Lenders and dealer partners, it’s time for the industry to step forward. The federal government has officially passed the baton, and the financial services industry now bears primary responsibility for supervising, monitoring, and assuring the safety of generative and agentic AI models. This isn’t a future possibility or a regulatory rumor. Two significant policy developments in early 2026 have made this reality unmistakably clear.
The Policy Landscape Shifts Decisively
In March 2026, the White House issued its National Policy Framework on AI, and the signal could not have been clearer. The administration doubled down on its view that AI regulation is fundamentally a matter of national competitiveness, not consumer protection bureaucracy. Principle V of the Framework states that Congress should not create any new federal rulemaking body to regulate AI, and should instead support development and deployment of sector-specific AI applications through existing regulatory bodies and through industry-led standards. Principle VII reinforces this by calling on Congress to preempt state AI laws that impose undue burdens, in favor of a minimally burdensome national standard.
The message is unmistakable: Washington is not coming to save us. The federal government has chosen innovation velocity over prescriptive oversight, deliberately leaving the door open for industry to define what responsible AI looks like in practice.
The second hammer fell on April 17th with the issuance of SR-26-2, “Revised Guidance on Model Risk Management,” from the OCC, Federal Reserve Board, and FDIC, a long-overdue update to the SR-11-7 guidance that had governed model risk management for over 15 years. In many ways, SR-26-2 is a welcome document. It’s shorter, moving from 21 dense single-spaced pages to a more readable 12 double-spaced pages. It replaces prescriptive “should” language with descriptive principles. It introduces materiality thresholds, focusing scrutiny on banks with $30 billion or more in assets. And it encourages lifecycle thinking—treating model development, validation, deployment, and monitoring as a continuous discipline rather than a one-time compliance exercise.
The Conspicuous AI Exception
However, here’s where the guidance becomes both significant and sobering. SR-26-2 is explicit in its self-imposed limitations: “This guidance does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism.” In plain language: figure it out yourselves.
Even more striking is Footnote 3, which carves out generative and agentic AI models entirely from the guidance’s scope, describing them as “novel and rapidly evolving.” The footnote acknowledges that banks should apply their existing risk management and governance practices to these tools but offers no specific direction on how. At the precise moment when AI risks are becoming more concrete and consequential, the federal government has formally stepped aside.
One can understand the logic. Premature or poorly informed federal guidance on AI could stifle innovation, create competitive disadvantages, or generate unintended consequences. Regulators wisely may prefer to gather industry input before codifying standards. But the gap this creates is real and growing. Generative AI and agentic models are already operating inside financial institutions—making decisions, automating workflows, and interacting with customers—while the regulatory framework governing them remains effectively silent.
The Risks Are Not Theoretical
Let’s be direct about what is at stake. Generative and agentic AI models pose a category of risk that simply did not exist when SR-11-7 was written in 2011. These systems can learn on the fly, adapting their behavior in ways that may diverge from their original design. They introduce novel security vulnerabilities—prompt injection attacks, model manipulation, and adversarial inputs that traditional model risk frameworks weren’t built to detect. And agentic AI systems, capable of taking actions autonomously in the world at high speed, can create cascading failures before any human reviewer has a chance to intervene.
These are not hypothetical concerns for some distant AI-enabled future. They are operational realities today. Financial institutions that deploy these tools without robust governance frameworks are not just taking on reputational risk—they are assuming the full weight of liability that regulators have, for now, declined to share.
Industry Must Rise to the Moment
The absence of federal mandates is not a green light for inaction. Dealers, banks, lenders, and their technology providers now occupy an unprecedented position: they must build the governance infrastructure that the government has chosen not to prescribe. This is both a burden and an opportunity.
The institutions that move quickly to develop rigorous AI governance frameworks—covering model monitoring, explainability, bias detection, security testing, and human oversight protocols—will not only manage their risk more effectively. They will also shape the industry-led standards that the White House and federal regulators have explicitly invited the private sector to create. First movers in responsible AI governance have a genuine opportunity to write the rules that everyone else will eventually follow.
The federal government has told us, in clear terms, that it trusts the industry to get this right. That trust is not unconditional—and it is not permanent. Regulatory patience has a shelf life. If high-profile AI failures begin to accumulate, the pendulum of oversight will swing back, and the rules written in that environment will almost certainly be more restrictive and less workable than anything the industry could have designed for itself.
Related Stories: