Imagine this scenario: A regional bank deployed a generative AI assistant inside its commercial lending workflow. The vendor pitched it as productivity tooling. The risk function did not classify it as a model. The first-line team built dashboards on top of it. The MRM register did not list it. Later, an examiner asks one question: where is the Determination documented that this was not a model?
The bank had a deployed system, a vendor contract, and a generic acceptable-use policy. None of the three answered the question.
The Reframe
Post-2026 exams will not about whether your AI is a model. It is about whether you ran the question to ground, classified the system, and produced a defensible record of the decision. The artifact is not the model card. The artifact is the Determination.
A Determination is a written, dated, signed record that names the system, classifies its risk tier, states the model versus non-model decision, defines the data scope, and assigns the approval authority. It is the load-bearing evidence that the institution governed the system before it deployed.
Most mid-market institutions do not have this. They have an inventory line, sometimes. They have a procurement record, usually. They rarely have a Determination.
What Bulletin 2026-13 Actually Changed
OCC Bulletin 2026-13 excluded generative and agentic AI from the scope of the Model Risk Management framework. Headlines read it as relief. The opposite is true.
When a system sits inside MRM, the framework supplies the governance scaffolding: inventory, validation, performance monitoring, periodic review. Strip that scaffolding away and the institution's own governance is the only thing the examiner can ask for. If the institution does not have a Determination on file, the examiner has nothing to evaluate except absence.
The exclusion did not lower the bar. It moved the bar. The Determination is now the primary regulator-facing artifact for any generative or agentic AI system, and the only artifact that proves the institution governed the system at all.
Three failure modes follow directly from the exclusion.
1. Default-Out of MRM, Default-Out of Governance
A system is classified as non-model, then quietly classified as non-anything. Nobody owns it. Nobody renews it. Nobody re-reviews it.
2. Scope Drift Without Re-Determination
A medium-tier assistant gains write access to a regulated workflow. Risk tier moves. The original Determination does not. The examiner sees the new posture, the institution shows the old record.
3. No Determination Trail at Exam Time
The institution can describe the system in conversation but cannot evidence the decision that placed it where it sits. Description is not evidence.
The Mechanism: A Determination Gate Routed Through the Decision Authority Matrix
A Determination is not a memo. It is a gate. Two mechanisms make it real.
Risk-tiered AI register. Every AI system, model and non-model, lives on one register. The register names the system, the data scope, the function, the risk tier, the Determination date, the approval authority, and the next review trigger. One artifact, one source of truth, owned by Second Line.
Determination gate, routed through the Decision Authority Matrix. Every new AI system, every material scope change, every tier reclassification routes through the Matrix. The Matrix maps risk tier to required authority and required evidence.
Critical Tier
Examples. Core banking, credit underwriting, AML decisioning, broad agentic autonomy.
Required authority. Board or executive committee.
Required evidence. Signed Determination, classification rationale, data scope statement, model versus non-model decision, governance review confirmation.
High Tier
Examples. Customer-facing decisioning, regulated workflow assistance with limited autonomy.
Required authority. Senior management with documented risk acceptance.
Required evidence. Signed Determination, risk acceptance memo, data scope statement, monitoring plan.
Medium Tier
Examples. Internal productivity, supervised workflow tools, limited regulated-data access.
Required authority. Department head with IT security review.
Required evidence. Determination, data access scope, acceptable-use confirmation.
Low Tier
Examples. General-use assistants, no regulated-data access.
Required authority. Manager acknowledgment.
Required evidence. Determination, acceptable-use attestation.
The Matrix is the part that turns the Determination into a governed control rather than a one-time memo. A scope change without re-Determination is the single most common failure mode. The Matrix forces re-approval at the new tier, with the evidence the new tier requires. It is the mechanism the policy cannot replace.
Why This Is the Highest-Exposure Domain in 2026
D-02 Model Inventory and Classification is one of nine domains scored by the V³ AI Risk Assessment. In the 2026 regulatory posture, it is the highest-exposure domain. Every other domain reads off the inventory and the Determination: data governance traces back to the data scope on the Determination, vendor AI governance traces back to the third-party Determination, monitoring traces back to the classification, board reporting traces back to the register.
When the V³ Assessment scores D-02 below Defined (Level 3), the root cause is almost always the same. The institution made a default model versus non-model decision once, at procurement, and never produced a Determination.
The Diagnostic Question
Pull the list of every AI-enabled system the institution has paid for in the last twenty-four months. For each one, ask: where is the Determination? If the answer is the contract, the policy, or the procurement record, the institution does not have one.
That gap is what the V³ Diagnostic Call surfaces in 30 minutes. Book one at voidvanguard.com.
