Governance Is Not a Prompt

· Source: Agus’s Substack · Field: Legal & Regulatory — Compliance & Risk Management, Regulatory Affairs & Government Relations, Artificial Intelligence & Machine Learning · Depth: Advanced, long

Summary

On April 17, 2026, the Federal Reserve, OCC, and FDIC issued SR 26-2, new interagency guidance on model risk management that replaces the 15-year-old SR 11-7 and notably excludes agentic AI from its scope. That exclusion signals that the existing model risk management paradigm is insufficient for agentic AI, which operates as a system that uses models to perceive, reason, plan, and act across multiple steps, often autonomously. Current industry practices, such as strong system prompts, flat-file memory, and LLM-based judges, are deemed inadequate for serious governance in high-risk sectors like banking, healthcare, and law: they provide "soft influence" rather than the "hard control" required for systems that can make consequential decisions. The regulators have left the governance of agentic AI open for future rulemaking, indicating a need for a new, robust framework.

Key takeaway

For CTOs and VPs of Engineering/Data developing or deploying agentic AI in regulated environments, recognize that current "standard harness" governance approaches are insufficient. You must prioritize building external, auditable governance structures that enforce policies deterministically, rather than relying on probabilistic model interpretations. This shift is critical to avoid regulatory exposure and ensure true accountability, moving beyond the appearance of compliance to substantive control.

Key insights

Existing model risk management frameworks are inadequate for agentic AI, necessitating a new governance paradigm focused on external, enforceable controls.

Method

A governed agentic architecture externalizes policies into structured, executable rules; keeps authoritative state with provenance; verifies typed inputs and outputs; gates actions before they execute; and constrains workflows with behavioral contracts.
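As an added illustration of the method above (not the article's or AIssential's code), the following Python sketch shows what "hard control" looks like when policy lives outside the prompt: a proposed action is type-checked against a schema, evaluated against deterministic rules with default deny, and every decision is recorded in a hash-chained ledger for provenance. The tool names, schemas, rules, and sample actions are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Any, Callable
import hashlib
import json

# Constructed example: a deterministic action gate that sits between the agent
# and its tools. Tool names, schemas, rules and sample actions are assumptions.


@dataclass(frozen=True)
class Action:
    """An action the agent proposes; nothing executes until the gate allows it."""
    tool: str
    args: dict[str, Any]
    actor: str  # identity of the agent proposing the action


@dataclass(frozen=True)
class Rule:
    """Policy as data: a name, the tool it governs, and a pure predicate."""
    name: str
    tool: str
    permit: Callable[[Action], bool]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed: tuple[str, ...]  # rule names (or "type:<arg>") that blocked the action
    entry_hash: str          # hash of the ledger entry recording this decision


def type_errors(action: Action, schema: dict[str, type]) -> list[str]:
    """Typed verification: every declared argument must be present and of the
    declared type; undeclared arguments are rejected. bool never passes as int."""
    errors: list[str] = []
    for name, expected in schema.items():
        if name not in action.args:
            errors.append(f"type:{name}")
            continue
        value = action.args[name]
        bad_bool = isinstance(value, bool) and expected is not bool
        if bad_bool or not isinstance(value, expected):
            errors.append(f"type:{name}")
    errors.extend(f"type:{name}" for name in action.args if name not in schema)
    return errors


def _digest(body: dict[str, Any]) -> str:
    return hashlib.sha256(json.dumps(body, sort_keys=True, default=str).encode()).hexdigest()


class PolicyGate:
    """Evaluates actions against externalized rules and keeps an append-only,
    hash-chained ledger so every allow/deny decision has provenance."""

    def __init__(self, schemas: dict[str, dict[str, type]], rules: list[Rule]):
        self.schemas = schemas
        self.rules = rules
        self.ledger: list[dict[str, Any]] = []

    def evaluate(self, action: Action) -> Decision:
        failed: list[str] = []
        schema = self.schemas.get(action.tool)
        if schema is None:
            failed.append("unknown_tool")  # default deny for anything not modelled
        else:
            failed.extend(type_errors(action, schema))
            if not failed:  # rules only ever see well-typed input
                failed.extend(r.name for r in self.rules
                              if r.tool == action.tool and not r.permit(action))
        allowed = not failed
        return Decision(allowed, tuple(failed), self._record(action, allowed, failed))

    def _record(self, action: Action, allowed: bool, failed: list[str]) -> str:
        prev = self.ledger[-1]["hash"] if self.ledger else "0" * 64
        body = {"prev": prev, "actor": action.actor, "tool": action.tool,
                "args": action.args, "allowed": allowed, "failed": failed}
        digest = _digest(body)
        self.ledger.append({**body, "hash": digest})
        return digest

    def ledger_intact(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for entry in self.ledger:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def build_gate() -> PolicyGate:
    """Constructed policy for a toy banking agent (assumed limits, not real ones)."""
    schemas = {
        "wire_transfer": {"amount": int, "account": str, "currency": str},
        "send_email": {"to": str, "body": str},
    }
    rules = [
        Rule("max_amount", "wire_transfer", lambda a: a.args["amount"] <= 10_000),
        Rule("usd_only", "wire_transfer", lambda a: a.args["currency"] == "USD"),
        Rule("internal_recipients", "send_email",
             lambda a: a.args["to"].endswith("@example.com")),
    ]
    return PolicyGate(schemas, rules)


if __name__ == "__main__":
    gate = build_gate()
    for act in [
        Action("wire_transfer", {"amount": 500, "account": "ACC-1", "currency": "USD"}, "agent-7"),
        Action("wire_transfer", {"amount": 50_000, "account": "ACC-1", "currency": "EUR"}, "agent-7"),
        Action("wire_transfer", {"amount": "500", "account": "ACC-1", "currency": "USD"}, "agent-7"),
        Action("delete_ledger", {}, "agent-7"),
    ]:
        print(act.tool, gate.evaluate(act))
    print("ledger intact:", gate.ledger_intact())
```

The point of the design is that the model's output is only a proposal: the gate, not the prompt, decides, and its decision is reproducible from the rule set and the ledger rather than from how the model happened to interpret an instruction.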

Best for: CTO, VP of Engineering/Data, Executive, Legal Professional, Policy Maker, Director of AI/ML

Editorial summary, takeaway, and curation by AIssential. Original article published by Agus’s Substack.