Current as of June 2026. Banking AI rules are moving fast: model risk guidance was rewritten in April 2026 and fair-lending enforcement was recalibrated the same month. Every date below reflects the most recent confirmed status, and uncertainty is flagged where it exists.

AI compliance for a bank is not one rulebook. It is a stack: supervisory model risk guidance, consumer-protection and fair-lending law, the securities rules that govern broker-dealers and investment advisers, the privacy and security regimes around customer data, and the EU overlays for any firm with European reach. They are layers, not options you pick between, and a program built to the strongest common methodology can satisfy several at once. As of January 2025, 54% of financial-services firms had deployed AI, up from 40% a year earlier and ahead of the cross-sector average (S&P Global, 2025). The harder problem sits underneath every layer: none were written for AI agents that take actions through tool calls.

NIST AI RMF and ISO/IEC 42001 Are the Horizontal Backbone

Every bank’s AI program should align to two horizontal instruments first: the NIST AI Risk Management Framework supplies the methodology, and ISO/IEC 42001 supplies the certifiable management system. NIST AI RMF organizes risk work into four functions, Govern, Map, Measure, and Manage (NIST, 2024). ISO/IEC 42001, published December 2023, is the first AI management system standard an external auditor can certify against (ISO, 2023).

These map cleanly onto how banks already work. A bank that runs model validation and three-lines-of-defense governance recognizes NIST’s structure immediately, and a 42001 certificate gives procurement and regulators an external proof point. They are the connective tissue across the sector-specific rules below, none of which provides a single, certifiable management system on its own.

Model Risk Management Is the Center of Gravity, and It Just Got Rewritten

Model risk management is where AI compliance in banking concentrates, and the governing guidance changed in April 2026. SR 26-2, issued jointly by the Federal Reserve, OCC, and FDIC, supersedes the long-standing SR 11-7 framework and reaffirms the core discipline: model inventories, independent validation, ongoing monitoring, and governance of third-party models, scaled to an institution’s size and risk profile (Federal Reserve SR 26-2, 2026). It is most relevant to banks with more than 30 billion dollars in assets.

The detail that matters most for AI is what SR 26-2 leaves out. The guidance explicitly places generative and agentic AI outside its scope, calling them novel and rapidly evolving, and directs institutions to apply existing risk-management principles while the Federal Reserve solicits input. The newest model-risk guidance in 15 years openly declines to govern the AI banks are now racing to deploy. Credit underwriting models, market-risk models, and Bank Secrecy Act and anti-money-laundering models all sit squarely inside SR 26-2. The agent that chains those models together does not.

The FFIEC Handbooks Govern the Stack AI Runs On

The FFIEC IT Examination Handbook sets the control expectations for the technology an AI system runs on, from infrastructure and security to development, change management, and resilience (FFIEC, 2024). An examiner reviewing a bank’s AI deployment looks at the same control domains that govern any production system: access control, secure development, and operational resilience.

Third-party risk is the part banks most often underbuild for AI. Outsourcing a model to a vendor, an AI model provider, or a managed analytics platform does not transfer the risk or the accountability. The bank remains responsible for the vendor’s controls, its data handling, and its failure modes. An AI model accessed through a third-party API is a third-party relationship the FFIEC framework expects the bank to govern directly, not a black box the bank can disclaim.

ECOA and Regulation B Still Demand a Reason for Every Denial

A bank that denies credit must give the applicant specific, accurate reasons, and the Equal Credit Opportunity Act (ECOA) and Regulation B impose that duty regardless of how the decision was made (Regulation B, eCFR, 2025). Model opacity is not a defense. The CFPB confirmed in 2022 that this applies to complex algorithms, stating that creditors cannot use uninterpretable models as an excuse for failing to identify the principal reasons for an adverse action (CFPB, 2022).

The enforcement posture has since shifted. In April 2026 the CFPB finalized a rule narrowing ECOA enforcement, removing disparate-impact liability and refocusing on intentional discrimination (ABA Banking Journal, 2026). The adverse-action notice requirement itself did not go away, and state attorneys general and state regulators continue to apply disparate-impact theory. For AI credit models, the practical obligation stands: a bank has to be able to produce the specific reasons behind every automated denial, which means it has to understand and log what its models did.

GLBA and the FTC Safeguards Rule Govern Customer Data in AI

Customer financial data carried into an AI tool is still governed by the Gramm-Leach-Bliley Act (GLBA) and, for many non-bank financial institutions, the FTC Safeguards Rule, which require privacy protections and a written information security program (FTC, 2024). The channel is new. The obligation is not.

An analyst pasting account data into a consumer chatbot, or a model trained on customer records without the right safeguards, is a GLBA exposure through a new path. These rules govern the data itself, which means AI use has to respect existing privacy notices, opt-outs, and security controls. The compliance work is concrete: detect customer financial data as it moves toward an AI tool, and enforce the firm’s controls before it leaves a boundary GLBA cares about.

FINRA Rules Are Technology-Neutral, So They Already Cover AI

Broker-dealers do not get a separate rulebook for AI, because FINRA’s rules are technology-neutral and apply to generative AI exactly as they apply to any other tool. Regulatory Notice 24-09 reminds member firms that supervision, communications, recordkeeping, and privacy obligations all attach to AI-mediated activity, whether the tool is built in-house or licensed from a vendor (FINRA, 2024). Under Rule 3110, a firm using AI in its business needs a reasonably designed supervisory system that covers it.

FINRA has since extended the point to agents. Its 2026 oversight report flags that AI agents may call for supervisory processes specific to the agent’s scope, including how to monitor agent system access and data handling and where to place human-in-the-loop oversight (FINRA, 2026). The supervision duty does not shrink when the actor is an agent. It gets harder to discharge.

The SEC Treats AI Claims as Securities Claims

An investment adviser that overstates its AI is exposed to securities-fraud liability, not just reputational risk. In March 2024 the SEC brought its first AI-washing enforcement actions against two advisers, Delphia and Global Predictions, for false and misleading statements about their use of AI, charging violations of the Advisers Act and the Marketing Rule and imposing 400,000 dollars in total penalties (SEC, 2024). The agency has since brought AI-washing charges against a public company as well.

The lesson for any firm marketing AI capabilities is that the representation has to match the reality, and the firm has to be able to substantiate it. The SEC applied longstanding antifraud and marketing rules to AI claims rather than waiting for AI-specific law, which means the exposure already exists. The same Compliance Rule that requires written policies to prevent marketing violations now extends to how a firm describes its models.

EU and Global Overlays: Annex III, EBA, and Basel

For any bank with European reach, AI used to assess creditworthiness is high-risk under the EU AI Act, carrying obligations on risk management, data quality, documentation, logging, transparency, and human oversight (EU AI Act Annex III, 2024). The Act is extraterritorial, so a US bank serving EU customers is in scope. Fines reach 35 million euros or 7% of global annual turnover at the top tier.

Two prudential references round out the EU picture. The European Banking Authority has published guidance on using machine learning in internal ratings-based (IRB) models, covering data quality, transparency, validation, and monitoring (EBA, 2023). The Basel Committee has flagged prudential concerns about AI and machine learning, including opacity, bias, and stability, that feed into supervisory expectations. Both reinforce the same theme as SR 26-2: a model used in a regulated decision has to be explainable, validated, and monitored.

How the Banking AI Compliance Stack Lines Up

Each layer of the banking stack governs a different thing, and almost none of it reaches autonomous agents. The table below maps what each instrument governs, whether it is mandatory, and how far it extends into agentic AI. The pattern is consistent, and SR 26-2 makes it explicit by carving agents out by name.

Read down the last column. Every instrument was built for a person operating the model. The agent that acts on its own is either unaddressed or, in the case of SR 26-2, deliberately left for later.

Every Framework Assumes a Banker at the Keyboard, and Agents Broke That Assumption

The banking frameworks all assume a person operates and oversees the AI, and AI agents acting through Model Context Protocol (MCP) tool calls remove that person from the chain. MCP is the open standard that lets an agent connect to external tools, core systems, and data sources and act through them. An agent that pulls a customer record, runs a model, and drafts a decision is taking actions no banker reviewed in the moment.

This is the hinge. SR 26-2’s validation and monitoring assume a model a person deploys and oversees. ECOA assumes a creditor who can explain a decision. FINRA’s supervision rule assumes a supervisable human workflow. The SEC’s disclosure rules assume a firm describing what it does. An agent chaining tool calls across a bank satisfies none of those assumptions cleanly, because the action surface moved from a screen a person reads to a tool call that fires in milliseconds. Singapore’s Infocomm Media Development Authority launched the first governance framework written specifically for autonomous AI agents in January 2026, the first official signal that the existing stack does not reach agents. The control for that gap has to come from architecture, not the frameworks.

You Cannot Comply With What You Cannot See

Aurascape catalogues more than 20,000 AI applications and ships production-ready connectors within 48 hours of a new tool appearing, which is the inventory layer the banking frameworks assume an institution already has (Aurascape Product Brief, 2026). Banks run model inventories, but those inventories track sanctioned models, not the AI employees adopt on their own.

Discovery is where the policy meets reality. A bank can have a model risk program and an AI policy and still be blind to the personal ChatGPT accounts analysts use, the AI features switched on inside an approved SaaS tool, and the copilots staff enabled without asking. Aurascape secures user activity across tens of thousands of AI apps with prompt and response decoding and automated remediation, the inventory-plus-enforcement combination the frameworks assume is in place. A model inventory that excludes the shadow AI on the network is incomplete by definition.

Sensitive Data Controls Operationalize GLBA and Privacy at the Prompt

Aurascape’s real-time, multimodal data classification catches regulated customer data at the prompt, before it reaches any external AI service, because GLBA and privacy rules attach the moment that data moves toward an AI tool. The financial sector had the second-highest average breach cost at 5.56 million dollars in 2025 (IBM Cost of a Data Breach Report, 2025). The AI Proxy inspects prompts, responses, file uploads, and multi-turn conversations, then enforces policy inline: allow, block, redact, or coach.

Sensitive Data Fingerprinting tags account numbers, cardholder data, and other regulated content so enforcement is context-aware rather than blunt. In the Police Credit Union deployment, conversation-level guardrails operating in the live path cut AI risk by 83% and delivered NCUA compliance readiness, for an institution that had seriously considered banning generative AI entirely. That is the inventory-plus-enforcement pairing GLBA implies but does not provide.

Audit Logging Is How You Prove It to an Examiner

SR 26-2 model validation, FINRA recordkeeping, and the EU AI Act all treat traceable records as an evidence requirement, not a best practice. Aurascape generates audit-ready, conversation-level logs of every AI interaction: what was prompted, what was returned, what data was involved, and what policy decision fired. The Police Credit Union deployment produced exactly that, with examiner-ready interaction logs a regulator could review directly.

This is the difference between asserting governance and demonstrating it. An OCR-style fair-lending review, a FINRA examination, a model validation file, and an EU AI Act assessment all want the same thing: a traceable record that the stated controls actually ran. Decoded interaction histories and policy-decision logs are that record. The platform does not make a bank compliant and does not replace legal counsel. It produces the evidence compliance, risk, and legal teams use to demonstrate the controls were in place and enforced.

Copilot Readiness Helps Closes the Privacy Gap

Microsoft 365 Copilot and similar Embedded AI tools surface everything a user can technically reach, which turns a tolerable permissions mess into a live GLBA exposure the moment someone runs a cross-department summary prompt. Aurascape’s Copilot Readiness module finds overshared permissions before a rollout, Copilot Oversight monitors live usage, and Copilot Unlearning removes sensitive data already ingested by the AI system.

In a bank, a permissions structure that staff navigated one file at a time becomes a privacy and confidentiality problem when a copilot can summarize across all of it in one prompt. Finding the oversharing before go-live is the readiness step. Monitoring usage and removing exposed data afterward is the ongoing control. All three map to the data-protection duties GLBA and the EU AI Act impose on the channel copilots opened.

The Zero-Bypass MCP Gateway Is the Control the Frameworks Are Missing

Only 31% of organizations say they are fully equipped to control and secure agentic AI systems, even as 83% plan to deploy them (Cisco AI Readiness Index, 2025), and the gap is structural: the banking frameworks assume a human oversees the action, and SR 26-2 leaves agents out by name. Aurascape’s Zero-Bypass MCP Gateway inspects, verifies, signs, and controls every Model Context Protocol tool call, API invocation, and data retrieval before an agent reaches any external system. Secure Agentic AI wraps the rest of the lifecycle: pre-build adversarial testing, Code Path and CVE Detection, and Safe Output Governance at runtime.

Where the frameworks assume a banker in the loop, the Gateway treats the agent as a privileged user and inspects both legs of its behavior: the agent-to-model leg and the agent-to-tool leg. The control fires at the tool call itself, where an agent reaches a core system or external service, not at a network destination the agent already moved past.

Auri Gives Compliance Teams the Evidence Without the Console

Auri, Aurascape’s natural-language agent, gives risk, compliance, and legal teams role-based access to AI activity records, summaries, and audit evidence through plain-language questions, with no dashboard login or query syntax required (Aurascape, 2026). The people who own the model risk or fair-lending obligation are rarely the people who run the security tooling.

A model risk officer preparing for a validation review, or a compliance lead readying a FINRA examination, needs to pull relevant interaction records and policy decisions on their own timeline. Self-service, role-bound access to that evidence lets the second and third lines of defense operate the program rather than filing a ticket and waiting on the security team for every request.

The Stack Holds, but Only If Something Watches the Agents

The banking frameworks cover the human-operated AI surface well when a bank builds to them together: NIST AI RMF as the methodology, ISO/IEC 42001 as the external proof, SR 26-2 for model risk, ECOA and the securities rules for conduct, and GLBA for data. The crosswalks are real, and a bank that builds to the strongest common denominator can satisfy several layers without duplicating the work.

The stack’s one structural gap is the agent. Only one in five companies has a mature model for governing autonomous AI agents, even as agentic AI use is set to rise sharply (Deloitte State of AI in the Enterprise, 2026). SR 26-2 is the clearest evidence: the newest model-risk guidance names generative and agentic AI only to place them outside its scope. Gartner predicts guardian agents will capture 10 to 15% of the agentic AI market by 2030, establishing AI-on-AI governance as a defined category (Gartner, 2025). Until supervisory guidance catches up, the control for autonomous banking AI has to come from architecture that inspects the tool call directly.

Frequently Asked Questions

Does SR 26-2 cover generative and agentic AI?

No. SR 26-2, the April 2026 interagency model risk guidance that replaced SR 11-7, explicitly places generative and agentic AI outside its scope, describing them as novel and rapidly evolving. It directs banks to apply existing risk-management principles to those systems while the Federal Reserve gathers input. The core model risk disciplines, inventory, validation, and monitoring, still apply to traditional and machine-learning models.

Can a bank use a black-box AI model for credit decisions?

Only if it can still produce the specific, principal reasons for each adverse action. ECOA and Regulation B require that statement regardless of the technology used, and the CFPB confirmed in 2022 that model complexity is not a defense. A bank that cannot explain why a model denied an applicant has a compliance problem, even after the 2026 narrowing of fair-lending enforcement.

Do FINRA rules apply to AI used by broker-dealers?

Yes. FINRA’s rules are technology-neutral, so supervision, communications, recordkeeping, and privacy obligations apply to AI exactly as they apply to any other tool, whether the AI is built in-house or licensed. Regulatory Notice 24-09 makes this explicit, and FINRA’s 2026 oversight report extends the point to AI agents and the supervision they require.

What is AI-washing and why does the SEC care?

AI-washing is making false or exaggerated claims about using AI. The SEC treats it as securities fraud: in March 2024 it charged two investment advisers under the Advisers Act and the Marketing Rule for overstating their AI use, with 400,000 dollars in total penalties. Any firm marketing AI capabilities has to be able to substantiate the claim.

Does the EU AI Act apply to a US bank?

Yes, if the bank’s AI affects people in the EU. The Act is extraterritorial, and AI used to assess creditworthiness is high-risk under Annex III, carrying obligations on risk management, data quality, logging, transparency, and human oversight. Physical presence in the EU is not the trigger; the reach of the AI’s output is.

Does outsourcing AI to a vendor transfer the risk?

No. Using a third-party AI model or platform does not transfer the bank’s accountability for its controls, data handling, or failure modes. The FFIEC framework expects the bank to govern the third-party relationship directly, including AI accessed through an external model provider’s API. The vendor’s model is the bank’s risk.

Does an ISO/IEC 42001 certificate satisfy banking regulators?

No. ISO/IEC 42001 is a voluntary management-system certification. Supervisory guidance like SR 26-2, and binding rules from the CFPB, FINRA, the SEC, and the EU, each have their own requirements. A 42001 certificate strengthens governance evidence and can streamline parts of an exam, but it does not substitute for any of them.

Can a security platform make my bank compliant?

No. A platform like Aurascape operationalizes and evidences compliance: it discovers AI use, enforces data controls at the prompt, governs agent tool calls, and produces audit-ready records. Compliance itself is a legal and supervisory determination that requires counsel and formal assessment. Tooling supports and demonstrates it but does not replace either.

How Aurascape Operationalizes Banking AI Compliance Across Every AI Interaction

Aurascape’s Zero-Bypass MCP Gateway inspects, verifies, and signs every agent tool call before it executes, closing the gap the banking frameworks leave open: autonomous agents acting through Model Context Protocol connections that existing SSE, SASE, and DLP controls never see, and that SR 26-2 explicitly leaves for later. The platform discovers every AI app and agent including shadow and Embedded AI, classifies and controls regulated customer data inline before it reaches an external tool, and produces the conversation-level audit records that model validation, FINRA recordkeeping, and the EU AI Act require.

For the agentic surface specifically, Secure Agentic AI adds adversarial testing and runtime guardrails across the full agent lifecycle, from pre-build Code Path and CVE Detection through Safe Output Governance at runtime. The platform sits alongside an existing SSE, SASE, or DLP stack rather than replacing it, and Auri gives compliance teams self-service, natural-language access to the evidence. Aurascape does not make a bank compliant or replace legal counsel. It operationalizes the controls and produces the proof that risk, compliance, and legal teams use to demonstrate the program is real.

This page is one of a set. For the cross-industry version, see AI Compliance Frameworks, Standards, and Governance for Enterprise AI.

---

Aurascape is the AI-native control layer for the one place the banking compliance stack still goes blind: autonomous agents acting through tool calls your existing controls never see. Every deployment runs through a tailored demo with your security team.

See how Aurascape governs every AI interaction in the live path →