OCC Bulletin 2026-13 excluded generative and agentic AI from Model Risk Management. The artifact that just became the only thing an examiner can ask for is the Determination, and most institutions do not have one.

Vercel's April 2026 breach was not an AI vendor incident. It was an identity governance failure with an AI tool as the attack vector. Mid-market financial institutions share the exact same failure surface.

You deployed SailPoint, CyberArk, and Entra ID. Examiners still issued findings. The problem was never the tools — it was the governance architecture the tools were asked to automate.

OCC Bulletin 2026-13 rescinds the model risk guidance that governed AI classification since 2011 and explicitly excludes generative AI from scope. That is not a free pass. It is a governance vacuum your own architecture needs to fill.

When an examiner asks who approved your AI deployment, silence is not an acceptable answer. A Decision Authority Matrix maps approval authority to risk tier and creates the evidence trail that proves governance existed before the question was asked.

Federal regulatory expectations for AI governance are converging fast. Here is what examiners will be asking and what your institution needs to prove before the next exam cycle.

Your AI policy isn’t governance. It’s a suggestion with a signature line. Here’s why architecture beats documentation, and what the Governance Spine looks like in practice.

147 policies. Zero mechanisms. It is likely the single most common failure mode at regulated organizations of every size.