Artificial Intelligence and Machine Learning in Asset Liability Management
Industry Challenges & Governance Obligations Under SR 26-2
James L Glueck, CFA FRM
Managing Director, Arcsalus Advisors
Brian Velligan
Managing Partner, Arcsalus Advisors
June 2026

Introduction

The years following the Global Financial Crisis produced a foundational reset in how banking regulators approached model risk. The landmark 2011 interagency guidance on model risk management (SR 11-7) established a comprehensive framework for the development, validation, monitoring, and governance of quantitative models used by financial institutions in consequential business decisions. For nearly 15 years, SR 11-7 shaped how community banks, regional institutions, and large banking organizations thought about the risks embedded in the models upon which they relied for interest rate risk (IRR) measurement, liquidity stress testing, balance sheet management, and related Treasury and financial risk management functions.


On April 17, 2026, the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) jointly issued revised supervisory guidance on model risk management (SR 26-2), superseding SR 11-7.[1] SR 26-2 arrives at a pivotal moment for asset liability management practitioners. The 2022–2023 rate tightening cycle exposed consequential weaknesses in deposit behavioral assumptions across the industry. The bank failures of 2023 demonstrated in real time the systemic cost of underestimating deposit repricing speed and migration risk. At the same time, artificial intelligence (AI) and machine learning (ML) methods are gaining meaningful consideration with respect to IRR and balance sheet management frameworks.


This paper examines the principal challenges financial institutions face when deploying AI and ML methods within asset liability management frameworks, grounded in the requirements and expectations of SR 26-2. It addresses how models are defined under the revised guidance, what financial institutions of all sizes must consider in light of SR 26-2’s scope and principles, and the specific MRM requirements applicable to AI and ML applications in IRR and ALM practice.


How SR 26-2 Defines a Model

The definition of “model” is foundational to any model risk management framework because it determines what falls within the scope of governance, validation, and oversight requirements. SR 11-7 defined a model broadly, capturing most quantitative tools including many spreadsheets, expert-judgment processes, and rule-based systems. Over time, many financial institutions interpreted this breadth to include a wide range of tools in their model inventories, sometimes creating governance burdens disproportionate to actual risk.

SR 26-2 tightens the definition in a meaningful and purposeful way. Under the revised guidance, a “model” must satisfy three requirements simultaneously: it must apply a complex quantitative method rather than a simple formula or lookup table; it must have a theoretical underpinning grounded in statistical, economic, or financial theory; and it must produce a quantitative output (e.g., a number, score, probability, or valuation). All three criteria must be present. Simple arithmetic calculations, deterministic rule-based engines, and spreadsheets lacking embedded statistical or economic methods are explicitly excluded from the model definition. The practical implication is that model inventories should become smaller, more focused, and more directly aligned with an institution’s actual model risk exposures.

For ALM and IRR practitioners, this definitional refinement carries immediate relevance. Many ALM platforms in common use at community and regional institutions incorporate components that range from relatively straightforward cash flow projection engines to complex behavioral models estimating non-maturity deposit decay rates, deposit repricing betas, and loan prepayment speeds. Whether a given tool or component qualifies as a “model” under SR 26-2 is a consequential classification decision. Misclassification in either direction (failing to identify a qualifying model or incorrectly subjecting a simple tool to full MRM oversight) carries real costs, whether in the form of unmanaged risk or misallocated governance resources.

AI and ML methods, when deployed within IRR modeling frameworks to estimate behavioral assumptions, generate challenger analytics, or support scenario analysis, almost certainly satisfy all three criteria of the revised guidance. They apply complex quantitative methods grounded in statistical theory to produce quantitative outputs. Institutions considering or currently using AI/ML in their ALM frameworks should proceed from the baseline assumption that such methods are models within the meaning of SR 26-2, with all attendant governance obligations that follow.

*Generative AI and agentic AI are explicitly excluded from SR 26-2’s scope. The guidance acknowledges these technologies are novel and rapidly evolving and that the existing model risk management paradigm does not map cleanly onto them. If your institution uses a large language model to summarize ALCO reports or an AI agent to draft scenario narratives, those tools fall outside the SR 26-2 framework – though the agencies have signaled that separate guidance is forthcoming, and existing risk management principles still apply.


SR 26-2’s Scope of Applicability

SR 26-2 identifies its primary intended audience as banking organizations with more than $30 billion in total assets regulated by the Federal Reserve, the OCC, or the FDIC. This applicability statement represents a departure from SR 11-7, which was broadly applied across supervised institutions regardless of asset size. For community and regional financial institutions, the natural question is whether SR 26-2 represents a meaningful change in their supervisory exposure.

The answer requires careful reading. While SR 26-2 is primarily directed at larger institutions, the revised guidance explicitly acknowledges that smaller institutions may fall within the practical scope of its principles if they exhibit significant model risk, complex model usage, nontraditional activities, or material reliance on models for financial, credit, liquidity, compliance, or operational decisions. Importantly, SR 26-2 is formally non-binding supervisory guidance, but “non-binding” does not mean inconsequential. Regulators and examiners treat it as the benchmark for sound practice, and institutions that deviate from its principles without documented and defensible rationale expose themselves to supervisory criticism, particularly when model risk materializes in adverse outcomes.

The practical reality for sub-$30 billion institutions is that SR 26-2 modifies the underlying basis of MRM practice rather than eliminating it. The industry shift precipitated by the revised guidance is from the relatively prescriptive, compliance-oriented approach of SR 11-7 toward a more tailored, risk-based, institution-specific model risk framework. In this environment, the burden shifts from demonstrating adherence to a uniform standard toward demonstrating that the institution’s MRM framework is reasonable, defensible, and proportionate to its actual model risk profile. For institutions with significant IRR exposure, complex behavioral models, or growing AI/ML deployments, this distinction may be more formal than substantive. The expectation of sound model governance applies regardless of asset size.


AI and ML in ALM

The IRR modeling challenges surfaced by the 2022–2023 rate cycle created a compelling and evidence-based case for improving behavioral assumption analytics. Non-maturity deposit betas calibrated on post-2010 low-rate data failed to anticipate the sharp competitive repricing pressure that emerged as the Federal Open Market Committee raised the federal funds rate by more than 500 basis points between March 2022 and July 2023. Deposit decay assumptions built on the stability of the extended low-rate period proved inadequate when competitive dynamics and customer rate sensitivity reemerged. Prepayment curves calibrated for environments with strong refinancing incentives did not transition smoothly to the dramatically reduced prepayment activity of a high-rate environment. In each case, behavioral assumptions that were the primary drivers of net interest income (NII) and economic value (EVE) projections proved to be the primary sources of model error.

AI and ML methods offer a notable pathway for improving behavioral assumption analytics in these areas. Compared to the static prepayment tables, linear beta estimates, and historical decay averages typical of traditional IRR frameworks, properly deployed AI/ML can capture nonlinear borrower behaviors, refinancing incentive effects, burnout effects, and seasoning factors more robustly. For non-maturity deposit analytics, AI/ML can improve segmentation of deposit sensitivity, identify regime-dependent migration patterns, estimate dynamic betas across changing competitive environments, and quantify the response elasticity of different customer and product segments.[2]

The practical use case best suited for AI/ML in IRR today is the deployment of AI/ML methods in support of assumption inputs to traditional IRR frameworks. AI/ML-generated prepayment assumptions, deposit betas, and decay estimates feed the established cash flow, repricing, and valuation engines of the primary IRR model. Management continues to review outputs, apply overlays where warranted, and operate within approved limits. This controlled augmentation approach preserves the tractability and governance integrity of the core IRR framework while capturing the behavioral precision that AI/ML methods can provide.


Principal Challenges and Risks

Despite the genuine analytical advantages AI and ML methods offer, their deployment in ALM and IRR frameworks introduces a set of challenges that financial institutions (and the boards and senior management teams responsible for overseeing them) must address systematically.

Model Opacity and Explainability. Many AI/ML methods, particularly ensemble techniques such as gradient boosted trees and deep neural networks, operate in ways that sacrifice interpretability for predictive accuracy. In an IRR or ALM context, this opacity is a key consideration with respect to SR 26-2 governance expectations. Institutions must be able to explain how AI/ML methods affect net interest income projections, economic value outcomes, assumption overlays, and management decisions in terms that are meaningful and transparent to senior management, the Asset Liability Committee, and the board. A model that materially influences balance sheet risk measurement but cannot be explained to those responsible for risk oversight represents an unacceptable governance gap. SR 26-2’s supervisory expectations do not relax in response to methodological complexity. Increased model opacity mandates stronger controls, not weaker standards.

Data Dependency and Regime Sensitivity. AI and ML models are trained on historical data, and their predictive quality is bounded by the relevance of that data to current and prospective conditions. The behavioral dynamics of deposit repricing, prepayment, and customer migration are regime-dependent. Patterns observed in a decade-long low-rate environment may provide limited guidance for high-rate or rapidly shifting environments. This creates a structural vulnerability in AI/ML behavioral models deployed in IRR frameworks. The conditions under which model performance is most consequential are precisely those most likely to differ materially from the training environment. Institutions must explicitly assess and document the regime dependencies of their AI/ML methods, stress test model outputs across out-of-sample rate environments, and maintain approved fallback methodologies for use when AI/ML performance deteriorates.

Aggregate Model Risk and Correlated Failures. SR 26-2 gives particular attention to aggregate model risk, the risk arising from shared assumptions, common data sources, and interdependencies across multiple models. In a typical community or regional bank ALM environment, the same non-maturity deposit behavioral assumptions may simultaneously drive the IRR model, the liquidity stress test, the funds transfer pricing framework, and the deposit pricing model. If those assumptions are generated by a shared AI/ML system, a single methodological weakness or data quality issue can propagate correlated errors across the entire risk management architecture. This concentration is not hypothetical. The industry’s post-2022 experience with deposit assumption failures demonstrated precisely this kind of propagating error, affecting IRR, liquidity, and profitability projections simultaneously. Institutions incorporating AI/ML into their behavioral assumption frameworks must map these dependencies explicitly and ensure that assumption changes in one framework are reflected consistently across all dependent models.

Third-Party and Vendor Model Obligations. The majority of community and regional financial institutions rely on third-party developed ALM models, and an increasing number of platform providers are incorporating AI/ML capabilities into their offerings. SR 26-2 is unambiguous on this point: vendor origin does not reduce a financial institution’s model risk management obligations. Institutions remain responsible for understanding the design, conceptual soundness, development data, performance characteristics, and limitations of vendor models to the extent necessary for sound use. Where vendor transparency is limited, institutions are expected to compensate through stronger due diligence, benchmarking, outcomes analysis, and documented limitation management. For smaller institutions with limited internal technical resources, this obligation can present a material practical challenge, one likely to intensify as vendor-sourced AI/ML capabilities become more sophisticated and widespread.

Governance, Documentation, and Change Control. SR 26-2 establishes clear governance expectations for AI/ML methods within MRM scope. Institutions should maintain comprehensive inventory entries for AI/ML models covering methodology, training data, limitations, assumptions, monitoring metrics, and model dependencies. Documentation must be sufficient to enable parties unfamiliar with the model to understand how it functions, where it is weak, and how it influences IRR decisions. Accountability across all three lines of defense (the model owner, independent model risk management, and internal audit) must be clearly established and exercised. Retraining events, specification changes, and methodology updates should require formal change control review and revalidation, not informal modifications outside governance channels. High override rates (where management judgment persistently replaces AI/ML outputs) should themselves be tracked as model performance metrics and may signal that recalibration or redevelopment is warranted rather than continued management adjustment.


Validation Requirements for AI/ML Under SR 26-2

SR 26-2 retains the three foundational pillars of model validation (conceptual soundness, outcomes analysis, and ongoing monitoring) and applies them to AI/ML methods within its scope. For AI/ML models specifically, the guidance elevates several validation practices as particularly important. Challenger benchmarking against simpler econometric or rule-based alternatives is essential: better in-sample fit is not, by itself, evidence of conceptual soundness or appropriateness for the intended use case. Out-of-sample testing and stress testing of model outputs across rate regimes must be integral components of any AI/ML validation program applied to IRR behavioral models. Effective challenge must be performed by individuals with both the technical expertise to evaluate AI/ML methodology and the business knowledge to assess whether model outputs are appropriate for their intended use in balance sheet management.

SR 26-2 also reinforces that the scope boundaries of AI/ML models in IRR must be explicit and enforced. A method validated and approved for use in generating deposit beta assumptions for dynamic scenario analysis should not be extended to serve as the primary driver of reported IRR metrics under static conditions without additional analysis, validation, and governance approval. Use case drift, the expansion of a model’s application beyond its validated and approved scope, is a formal MRM trigger under the revised guidance and represents one of the more commonly observed manifestations of tangible model risk in practice.


Conclusion

The integration of AI and ML methods into asset liability management frameworks represents an intriguing consideration. The behavioral assumption failures exposed by the post-pandemic rate cycle have created genuine and well-grounded incentives to pursue more dynamic, data-driven approaches to IRR modeling. SR 26-2, issued on April 17, 2026, provides the updated supervisory framework within which this evolution must be governed.

For financial institution leadership teams, the central question SR 26-2 poses is not whether AI/ML methods can be used in IRR and balance sheet management frameworks. The central question is whether the governance, validation, documentation, and use controls surrounding those methods are commensurate with their purpose, their exposure, and the significance of the decisions they influence. Institutions that proceed with discipline, develop the capacity to understand and explain their AI/ML methods, and invest in governance infrastructure appropriate to their risk profile will be positioned to realize the benefits these methods may offer.

[1] Federal Reserve Board, SR 26-2, “Revised Guidance on Model Risk Management,” April 17, 2026, https://www.federalreserve.gov/supervisionreg/srletters/SR2602.htm. See also OCC Bulletin 2026-13, “Model Risk Management: Revised Guidance,” April 17, 2026; FDIC Financial Institution Letter FIL-15-2026, “Agencies Revise the Interagency Model Risk Management Guidance,” April 17, 2026.

[2] For a discussion of AI/ML applications in IRR modeling, including NMD analytics and prepayment modeling, see Basel Committee on Banking Supervision, “Digitalisation of Finance,” BIS, May 2024, https://www.bis.org/bcbs/publ/d575.pdf; and Thomas Krabichler and Josef Teichmann, “A case study for unlocking the potential of deep learning in asset liability management,” Frontiers in Artificial Intelligence, AI in Finance, May 2023, https://www.frontiersin.org/journals/artificial-intelligence/articles/10.3389/frai.2023.1177702/full.
