a loss-frequency GLM because the output space is unbounded and context-dependent.

The agencies' decision to carve out AI for separate rulemaking acknowledges this mismatch. But the planned RFI process, followed by proposed rulemaking, public comment, and final rule issuance, will take months or years. Banks deploying generative AI in production during this interim period operate under a directive to apply "existing risk management and governance practices," which amounts to telling institutions to extrapolate from traditional frameworks without specifying how.

The global regulatory picture provides contrast. The UK's Prudential Regulation Authority issued supervisory statement SS1/23 with broader model risk coverage that does not carve out AI technologies by category. The EU AI Act classifies insurance AI systems as high-risk and imposes data governance, testing, and monitoring requirements that apply regardless of the model's underlying architecture. These frameworks are less specific to model validation than SR 26-2 but broader in technological scope.

The Insurance Regulatory Gap: No MRM Framework to Revise

The regulatory gap for insurance carriers is more fundamental than the generative AI carve-out in SR 26-2. Banks had SR 11-7 as a comprehensive model risk management framework since 2011, and now have SR 26-2 as its successor. Insurance carriers have no equivalent document. There is no single authoritative framework from the NAIC or any state department of insurance that establishes comprehensive expectations for model validation, governance, documentation, and ongoing monitoring across the full model lifecycle.

This is not because insurance regulators have ignored AI. The NAIC adopted AI Principles in 2020 and a Model Bulletin on the Use of AI Systems by Insurers in December 2023. Over half the states have adopted the Model Bulletin or substantially similar guidance. But the Model Bulletin addresses a different question than SR 26-2. It focuses on consumer protection: ensuring that AI systems do not produce unfair discrimination, that insurers maintain governance and documentation, and that third-party AI vendors are subject to appropriate oversight. It does not prescribe how to validate a model's conceptual soundness, how to structure ongoing monitoring for drift detection, or how to tier governance effort by model materiality.

The closest the insurance sector comes to a model risk management framework is the combination of the NAIC's AI Systems Evaluation Tool, now being piloted by 12 states, and individual state-level regulatory requirements. The AI evaluation tool provides a structured framework for regulators reviewing insurer AI governance during market conduct examinations. It includes four exhibits: Exhibit A quantifies AI usage, Exhibit B assesses the governance risk framework, Exhibit C details high-risk AI systems, and Exhibit D covers AI data practices. This is valuable for examination purposes, but it is a regulatory assessment instrument, not a model risk management standard. It tells regulators what questions to ask during exams, not insurers how to build their MRM programs.

The distinction matters operationally. A bank's Chief Model Risk Officer can point to SR 26-2 and build a model governance program that they know will satisfy examiners. An insurance company's model risk function has no comparable anchor document. They must synthesize requirements from the NAIC Model Bulletin, their state DOI's specific guidance, ASOP No. 56, and general principles borrowed from banking MRM practice, hoping the resulting framework is sufficient when a market conduct examiner arrives with the AI evaluation tool.

State-Level DOI Approaches: A Patchwork in Place of a Standard

The absence of a federal-level MRM framework for insurers means that what oversight exists comes through state-level action. The resulting landscape is a patchwork of approaches at varying stages of maturity, creating compliance complexity for multi-state carriers and making it difficult for actuaries to establish consistent model validation practices.

Colorado is the most prescriptive state. SB 21-169, the Protecting Consumers from Unfair Discrimination in Insurance Practices Act, prohibits insurers from using algorithms, predictive models, or external consumer data if the result is unfair discrimination against a protected class. The Division of Insurance's Regulation 10-1-1 expanded in October 2025 to cover private passenger auto and health benefit plan insurers in addition to life insurers. Beginning in July 2026, covered insurers must submit annual compliance reports detailing governance practices, testing, and model oversight. Colorado's approach is the closest analog to a prescriptive model governance requirement in insurance, but it targets bias and discrimination specifically, not the full spectrum of model risk that SR 26-2 addresses.

Connecticut advanced an omnibus AI bill (Senate Bill 5) that cleared both chambers on May 1, 2026, covering automated decisions across multiple sectors including insurance. Connecticut is also one of the 12 states participating in the NAIC AI evaluation tool pilot, which provides the state's DOI with a structured framework for examining insurer AI practices during market conduct reviews.

Maryland is among the 12 pilot states for the NAIC AI evaluation tool and has adopted AI insurance regulations aligned with the NAIC Model Bulletin. Maryland's approach relies on the bulletin framework rather than creating bespoke state legislation, reflecting the NAIC's intended adoption pathway.

The variation across states creates a compliance burden that the banking sector does not face. A national bank subject to SR 26-2 operates under a single model risk management framework regardless of which states it operates in. A multi-state insurer deploying the same AI model in Colorado, Connecticut, and Maryland faces three different sets of expectations, none of which provides the comprehensive MRM structure that SR 26-2 gives banks. Colorado demands annual bias attestations. Connecticut's evaluation tool pilot focuses on examination-readiness. Maryland follows the NAIC bulletin's governance expectations. None of them individually, or collectively, tells the insurer how to validate the conceptual soundness of a gradient boosting model used for claims triage or how to structure ongoing monitoring for an LLM-based document processing system.

| Jurisdiction | Framework | Focus | MRM Equivalent? |
| --- | --- | --- | --- |
| Federal banking (SR 26-2) | Comprehensive interagency guidance | Full model lifecycle: development, validation, monitoring, retirement | Yes; the standard |
| NAIC Model Bulletin | Non-binding model guidance | Consumer protection, bias, transparency, third-party oversight | No; addresses AI governance broadly, not model validation specifically |
| NAIC AI Evaluation Tool | Examination framework (pilot) | Structured assessment of AI usage, governance, high-risk systems | No; regulatory assessment instrument, not an MRM standard |
| Colorado (SB 21-169 / Reg 10-1-1) | State statute and regulation | Algorithmic discrimination prevention, annual attestation | Partial; prescriptive on bias testing, silent on broader model risk |
| ASOP No. 56 | Actuarial standard of practice | Modeling: data, assumptions, testing, documentation, governance | Partial; professional standard for actuaries, not a regulatory framework |

Adapting SR 26-2 Principles for Insurance Model Validation

The absence of an insurance-specific MRM framework does not mean insurance carriers cannot build effective model risk programs. Several carriers and consulting firms have already been adapting SR 11-7 principles for insurance use, and SR 26-2's modernized approach actually maps more naturally onto insurance model validation workflows than its predecessor did.

From reviewing how insurers approach model validation for state rate filings and regulatory submissions, three of SR 26-2's core principles translate directly to insurance model governance.

Conceptual soundness. This principle requires assessing whether a model's design, theory, and assumptions are appropriate for its intended use. For an insurance pricing model, this means evaluating whether the selected rating variables have actuarial justification, whether the model structure (GLM, gradient boosting, neural network) is appropriate for the data and the pricing question, and whether assumptions about loss distributions and development patterns are reasonable. ASOP No. 56 already requires actuaries to assess model appropriateness and document their reasoning. SR 26-2's conceptual soundness requirement reinforces this obligation with a specific validation vocabulary that actuaries can adopt.

Outcomes analysis. SR 26-2 requires comparing model outputs to real-world results through back-testing and outlier analysis. Insurance actuaries have been doing this for decades: comparing predicted loss ratios to actual loss ratios, tracking model residuals across rating segments, and identifying territories or classes where predictions diverge from experience. The discipline is familiar; what SR 26-2 adds is a structured expectation that outcomes analysis be documented, that divergences trigger investigation, and that findings feed back into model improvement. For AI models in claims triage or underwriting, outcomes analysis means tracking whether the model's risk classifications are confirmed by subsequent loss experience, which is the same actuarial cycle applied to a different model type.

Ongoing monitoring. This is where SR 26-2's modernized approach is most relevant for insurance AI. Traditional actuarial models are updated on annual or quarterly cycles. Machine learning models deployed in production environments can degrade between updates as data distributions shift, regulatory environments change, or market conditions evolve. SR 26-2's emphasis on continuous monitoring, drift detection, and automated alerting provides a template for how insurance carriers should monitor deployed AI systems. The guidance's recognition that monitoring approaches should differ based on model characteristics and use, with more intensive monitoring for frequently updated or high-materiality models, aligns with how actuaries already differentiate oversight across model portfolios.

The practical recommendation for insurance model risk officers is straightforward: use SR 26-2 as a reference architecture. Build a model inventory using the guidance's materiality framework. Apply risk-based tiering to concentrate validation resources on high-impact models. Implement continuous monitoring protocols for production AI systems. Document everything in language that maps to ASOP No. 56's professional standards. This approach creates a defensible MRM program even in the absence of an insurance-specific regulatory mandate, and positions the carrier well for whatever framework NAIC or state DOIs eventually establish.

What the Exclusion Means for LLMs and Multi-Agent Systems in Insurance

The practical consequence of the AI exclusion in SR 26-2 extends beyond regulatory compliance into operational risk management. Insurance carriers are deploying generative and agentic AI systems in functions where model failure has direct financial and consumer-protection consequences. The regulatory exclusion does not eliminate the risk; it just removes the standardized framework for managing it.

LLMs in claims processing. Carriers using large language models to process claims documents, extract medical record information, or generate loss summaries face a validation challenge that SR 26-2's traditional model framework was not designed to address. An LLM's output is probabilistic and context-dependent; the same document processed twice may yield slightly different extractions. Traditional validation through conceptual soundness review does not apply because the model's "theory" is learned from training data rather than derived from actuarial or statistical principles. Outcomes analysis is possible but requires defining what constitutes a correct output for an open-ended text processing task, which is a different exercise than comparing predicted to actual loss ratios.

Agentic systems in underwriting. Multi-agent systems that autonomously gather information, assess risk, and generate underwriting recommendations introduce runtime uncertainty that static validation cannot fully capture. An agentic system's behavior depends on the specific inputs it encounters, the order in which it processes information, and the decisions it makes at each step. Traditional model validation assumes a deterministic or narrowly probabilistic relationship between inputs and outputs. Agentic systems break this assumption, and neither SR 26-2 nor any insurance regulatory framework has established how to validate a system that can modify its own decision pathway in response to what it discovers during processing.

Vendor model risk. Many carriers access generative AI capabilities through third-party vendors rather than building models internally. The dual-vendor AI architectures common among mid-size carriers create layered model risk: the carrier depends on the vendor's model, the vendor depends on the foundation model provider's base model, and the carrier's actuaries must validate the combined system without full visibility into either layer. SR 26-2 addresses vendor model risk for banks by requiring that institutions validate vendor models with the same rigor as internally developed models. Insurance regulators have not established comparable vendor model validation expectations, though the NAIC Model Bulletin does address third-party oversight in general terms.

For actuaries validating these systems, the practical gap is between what they can observe and what they need to validate. A pricing GLM is fully transparent: every coefficient is documented, every input is defined, and every output is reproducible. A generative AI system processing claims documents operates as a probabilistic black box whose internal reasoning is not directly observable. The validation toolkit that actuaries have developed over decades of GLM and actuarial modeling work does not extend naturally to these systems, and neither banking nor insurance regulators have yet provided the bridge.

ASOP No. 56 as a Bridge Framework

In the absence of an insurance-specific MRM standard, ASOP No. 56 (Modeling) serves as the closest thing to a comprehensive model governance framework available to actuaries. Effective since October 2020, the standard applies to any actuary performing actuarial services involving models, regardless of the model's underlying technology.

Several provisions of ASOP No. 56 are directly relevant to the current gap. Section 3.2 requires actuaries to consider the appropriateness of data used in models, including its reasonableness, comprehensiveness, and consistency. For AI models trained on large datasets, this means evaluating data quality, representativeness, and potential biases in training data. Section 3.4 requires model testing appropriate to the model's intended purpose, which, for ML and AI models, should include performance benchmarking, sensitivity analysis, and fairness testing. Section 3.7 addresses reliance on others, directly relevant when actuaries must sign off on models built by data science teams or acquired from AI vendors.

The limitation of ASOP No. 56 as a bridge framework is that it establishes professional obligations for individual actuaries, not organizational requirements for insurance carriers. SR 26-2 tells a bank's board of directors and senior management what they must oversee. ASOP No. 56 tells the actuary what they must do within their scope of professional responsibility. A carrier can comply with ASOP No. 56 by having its actuaries follow the standard's requirements while still lacking the organizational infrastructure (model inventory, tiered governance, independent validation function, board-level reporting) that SR 26-2 expects of banks.

The compliance gap between actuarial standards and ML model development workflows is a parallel challenge. ASOP No. 56 was drafted before generative AI was practically available, and its framers were contemplating traditional actuarial models, not LLMs or multi-agent systems. The Actuarial Standards Board's current pipeline includes multiple updates addressing data and modeling practices, and supplemental guidance on AI model governance may eventually emerge. In the interim, actuaries must apply ASOP No. 56's general principles to AI models with careful professional judgment, documenting their validation approaches thoroughly enough that another actuary could evaluate their work.

The 12-to-18-Month Window

The regulatory timeline creates a specific strategic window for insurance carriers. The federal banking agencies will issue their RFI on AI model risk governance, receive comments, analyze responses, draft proposed guidance, seek further comment, and issue final rules. Conservatively, formal AI-specific banking MRM guidance is 12 to 18 months away. The NAIC's AI evaluation tool pilot runs through September 2026, with results informing recommendations for adoption at the Fall National Meeting in November 2026. Any resulting model law or binding regulatory framework would require further drafting, exposure, and state-by-state adoption, putting enforceable insurance-specific AI governance requirements well into 2027 or 2028.

This window is not an invitation to delay. Grant Thornton's finding that 43% of insurance organizations have yet to introduce a formal AI risk management framework, combined with the 76% who cannot demonstrate governance on demand, indicates that much of the industry is unprepared for whatever standards eventually emerge. Carriers that build robust model risk programs now, using SR 26-2's principles as a reference architecture and ASOP No. 56 as a professional standards anchor, will have two advantages: they will be better positioned to adapt when formal insurance requirements arrive, and they will have a defensible governance posture for the market conduct examinations that the 12-state AI evaluation tool pilot is preparing regulators to conduct.

The specific risk of inaction is that the NAIC pilot produces findings about insufficient insurer AI governance, which accelerates the timeline from voluntary guidance to binding model law. The NAIC's Big Data and Artificial Intelligence Working Group has been exploring whether to transition the Model Bulletin's non-binding guidance into an enforceable Model Law that would create regulatory obligations rather than expectations. If pilot findings reveal widespread governance gaps, the political pressure for binding requirements intensifies.

Why This Matters for Actuaries

The issuance of SR 26-2 clarifies the model risk management expectations for one sector while highlighting the absence of comparable expectations for another sector deploying the same technologies. This creates both a challenge and an opportunity for the actuarial profession.

The challenge is immediate. Actuaries signing Statements of Actuarial Opinion on reserve adequacy for carriers using AI-driven claims models, actuaries filing rate indications based on ML pricing models, and actuaries validating underwriting algorithms for state regulatory submissions are all doing work that touches model risk. They are doing this work under professional standards (ASOP No. 56) that predate the AI tools they are validating, for organizations that frequently lack the model governance infrastructure that banks are now required to build under SR 26-2, in a regulatory environment where state DOIs are still developing the examination frameworks they will use to assess AI governance.

The opportunity is equally clear. SR 26-2 provides a well-articulated, recently modernized framework that actuaries can adapt for insurance use. Its principles of conceptual soundness, outcomes analysis, and ongoing monitoring are not banking-specific; they are general model validation principles that apply to any quantitative model in any sector. Its risk-based materiality tiering reflects how resource-constrained model risk functions should prioritize their work. Its emphasis on continuous monitoring over periodic point-in-time validation addresses the reality of ML models in production environments.

The actuarial profession has an opportunity to lead the development of insurance-specific model risk management standards rather than waiting for regulators to impose them. The SOA, CAS, and Academy have research committees, practice notes infrastructure, and standards-setting processes that could produce an insurance MRM framework adapted from SR 26-2's principles. That framework would give practicing actuaries the anchor document they currently lack, give state DOIs a reference standard for AI examination expectations, and give insurance carriers a defensible basis for their model governance programs.

The gap between banking and insurance model risk governance has been growing for years. SR 26-2 widened it. Whether the actuarial profession closes it proactively or waits for regulators to close it reactively will shape how AI governance in insurance evolves through the rest of this decade.

Sources

  1. OCC Bulletin 2026-13: Model Risk Management Revised Guidance (April 17, 2026)
  2. Federal Reserve SR Letter 26-2: Revised Guidance on Model Risk Management (April 17, 2026; replaces SR 11-7 and SR 21-8)
  3. OCC/Federal Reserve/FDIC, Revised Interagency Guidance on Model Risk Management, full text (April 2026)
  4. Domino Data Lab, "What Changes with SR 26-2: Model Risk Management Guidance" (model definition, risk-based tiering, validation independence analysis)
  5. ValidMind, "SR 26-2: What Every Bank Needs to Know" (materiality framework, narrowed model definition, governance comparison)
  6. AI2Work, "Fed and OCC Overhaul Bank Model Risk Rules but Leave AI Uncharted" (AI exclusion analysis, planned RFI details)
  7. Lumenova AI, "SR 26-2: Actionable Guide to Model Risk Management" (three validation pillars, board responsibilities, GenAI exclusion scope)
  8. Grant Thornton, 2026 AI Impact Survey Report (950 executives; 63% AI operationalization, 24% governance confidence, 43% lacking formal AI risk frameworks)
  9. NAIC, Artificial Intelligence Insurance Topics (AI Principles 2020, Model Bulletin 2023, AI evaluation tool pilot 2026)
  10. Fenwick, "NAIC Expands AI Systems Evaluation Tool Pilot Program to 12 States" (Exhibits A-D structure, March-September 2026 timeline, proportionality principle)
  11. Plante Moran, "How the NAIC AI Model Bulletin Is Evolving and Why Insurers Should Prepare Now" (Model Law transition, state adoption status)
  12. Actuarial Standards Board, ASOP No. 56: Modeling (effective October 2020; Sections 3.2, 3.4, 3.7, 4.1 on data, testing, reliance, documentation)
  13. Sia Partners, "SR 11-7 vs. SR 26-2: Model Risk Management Modernization" (side-by-side comparison of validation and governance changes)
  14. Roots Automation, "What Insurers Need to Know About Colorado's New AI Regulations" (SB 21-169, Regulation 10-1-1, annual compliance reports)