
SR 26-2, AI agents, and no safe harbor

SR 26-2 scoped agentic AI out of model-risk guidance. No template means no safe harbor — the predicate rules and discovery never went away.

On 17 April 2026 the Federal Reserve issued SR 26-2, retiring SR 11-7 — the model-risk guidance that had governed how US banks validate, document, and control their models for fifteen years. The headline most teams took away was relief: the new letter explicitly scopes agentic AI out of model-risk guidance. An AI agent that books entries, clears alerts, or drafts filings is not, for supervisory purposes, a "model" in the SR 26-2 sense.

A compliance lead reading that could be forgiven for hearing "you are off the hook." That reading is dangerous. Being scoped out of a framework is not the same as being unregulated. It means the framework that would have told you exactly what evidence to keep no longer applies — and nothing has been written to replace it.

This is the 2026 regulatory gap. There is now no supervisory template for how a bank governs an autonomous agent. And no template means no safe harbor.

What "no safe harbor" actually means

A safe harbor is a documented expectation you can point to and say: we did the prescribed thing, here is the prescribed record, we are within bounds. SR 11-7 was, in practice, a safe harbor for models — validate, document the limitations, keep the evidence, and an examiner had a checklist to grade you against.

SR 26-2 removes that checklist for agents without issuing a new one. The result is not freedom. It is exposure. When there is no agreed standard for what "under control" looks like, you do not get to argue you met the standard. You get judged after the fact — by an examiner improvising, or by a plaintiff's counsel in discovery — against whatever a reasonable institution should have done.

That is a worse position than a strict rule, not a better one. A rule tells you what evidence will protect you. A gap tells you nothing, then asks you to produce evidence anyway.

The predicate rules did not move

Here is the part the "scoped out" headline obscures. SR 26-2 changed the model-risk overlay. It did not touch the underlying obligations that govern the decision an agent now makes on a human's behalf. Those rules are indifferent to whether a model or a person sits in the seat.

  • A suspicious-activity report under the Bank Secrecy Act is a mandated human decision. An agent can assemble it; a named person still owns filing it.
  • NYDFS Part 504 requires an annual senior-officer certification that the institution's transaction-monitoring and AML program is reasonably designed and operating. An agent inside that program does not make the certification go away — it widens what the certifying officer is now personally attesting to.
  • The Wolfsberg Group guidance names the maker-checker, four-eyes principle as the control standard for high-consequence financial decisions. That standard predates AI and survives it.
  • SOX still demands that controls over financial reporting are documented and effective, whoever — or whatever — operates them.

None of these has a sunset clause tied to model-risk guidance. They are date-proof. An agent that clears its own alert, approves its own journal entry, or files without a four-eyes check breaches the predicate rule directly, regardless of how SR 26-2 classifies the agent. The supervisory overlay moved. The floor did not.

Discovery never waits for guidance

Examiners are one audience. The one that should worry a personally liable officer more is litigation. When an agent moves money to the wrong place, clears a hit that should have escalated, or approves a transaction it had no business approving, the question in deposition is not "what did SR 26-2 say." It is:

Who authorized this agent to do that, and can you prove the record was not altered?

Discovery does not pause because the regulator has not published a template. The plaintiff's expert will ask what the agent was permitted to do on the day in question, who approved that permission, whether the same actor both prepared and approved the action, and whether your audit trail can be trusted by someone who assumes you tampered with it. "It was in the system prompt" is not an answer to any of those. Neither is a database table your own administrators can edit.

The gap, in other words, does not reduce your evidentiary burden. It removes the checklist that told you how to meet it.

The defensible position is a verifiable record

If no one will hand you a template, the only durable position is to build the record you would want to be holding when someone asks. Not a policy document — an actual, mechanical, after-the-fact-provable account of what each agent was allowed to do and what it did.

Concretely, that record has to answer four questions without relying on anyone's good word:

| Question in discovery | What answers it |
|---|---|
| What was this agent permitted to do that day? | Deny-by-default, versioned grants you can replay to any past date |
| Could it approve its own work? | Structural segregation of duties — the same agent provably cannot be maker and checker on one run |
| Did a named human sign the consequential step? | An n-of-m approval gate where the requester cannot approve their own request, with the signer's reason captured |
| Has the log been altered? | A hash-chained, signed audit export a third party can verify offline, without trusting you |

This is exactly the territory a control plane for AI agents occupies — a layer that sits between the agent's intent and the real world, authorizing and recording rather than hoping. It is also why the middle-office work banks most want to automate — reconciliations, alert triage, sanctions screening — is precisely where the absence of a template bites hardest: high volume, high consequence, and now no prescribed control standard.

The point is not to predict what the eventual supervisory template will require. It is that whatever it requires, a verifiable record of authority and approval is the evidence any plausible template would expect — and in the meantime, it speaks directly to the predicate rules and the discovery process that never went anywhere. You do not have to guess the future rule to be defensible against it. You have to be able to prove control.
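As an added illustration of the four controls in the table above, here is example code written for this page, not MakerChecker's own: replayable deny-by-default grants, a maker-checker gate with an n-of-m quorum and mandatory reason, and a hash-chained export that a verifier can check offline. The grant records, agent and run names, and the demo signing key are constructed, and an HMAC tag stands in for the asymmetric signature a real export would carry.

```python
import hashlib, hmac, json

# Constructed demo key (assumption): stands in for an HSM-held signing key.
SIGNING_KEY = b"demo-key-not-for-production"

def permitted(grants, agent, action, at):
    # Deny by default; the newest grant effective at `at` decides (replayable to any past date).
    live = [g for g in grants if (g["agent"], g["action"]) == (agent, action)
            and g["effective"] <= at]
    return bool(live) and max(live, key=lambda g: g["effective"])["allow"]

def append(log, event):
    # Each entry commits to the previous entry's hash (hash chain).
    prev = log[-1]["hash"] if log else "0" * 64
    body = json.dumps({"prev": prev, **event}, sort_keys=True)
    log.append({"prev": prev, **event, "hash": hashlib.sha256(body.encode()).hexdigest()})

def request(log, grants, agent, action, run_id, at):
    # Maker step: an agent may only propose an action it is granted on that date.
    if not permitted(grants, agent, action, at):
        raise PermissionError(f"{agent} not permitted to {action} at {at}")
    append(log, {"type": "request", "run": run_id, "agent": agent, "action": action, "at": at})

def approve(log, run_id, approver, reason, quorum=1):
    # Checker step (n-of-m): the maker never checks, a reason is mandatory, commit only at quorum.
    req = next(e for e in log if e["type"] == "request" and e["run"] == run_id)
    if approver == req["agent"]:
        raise PermissionError("maker cannot approve its own request")
    if not reason:
        raise ValueError("approval reason is mandatory")
    append(log, {"type": "approve", "run": run_id, "by": approver, "reason": reason})
    signers = {e["by"] for e in log if e["type"] == "approve" and e["run"] == run_id}
    if len(signers) >= quorum:
        append(log, {"type": "commit", "run": run_id, "signers": sorted(signers)})
    return len(signers) >= quorum

def export(log):
    # Signed export: a tag over the chain head binds the entire history.
    head = log[-1]["hash"] if log else "0" * 64
    return {"entries": list(log), "tag": hmac.new(SIGNING_KEY, head.encode(), "sha256").hexdigest()}

def verify(exported, key=SIGNING_KEY):
    # Offline check: recompute every link, then the tag over the head.
    prev = "0" * 64
    for e in exported["entries"]:
        body = json.dumps({k: v for k, v in e.items() if k != "hash"}, sort_keys=True)
        if e["prev"] != prev or hashlib.sha256(body.encode()).hexdigest() != e["hash"]:
            return False
        prev = e["hash"]
    return hmac.compare_digest(exported["tag"], hmac.new(key, prev.encode(), "sha256").hexdigest())
```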

Stop waiting for permission to be careful

The instinct after SR 26-2 is to wait — let the agentic-AI guidance arrive, then build to it. That instinct optimizes for the wrong risk. The exposure is not "we built the wrong controls." The exposure is "we ran agents through a window with no controls and no record, and now someone is asking us to account for it."

A bank that ships agents into the middle office today, without a record of what each one was permitted to do, is not early. It is accumulating undocumented decisions that a certifying officer under Part 504 will eventually have to stand behind — with nothing to stand on. A tamper-evident audit trail built before the template arrives is the cheapest insurance available against a gap that shifts the entire burden onto you.

No rules does not mean no scrutiny. It means the scrutiny arrives later, from a less forgiving direction, and asks for evidence you either kept or did not.


MakerChecker is an open-source control plane that produces exactly that record. See how it works, or book a demo to watch an agent get blocked from approving its own work — live.
