AI Industry’s Role in Defining Financial Services Standards

The federal government has officially passed the baton, and the financial services industry now bears primary responsibility for supervising, monitoring, and assuring the safety of generative and agentic AI models. This is not a future possibility or a regulatory rumor. Two significant policy developments in early 2026 have made this reality unmistakably clear, and the institutions that recognize this moment for what it is will be far better positioned than those that do not.

The Policy Landscape Shifts Decisively

In March 2026, the White House issued its National Policy Framework on AI, and the signal could not have been clearer. The administration doubled down on its view that AI regulation is fundamentally a matter of national competitiveness, not consumer protection bureaucracy. Principle V of the Framework states that Congress should not create any new federal rulemaking body to regulate AI, and should instead support development and deployment of sector-specific AI applications through existing regulatory bodies and through industry-led standards. Principle VII reinforces this by calling on Congress to preempt state AI laws that impose undue burdens, in favor of a minimally burdensome national standard.

The message is unmistakable: Washington is not coming to save us. The federal government has chosen innovation velocity over prescriptive oversight, deliberately leaving the door open for industry to define what responsible AI looks like in practice. This represents a deliberate and consequential policy choice, one that carries real weight for every institution currently deploying or evaluating AI tools.

The second major development arrived on April 17th with the issuance of SR-26-2, “Revised Guidance on Model Risk Management,” from the OCC, Federal Reserve Board, and FDIC. This was a long-overdue update to the SR-11-7 guidance that had governed model risk management for over 15 years. In many ways, SR-26-2 is a welcome document. It is shorter, moving from 21 dense single-spaced pages to a more readable 12 double-spaced pages. It replaces prescriptive “should” language with descriptive principles. It introduces materiality thresholds, focusing scrutiny on banks with $30 billion or more in assets. And it encourages lifecycle thinking, treating model development, validation, deployment, and monitoring as a continuous discipline rather than a one-time compliance exercise.

The Conspicuous AI Exception

But here is where the guidance becomes both significant and sobering. SR-26-2 is explicit in its self-imposed limitations: “This guidance does not set forth enforceable standards or prescriptive requirements; accordingly, non-compliance with this guidance will not result in supervisory criticism.” In plain language: figure it out yourselves.

Even more striking is Footnote 3, which carves out generative and agentic AI models entirely from the guidance’s scope, describing them as “novel and rapidly evolving.” The footnote acknowledges that banks should apply their existing risk management and governance practices to these tools, but offers no specific direction on how. At the precise moment when AI risks are becoming more concrete and consequential, the federal government has formally stepped aside.

One can understand the logic. Premature or poorly informed federal guidance on AI could stifle innovation, create competitive disadvantages, or generate unintended consequences. Regulators may wisely prefer to gather industry input before codifying standards. But the gap this creates is real and growing. Generative AI and agentic models are already operating inside financial institutions, making decisions, automating workflows, and interacting with customers, while the regulatory framework governing them remains effectively silent.

The Risks Are Not Theoretical

Let us be direct about what is at stake. Generative and agentic AI models pose a category of risk that simply did not exist when SR-11-7 was written in 2011. These systems can learn on the fly, adapting their behavior in ways that may diverge from their original design. They introduce novel security vulnerabilities that traditional model risk frameworks were not built to detect. The Center for Internet Security issued a formal report in April 2026 warning that prompt injection attacks represent a serious and growing threat to organizations using generative AI, noting that hidden malicious instructions embedded in documents, emails, and websites can lead to stolen sensitive data, unauthorized system access, and operational disruption. Prompt injection now ranks as the top vulnerability in the OWASP Top 10 for large language model applications.

Agentic AI systems, capable of taking actions autonomously in the world at high speed, amplify these risks further. They can create cascading failures before any human reviewer has a chance to intervene. And the financial sector is squarely in the crosshairs: a 2026 cybersecurity analysis confirmed 340 ransomware victims in financial services during 2025 alone, with AI-accelerated attacks enabling threat actors to move at machine speed across interconnected systems.

These are not hypothetical concerns for some distant AI-enabled future. They are operational realities today. And financial institutions that deploy these tools without robust governance frameworks are not just taking on reputational risk. They are assuming the full weight of liability that regulators have, for now, declined to share.

Industry Must Rise to the Moment

The absence of federal mandates is not a green light for inaction. Dealers, banks, lenders, and their technology providers now occupy an unprecedented position: they must build the governance infrastructure that the government has chosen not to prescribe. This is both a burden and an opportunity, and the data suggests that many institutions are not yet ready for it.

Grant Thornton’s 2026 AI Impact Survey of 950 banking executives found that banks are more likely than any other industry to report their AI controls are untested. Only 18 percent of banking leaders expressed full confidence in their AI controls, and half of respondents cited governance and compliance barriers as contributors to AI underperformance or failure. This is not a posture that will hold as AI deployment deepens and as regulatory patience runs its course.

The institutions that move quickly to develop rigorous AI governance frameworks, covering model monitoring, explainability, bias detection, security testing, and human oversight protocols, will not only manage their risk more effectively. They will also shape the industry-led standards that the White House and federal regulators have explicitly invited the private sector to create. First movers in responsible AI governance have a genuine opportunity to write the rules that everyone else will eventually follow.

The market for generative AI in financial services is already enormous and accelerating rapidly. According to Research and Markets, the generative AI financial services sector is projected to grow from $1.89 billion in 2025 to $2.48 billion in 2026, representing a compound annual growth rate of more than 31 percent. That growth rate makes governance not a nice-to-have but a structural imperative. Institutions deploying AI at this scale without tested controls are not building competitive advantage. They are building unpriced liability.

The federal government has told us, in clear terms, that it trusts industry to get this right. That trust is not unconditional, and it is not permanent. Regulatory patience has a shelf life. If high-profile AI failures begin to accumulate, the pendulum of oversight will swing back, and the rules written in that environment will almost certainly be more restrictive and less workable than anything the industry could have designed for itself. The window to act on our own terms is open now. The question is whether the industry will use it.

Tom Oscherwitz is Informed’s General Counsel. He has over 25 years of experience as a senior government regulator (CFPB, U.S. Senate) and as a fintech legal executive working at the intersection of consumer data, analytics, and regulatory policy. For more, visit www.informediq.com.