Topic Hub
Model risk management, regulatory compliance, and governance architecture for LLMs and agentic AI in banking and financial services — from SR 11-7 to production audit trails.
SR 11-7 / SR 26-2 applied to LLMs and agentic AI
Audit trails, prompt versioning, and human-in-the-loop controls
OCC, CFPB, and EU AI Act compliance architecture
John Boyd designed the OODA loop for fighter pilots making life-or-death decisions in milliseconds with incomplete information. It turns out this is a better mental model for production AI agents than the ReAct loop — especially in high-stakes, time-pressured environments where agents need to fail fast, course-correct, and maintain situational awareness across a multi-step decision horizon.
SR 11-7 is 15 years old and SR 26-2 explicitly excluded generative AI from its scope. Banks are now governing their most powerful AI systems against a framework that was never designed for them. Here's the practitioner guide to what model risk management actually looks like when you apply it to LLMs, RAG pipelines, and agentic AI.
The OCC's Spring 2026 Risk Perspective and Fed Vice Chair Bowman's governance speech mark a turning point: existing model risk guidance doesn't cover generative or agentic AI, and formal new rules are coming. Here's what that regulatory gap means for bank AI architecture today.
Most AI architecture guides are written for startups deploying on greenfield infrastructure. Financial services has different constraints: regulatory audit requirements, latency SLAs on core banking integrations, data residency rules, fair lending exposure, and model risk governance. This is the pattern library for AI architects building production systems inside those constraints.
Row-based ML catches individual bad actors but misses coordinated fraud rings. Graph Neural Networks propagate relational context through transaction networks — here's the architecture, the PyTorch Geometric code, and the production gotchas that matter more than model choice.
OpenAI published its Frontier Governance Framework on May 28, mapping safety practices to the California Transparency in Frontier AI Act and the EU AI Act Code of Practice — and for enterprise teams in regulated industries, a vendor compliance document cuts both ways.
Deloitte, PwC, and KPMG have committed 1.1M professionals to Claude Managed Agents within 60 days of each other. The benchmark race is over. The governance race just started.
Colorado's last-minute repeal of its AI Act — replaced with a disclosure-only framework — reveals the underlying instability of state-by-state AI compliance strategies. Here's what the 1,561-bill patchwork means for enterprise AI teams.
Google I/O 2026 shipped a complete agent stack — Gemini 3.5 Flash, Managed Agents API, Antigravity 2.0, and Agent Identity. The ephemeral-by-default execution architecture is elegant engineering and a potential compliance trap for any regulated industry running AI at decision-level stakes.
On May 7, 2026, EU lawmakers agreed to delay high-risk AI Act obligations for banking and financial services from August 2026 to December 2027. Here's why treating that extension as a gift is exactly the wrong call.
Enterprise agent hubs can simplify governance, but they also create concentration risk when one platform controls orchestration, identity, policy, and model routing. This guide explains how to design an agent hub architecture that preserves portability, auditability, and resilience.
Fiserv just launched an agentic AI operating system natively wired into its core banking stack — and the governance, policy enforcement, and audit trail all live in the vendor layer. That's not just a product announcement; it's the moment your core vendor became your AI risk manager.
Bhanu Pratap Singh