A regulator already wrote down the fields you have to fill

The Fed's 2025 inventory records thirty-eight individual AI use cases as of its January 28, 2026 snapshot — sixteen deployed, seven in pilot, fifteen pre-deployment. Two are classified as generative AI; zero are flagged high-impact. One arithmetic note worth carrying, because it trips careful readers: the inventory's identifiers run from FRB-0001 to FRB-0056, so the highest ID is fifty-six. But the IDs are not contiguous — eighteen are skipped — and the true count is the rows that are present: thirty-eight, not fifty-six.

The fields are the contribution. The schema carries twenty-six metadata columns per use case, and read in order they amount to a governance dossier: a use-case identifier and name; the stage of development; whether the use case is high-impact and, if not, the justification; the AI classification — explicitly distinguishing classical or predictive machine learning, natural-language processing, and generative AI; the problem the system solves and a description of its outputs; whether it was bought from a vendor, built under contract, or developed in-house, with the vendor named; whether an Authorization to Operate exists; the data used to train, fine-tune, or evaluate the model; whether the use case involves personally identifiable information, with a link to any Privacy Impact Assessment; and whether demographic variables are used as model features.

Each field answers a governance question someone will eventually ask. Is this in production, and since when? What kind of model is it? What went into it, and can its provenance be traced? Who built it? Was it approved to go live? How material is it? A regulator did not choose these fields to satisfy curiosity. It chose them because they are the minimum facts required to govern a portfolio of models — which is precisely the task it sets for the banks it supervises.

SR 26-2, issued jointly by the Federal Reserve, the OCC, and the FDIC and effective April 17, 2026, replaced the 2011 guidance that built the model-risk canon. It is principles-based and risk-proportionate: overall model risk is inherent risk assessed against materiality, where materiality is a function of exposure and purpose. It preserves a three-pillar architecture, and those pillars are the spine of everything that follows.

Develop covers how a model came to be: design documentation, data inputs and provenance, assumptions, the intended-use scope, pre-deployment testing, third-party documentation, and change control. Validate covers whether it was checked and is watched: conceptual soundness, back-testing, and ongoing monitoring on a risk-based cadence including drift detection. Govern covers who is accountable: board and senior-management ownership, a written model-risk policy, effective challenge, internal audit, and the model inventory itself.

The model inventory is where the whole apparatus lives or dies. A comprehensive inventory is expected to carry model name, type, purpose, and owner; development methodology; key inputs and assumptions; outputs; risk-classification level; validation status and date; independent-review completion; and known limitations. A bank that cannot populate those fields, per model, on demand does not have a model inventory in the sense the guidance means. It has a list.

Set the inventory's fields beside the model inventory's required fields and the correspondence is not approximate — it is field-level. A representative slice makes the point:

The deeper reading is that the regulator and the supervised institution face the same problem and the same decomposition. A portfolio of models has to be characterized, classified by consequence, traced to its inputs, and approved before use — and the facts that decomposition needs are a small, fixed set. The Fed enumerated them for its own disclosure. A bank can lift the enumeration wholesale. The full field-by-field mapping, with the evidence mechanisms behind each cell, is in the in-depth companion.

Here is the twist. SR 26-2 draws a boundary its predecessor never had to: it places generative and agentic AI outside the formal scope of model-risk management, calling those models novel and rapidly evolving and directing banks to rely on broader risk-management practices for them instead. The reasoning is defensible — these architectures do not fit the back-testing-and-benchmark mold. But it leaves a conspicuous gap: the fastest-moving category of AI a bank is likely to deploy is the one the framework declines to govern in its own terms.

The Fed's inventory schema does not have that gap. Its AI Classification field already treats generative AI as a first-class category, and two of the Fed's thirty-eight use cases are recorded under it. The supervisor, in other words, built a disclosure field for precisely the AI category its supervisory guidance carves out. A bank told to handle generative AI under broader risk management still has to handle it somehow — and the inventory schema is a ready structure: classify the system as generative, record its purpose and outputs, trace its data, capture its vendor provenance, and run it through the same impact screen as everything else.

The practical move is direct: lift the twenty-six-field schema as the skeleton of a model-inventory template, extend it with the inventory fields the disclosure schema does not carry — risk-classification level, validation date, independent-review completion, known limitations — and the union is close to a complete model-inventory specification. Then tag each field to a pillar and wire it to a real evidence source, so the form becomes a living inventory whose every cell has a provenance an auditor can follow.

Seen this way, the Fed's inventory takes its place beside the other regulator-authored evidence schemas a governed AI program already contends with — the EU AI Act's Annex IV technical documentation chief among them. When more than one regulatory regime enumerates substantially the same metadata, the metadata is unlikely to be a compliance artifact peculiar to one rule. It reads as a recurring core of what governing an AI system requires.

The supervisor published the mirror. A regulated bank does not need to ask what its model-risk inventory should contain. It can look into the supervisor's mirror and read the fields back. The form is free; the discipline of filling each field with evidence that survives independent challenge is the work that remains — and it is the only part that was ever the point.