Engagement Overview
A rapid, fixed-fee assessment that maps your institution's AI governance posture against the revised federal model risk guidance and the financial sector's 230-control-objective framework. Delivered in three weeks. Board-ready on day twenty-one.
On April 17, 2026, the Federal Reserve, OCC, and FDIC jointly issued SR 26-2, replacing SR 11-7 for the first time in 15 years. While formally scoped to institutions above $30 billion in assets, the revised guidance establishes the supervisory baseline that examiners, auditors, and counterparties now reference regardless of institution size. Any bank with a meaningful AI footprint, vendor-managed models, or employee-facing GenAI tools operates under these expectations in practice. Generative AI and agentic AI were explicitly excluded from scope, creating what the industry calls the "GenAI Gap."
The question is no longer whether your institution needs an AI governance program. It is whether your current program can survive the first examination under the new guidance.
After three weeks, your institution will have clear, documented answers to three questions that every board, risk committee, and examiner will ask:
What AI do we have? A complete inventory of every model, vendor AI tool, and employee-facing GenAI deployment, classified under SR 26-2's three-tier materiality framework.
Where are the gaps? A control-by-control gap analysis benchmarked against the CRI FS AI RMF's 230 control objectives, mapped to your institution's adoption stage, with cross-references to SR 26-2, EU AI Act, ISO 42001, and NIST AI RMF.
What do we do first? A prioritized 90-day remediation roadmap sequenced by regulatory exposure, starting with the 21 baseline controls every institution needs regardless of size or complexity.
Discovery & Inventory
Kickoff session with your risk, technology, and compliance leads. Access to existing model inventories, vendor registers, and AI usage policies. If no formal inventory exists, that finding itself is documented as the first control gap (CRI GV-1.6.1). Every AI system classified into SR 26-2's three tiers: traditional models (full MRM scope), non-model tools (excluded), and GenAI/agentic AI (the Gap). Shadow AI discovery across business units. Employee-facing GenAI tools mapped and risk-classified.
Gap Analysis & GenAI Exposure
Current governance practices benchmarked against the CRI FS AI RMF's control objectives at your adoption stage, cross-referenced to 20 regulatory frameworks. The Invictera Cross-Framework Mapping provides the analytical backbone. GenAI exposure documented: every generative AI tool operating outside SR 26-2's scope, assessed against enterprise risk governance requirements. Specific control failures identified with remediation priority.
Roadmap & Executive Briefing
Prioritized 90-day remediation plan mapped to CRI adoption stages: the 21 Initial controls first, then the 105 Minimal controls within 90 days. Each action item assigned an owner, timeline, and evidence requirement aligned to examination expectations. Board-ready presentation delivered to your CRO, CISO, and governance leadership. Findings, risk exposure, and the remediation roadmap presented in the format examiners and audit committees expect.
AI/ML Model Inventory
Complete inventory with SR 26-2 materiality classification. Traditional models, non-model tools, and GenAI systems mapped and risk-tiered.
CRI FS AI RMF Gap Analysis
Control-by-control assessment against the 230-objective framework, benchmarked to your adoption stage, with cross-framework regulatory mapping.
GenAI Exposure Report
Assessment of every generative AI tool operating in the "GenAI Gap" outside SR 26-2 scope. Enterprise risk governance recommendations.
90-Day Remediation Roadmap
Prioritized action plan sequenced by regulatory exposure. Mapped to CRI adoption stages with owner assignments and evidence requirements.
Executive Briefing
Board-ready presentation. Findings, risk posture, and remediation plan in the format examiners and audit committees expect.
Cross-Framework Compliance Map
Your institution's controls mapped across SR 26-2, NIST AI RMF, EU AI Act, ISO 42001, and applicable state and international frameworks.
Invictera is not a generalist consulting firm advising on AI governance from a slide deck. We built the infrastructure practitioners use to navigate the regulatory landscape.
We published the interactive cross-framework mapping that connects the CRI FS AI RMF's 230 control objectives to SR 26-2, EU AI Act, ISO 42001, DORA, and 16 other regulatory frameworks. We shipped six certification preparation platforms to the App Store, including the AIGP Exam Prep application for AI governance practitioners. The diagnostic applies the same analytical rigor to your institution's specific governance posture.
The diagnostic is scoped as a fixed-fee engagement with a defined timeline and concrete deliverables. Initial conversations typically run 20 minutes and focus on your institution's current AI footprint and regulatory exposure.
Invictera maintains strict confidentiality protocols. All preliminary discussions occur under non-disclosure terms. Viewing this page does not create a client relationship or advisory obligation. All engagements are governed by a separate written agreement. See Terms of Service.