Reg Environment · May 15, 2026 · 12 min read

The 2026 Regulatory Environment for Models and AI: A Practitioner's Map

The regulatory perimeter around models and AI moved further in the last eighteen months than in the previous decade. SR 11-7 — the 1,500-word letter that quietly shaped a generation of model risk programs — has been formally superseded. The EU AI Act is no longer a future-tense problem. NIST's AI Risk Management Framework and ISO/IEC 42001 have crossed from "good practice" into the language procurement teams write into contracts.

What follows is the map we hand new clients on day one: the rules that actually matter in 2026, who they apply to, why they exist, and where our practice plugs in.

SR 26-2 — Revised Interagency Guidance on Model Risk Management

Issued: April 17, 2026, jointly by the Federal Reserve, OCC (Bulletin 2026-13), and FDIC. Supersedes: SR 11-7 / OCC 2011-12. Applies to: US banking organizations, with the letter explicitly aimed at institutions over $30B in assets but treated as the de facto standard everywhere else.

What's new vs SR 11-7. The bones are the same — conceptual soundness, outcomes analysis, ongoing monitoring, effective challenge — but the surface area expanded. SR 26-2 explicitly brings AI/ML and GenAI systems inside the model definition, formalizes tiering proportionate to risk rather than uniform rigor, and tightens expectations around third-party and vendor models (including LLM providers). Documentation expectations are deeper, and the role of the second line is described in operational, not aspirational, terms.

Who needs to care. Anyone with a model inventory inside a US-regulated bank, plus the long tail of insurers, fintechs, and non-banks whose regulators pattern-match against the interagency standard.

Where Forli plugs in. Independent validation, inventory and tiering rebuilds, GenAI risk frameworks, and exam preparation are the bulk of our Model Risk Management practice. Watchtower generates SR 26-2-shaped monitoring evidence continuously, so the audit file is a byproduct rather than a quarterly fire drill.

EU AI Act

In force: staged through 2025–2027, with high-risk system obligations now binding. Applies to: any provider, deployer, importer, or distributor of an AI system placed on the EU market — regardless of where the company is headquartered.

Key points. A risk-tiered regime: prohibited uses, high-risk systems (credit scoring, employment, insurance pricing, critical infrastructure, biometric ID), limited-risk transparency obligations, and minimal-risk. High-risk systems carry obligations for risk management, data governance, technical documentation, logging, human oversight, accuracy/robustness, and post-market monitoring. General-purpose AI models carry their own transparency and systemic-risk obligations.

Who needs to care. Anyone selling into or operating inside the EU — and increasingly, US firms whose enterprise buyers require AI Act-aligned documentation as a procurement gate.

Where Forli plugs in. We map AI Act obligations to existing MRM controls so clients aren't running two parallel governance programs. Crosswalk emits AI-Act-shaped technical documentation, data contracts, and post-market monitoring hooks as part of every artifact — governance is the side effect, not a separate workstream.

PRA SS1/23 — Model Risk Management for Banks

In force: May 2024, with PRA CP6/24 extending principles to AI-specific controls. Applies to: UK banks, building societies, and PRA-designated investment firms.

Key points. Five principles covering model identification, governance, development & implementation, independent validation, and risk mitigants. Notably less prescriptive than SR 26-2 but more explicit about board-level ownership and the treatment of deterministic versus non-deterministic models.

Who needs to care. UK-regulated firms, plus US and EU groups with UK subsidiaries that need a coherent group-wide policy.

Where Forli plugs in. Cross-jurisdictional policy design, validator-grade reviews accepted by UK internal audit, and mapping of UK principles to US/EU frameworks so one piece of evidence satisfies all three.

NIST AI RMF (incl. Generative AI Profile)

Issued: AI RMF 1.0 (2023); Generative AI Profile (2024). Applies to: voluntary, but increasingly the de facto US federal standard and a common contract requirement.

Key points. Four functions — Govern, Map, Measure, Manage — applied across the AI lifecycle. The GenAI Profile adds specific risks (confabulation, data privacy leakage, dangerous content, IP, value chain & component integration) and the controls expected against each.

Who needs to care. Federal contractors, anyone subject to OMB M-24-10, and increasingly any enterprise whose customers demand a recognized AI risk taxonomy.

Where Forli plugs in. We use NIST AI RMF as the common backbone in AI/ML engagements where SR 26-2 doesn't formally apply but a defensible governance story still does — particularly for GenAI and agentic systems.

ISO/IEC 42001 — AI Management Systems

Issued: December 2023. Applies to: any organization that develops, provides, or uses AI systems and wants a certifiable management system.

Key points. An ISO-style management-system standard (think ISO 27001 for AI): policy, leadership, planning, support, operation, performance evaluation, improvement. Pairs neatly with technical frameworks like NIST AI RMF — ISO 42001 is the system, NIST AI RMF is the practice.

Who needs to care. Enterprises pursuing certification as a market signal, regulated firms wanting an auditable AI governance scaffold, and vendors whose buyers ask "are you 42001-aligned?"

Where Forli plugs in. Gap assessments, policy/procedure design, and integration with existing ISO 27001 and SOC 2 programs so AI governance doesn't become a parallel bureaucracy.

CFPB Circular 2022-03 & ECOA / Reg B

Applies to: US lenders, credit decisioning platforms, and any model used for adverse action.

Key points. Adverse action notices must give specific, accurate reasons even when the underlying model is complex or "black-box." There is no algorithmic exception to ECOA. Disparate impact testing, subgroup performance, and explainability are not optional add-ons — they are compliance preconditions.

Who needs to care. Lenders, BNPL providers, insurers using ML pricing, and any consumer-facing decisioning model.

Where Forli plugs in. Bias and fairness reviews, adverse-action explanation pipelines, and validation of ML credit models — typically alongside an SR 26-2 validation engagement.

Adjacent regimes worth knowing

  • SEC / FINRA on predictive analytics — proposed rules on conflicts of interest in broker-dealer and investment adviser use of AI and predictive analytics; relevant to wealth and capital markets.
  • NYDFS Circular Letter No. 7 (2024) — insurers' use of AI and external consumer data in underwriting; explicit governance, fairness, and transparency expectations.
  • HHS / OCR Section 1557 — non-discrimination in clinical decision support tools; covered entities must identify and mitigate algorithmic discrimination.
  • State AI laws — Colorado's AI Act, NYC Local Law 144 (automated employment decision tools), and a growing patchwork of state privacy and AI bills creating overlapping obligations.

The Forli view

The temptation, faced with this list, is to spin up a separate workstream per regime. Don't. The intersection of these frameworks is far larger than their differences — they all want defensible inventories, independent validation, evidence of monitoring, explainability, and human oversight. Build the controls once, generate the evidence continuously, and map the artifacts to whichever regulator is at the door this quarter.

That is the operating model behind every engagement we run, and the design principle behind Crosswalk and Watchtower. If your program is still assembling evidence by hand the week before committee, you are paying the SR 11-7-era tax in an SR 26-2-era world. We can help you stop.
