If you run models inside a regulated bank, the document you have built your validation calendar around no longer exists. On April 17, 2026, the Federal Reserve, OCC, and FDIC rescinded SR 11-7 and its sister issuances and replaced them with a single revised interagency framework, carried in the Fed as SR 26-2. Knowing precisely what moved, and where large language models sit relative to that line, is the first thing you need before you touch an inventory, a tier, or an eval.

This lesson covers the regime change itself. The mechanics of inventory, tiering, and validation come in later modules. Here we fix the baseline: what the old standard required, what the new one changes, and the awkward fact that the guidance that governs your LLMs says LLMs are out of scope.

What SR 11-7 actually required

SR 11-7, issued in 2011, defined a model as "a quantitative method, system, or approach that applies statistical, economic, financial, or mathematical theories, techniques, and assumptions to process input data into quantitative estimates." That definition matters more than it looks. It was built for credit scorecards, capital models, and pricing engines, not for a system that generates text.

The framework rested on three core elements: robust model development, implementation, and use; effective model validation; and sound governance, policies, and controls. Validation itself had three pillars that practitioners still recite from memory: evaluation of conceptual soundness, ongoing monitoring, and outcomes analysis.

The binding idea underneath all of it was "effective challenge." Someone with the independence, competence, and standing to question a model's assumptions had to actually do so, and had to be able to force changes. In practice most institutions operationalized this as a separate validation function and a roughly annual revalidation cycle applied fairly uniformly across the inventory. That uniformity is the thing the 2026 revision attacks.

What SR 26-2 changes

The revised guidance keeps the architecture and changes the operating model. The three validation pillars, conceptual soundness, outcomes analysis, and ongoing monitoring, all survive. What shifts is how hard you apply them and to what.

The headline change is the move from a calendar to a risk profile. Annual revalidation as a default is gone. In its place is oversight calibrated to a model's materiality and to the size and complexity of the institution. A low-materiality model and a model that drives capital are no longer expected to sit on the same review cadence.

Three other changes are worth pinning down:

The regime moved from "validate everything on a schedule" to "validate in proportion to what the model can break."

Where GenAI sits: out of scope, not out of reach

Here is the part that trips up most teams. SR 26-2 states that generative AI and agentic AI models are novel and rapidly evolving, and therefore are not within the scope of the guidance. The agencies committed to issuing a request for information on AI, including generative and agentic AI, in the near future. As of this writing that RFI has not landed.

Read carefully, because "out of scope" is doing specific work. It does not mean your LLM is unregulated. It means the agencies have declined, for now, to map the existing validation playbook onto systems they think it does not yet fit. Safety, soundness, consumer protection, and third-party risk obligations all still apply. Your internal audit and your examiners are already reasoning about LLM systems by analogy to the framework, even though the framework formally excludes them.

So the practical posture is not "wait for the RFI." It is "apply the spirit of SR 26-2 to GenAI while the letter catches up." That means risk-based oversight, real effective challenge, and heavy reliance on monitoring and outcomes, the exact tools the revision elevated, pointed at systems the revision technically left out.

A worked example

Take an LLM that drafts adverse action notices for a consumer lending team. A human reviews and sends each notice.

Under a literal reading, this sits outside SR 26-2: it is a generative model, explicitly out of scope, and it produces no quantitative estimate, so it may even fall outside the old model definition. A team that stops there has misread the situation.

The credit decision that the notice explains is driven by a scoring model that is squarely in scope and must be governed as a material model. The LLM that explains it carries its own risk: a hallucinated reason code or an inaccurate statement of rights is a fair lending and disclosure problem regardless of which supervisory letter names it. The defensible treatment is to govern the scoring model under SR 26-2 in full, and to wrap the LLM in the revision's own logic, materiality-based oversight, an independent reviewer empowered to reject outputs, and continuous monitoring of accuracy and tone against the underlying decision. You inherit the discipline of the framework without waiting for it to formally claim the system.

The takeaway

SR 11-7 is retired. SR 26-2 keeps the three validation pillars but replaces uniform annual revalidation with oversight scaled to materiality, redefines effective challenge around substance rather than separation, and is explicitly non-binding. Generative and agentic AI are out of scope, with an RFI promised but not yet published.

The working assumption for LLM teams is straightforward: out of scope is a gap you are expected to fill with the framework's own principles, not a safe harbor. Build your GenAI governance as if SR 26-2 already covered it, because in substance your examiners already do.

Next →
The Inventory Problem: Finding Every LLM Already Running in Your Bank