Agentic AI in Banking: What It Means and What the OCC Is Watching
Agentic AI takes actions, not just outputs. The April 2026 model risk guidance explicitly excludes it — and a separate AI RFI is coming. Here is what community banks need to know now.
REGULATORY UPDATE (JUNE 2026): The April 2026 interagency model risk guidance (OCC Bulletin 2026-13) explicitly excludes generative and agentic AI from its scope. A separate RFI specifically addressing these systems has been announced but not yet issued as of June 2026. The OCC's May 2026 Semiannual Risk Perspective report addressed agentic AI directly for the first time, expressing support for a measured approach while flagging governance and oversight as unresolved concerns. This post reflects the most current regulatory position available.
TL;DR
Agentic AI is different from the AI tools most community banks already use. It acts autonomously across multi-step workflows rather than producing a single output for a human to review. The April 2026 model risk guidance explicitly excluded agentic AI from its scope and signaled a forthcoming RFI. The OCC's May 2026 risk report addressed it directly. Banks that begin documenting their agentic AI exposure now will be better positioned when formal requirements arrive than those who wait.
A June 2026 survey found that 72% of banks consider themselves unprepared for an AI failure. That number is striking on its own. It becomes more significant in the context of what the same survey found about deployment: the banks expressing the most concern about AI failures are also the ones deploying AI most aggressively in credit decisioning, fraud detection, and customer operations.
The tension is not that banks are moving recklessly. It is that governance frameworks have not kept pace with deployment. The April 2026 interagency model risk guidance addressed traditional quantitative models and left generative and agentic AI explicitly out of scope. The agencies acknowledged the gap directly and announced an RFI is coming. In the interim, examiners are already asking questions about AI in examinations even though the formal framework for answering those questions has not yet been written.
For community bank COOs, CTOs, and compliance officers, the practical question is not whether agentic AI governance will be required. It is what to build now so the bank is not starting from scratch when formal requirements arrive.
What Makes Agentic AI Different
The word agentic describes a specific characteristic of an AI system: the ability to pursue a goal autonomously across multiple steps, using tools, taking actions, and adjusting behavior based on intermediate results. Standard AI tools respond to a single prompt or input and produce a single output. A document extraction model receives a PDF and returns structured data. A credit scoring model receives applicant data and returns a risk score. A fraud detection model receives a transaction and returns a risk flag. In each case, the AI produces an output and stops. A human decides what to do with that output.
An agentic AI system does not stop at an output. It receives a goal, determines what steps are needed to achieve it, takes those steps, uses tools along the way, and produces downstream effects as part of normal operation. The difference in risk profile is not subtle.
Traditional AI vs. Generative AI vs. Agentic AI

Where Community Banks Are Already Encountering Agentic AI
The practical challenge is that agentic AI is entering community banking through vendor products rather than internal builds. Banks are not typically writing their own agentic systems. They are purchasing products from core providers, fintech vendors, and compliance technology companies that have embedded agentic capabilities without always labeling them as such.
A system is effectively agentic if it takes an action rather than producing a recommendation that a human then acts on. That distinction is the one that matters for governance purposes, and it is often not clearly disclosed in vendor documentation.
Loan workflow automation
Automated loan intake systems that collect documents, check for completeness, route files to underwriters, and send status communications to applicants can operate agentically if they take those actions without a human review step between each one. Most community banks would describe these as workflow tools. Functionally, they may be agentic systems with limited human oversight checkpoints.
BSA/AML alert triage with auto-escalation
Transaction monitoring systems that not only score alerts but automatically route cases, send internal notifications, and update case management records without analyst initiation are operating agentically in the triage workflow. The underlying model governs which actions the system takes, not just what it flags for review.
Customer-facing inquiry handling
AI-assisted customer service tools that can look up account information, initiate certain transactions, and respond to customer requests without a human reviewing each interaction before the response is sent are agentic in their customer impact. Even if the bank considers these tools low-risk, the governance question of what actions they can take and what stops them from taking the wrong one applies equally.
Vendor-embedded AI in purchased products
Core providers, BSA/AML platforms, and loan origination systems increasingly embed AI capabilities in standard product features. When those capabilities include automated actions, the bank is operating agentic AI without necessarily having made that designation. Reviewing vendor release notes and product documentation for new AI capabilities is becoming a routine governance task rather than an occasional technology assessment.
What the April 2026 Guidance Says (and Doesn't Say)
OCC Bulletin 2026-13, issued April 17, 2026, explicitly states that generative and agentic AI models are novel and rapidly evolving and therefore not within the scope of the guidance. The bulletin notes that banks should continue to rely on broader risk management and governance practices for these systems. A separate RFI addressing AI, including generative and agentic AI, is planned but had not been issued as of June 2026. For a full treatment of what the April 2026 guidance does cover for traditional models, see the post on AI governance for community banks.
The OCC's May 2026 Semiannual Risk Perspective introduced a more direct treatment of agentic AI than any previous OCC publication. The report expressed support for banks' measured approach to integrating agentic AI into operations while maintaining guardrails and human oversight. It also flagged governance as an unresolved concern and indicated that banks may consider expanding agentic AI use to material financial decisions, with appropriate controls.
Federal Reserve Vice Chair for Supervision Michelle Bowman separately called for an assessment of whether existing AI supervisory guidance is fit for the future, noting explicitly that the amended model risk guidance does not extend to generative or agentic AI.
The explicit exclusion of agentic AI from OCC Bulletin 2026-13 does not mean agentic AI is unregulated. It means the consolidated model risk framework does not currently apply. Banks deploying agentic AI still operate under consumer protection law, fair lending requirements, BSA/AML obligations, and general safety and soundness expectations. Examiners are already asking about AI in examinations. The absence of a formal AI governance framework does not prevent examination scrutiny of AI-related risks.
What Governance to Build Before the RFI Arrives
The practical advantage available to community banks right now is time. The RFI has not been issued. Formal requirements have not been written. Banks that use this period to build basic agentic AI governance documentation will be in a materially better position than those who wait for formal requirements before beginning.
Inventory agentic capabilities in existing vendor products
For each vendor product the bank relies on, review recent release notes and product documentation for any capabilities described as automated actions, autonomous workflow steps, or AI-initiated processes. Document which products have these capabilities, what actions they can take, under what conditions, and what human oversight exists before those actions occur. This inventory does not require technical depth. It requires asking the vendor: what can this system initiate without a human approving the specific action first? The answer defines the agentic surface the bank needs to govern.
Define the human review requirement for consequential actions
Before any agentic system is permitted to take an action that affects a customer account, a regulatory record, a financial transaction, or a risk classification, the bank should define in writing what human review is required. This can start as a brief internal memo that answers three questions: what actions can the system initiate, what approval or oversight exists before each action, and what does the bank do when the system takes an unexpected action?
Extend vendor due diligence to agentic capabilities
Third-party risk management processes need to be updated to ask AI governance questions. When reviewing vendor contracts and conducting annual third-party reviews, the relevant questions now include: what AI capabilities does this product use, what actions can those capabilities initiate, what governance and testing has the vendor conducted, and how will the bank be notified if AI capabilities change in future releases.
Prepare to respond to the RFI
When the AI-specific RFI is issued, community banks will have an opportunity to provide feedback on what proportionate governance looks like for institutions without dedicated AI teams. Banks that have been documenting their agentic AI exposure will have specific, grounded input to contribute. The RFI comment period is one of the mechanisms through which proportionate regulation for community bank scale gets established.
Why This Is Particularly Relevant for Community Banks
Large banks have dedicated AI governance teams, model risk officers, and legal resources assigned to tracking AI regulation. Community banks have none of those. The forthcoming AI governance framework will be written primarily in response to what large banks are doing, and community banks will need to implement it with a fraction of the resources.
The banks best positioned when formal requirements arrive are not necessarily the most sophisticated AI users. They are the ones that have done the basic documentation work: they know what AI their vendors have embedded in their products, they have defined what human oversight exists for automated actions, and they have assigned someone responsibility for monitoring how AI capabilities change over time.
That work is not technically complex at community bank scale. It is primarily an organizational discipline problem, and it is far easier to solve before formal requirements create external pressure to solve it quickly. Shore's free CORE Assessment evaluates operational readiness across five categories including regulatory compliance and data readiness. For community banks beginning to assess their AI governance posture, it identifies where documentation gaps are concentrated and provides a starting point for the inventory work described above.
Frequently Asked Questions
What is the difference between generative AI and agentic AI?
Generative AI produces content in response to a prompt: text, summaries, drafts, or explanations. A generative AI system responds and stops. Agentic AI pursues a goal across multiple steps, using tools and taking actions along the way. The distinction matters for governance because generative AI produces outputs that a human can review before acting on them. Agentic AI produces effects: it initiates actions, updates records, sends communications, or routes decisions without necessarily waiting for human review between each step.
Is the AI my core provider uses considered agentic?
It depends on what the system does. If a feature in your core provider's platform automatically initiates an action based on AI output, without a human reviewing and approving that specific action before it occurs, the feature is operating agentically. Many core providers are introducing AI capabilities incrementally through standard product updates. Reviewing release notes and asking specifically what actions each AI feature can initiate is the right starting question for each vendor product.
When is the OCC expected to issue the AI-specific RFI?
The April 2026 guidance stated the RFI would be issued in the near future. As of June 2026, it had not yet been published. The OCC's May 2026 Semiannual Risk Perspective addressed agentic AI directly, suggesting the topic remains an active priority. Community banks should monitor the OCC, Federal Reserve, and FDIC websites for RFI publication, as the comment period will likely be the primary opportunity to influence what proportionate governance for community bank scale looks like.
Can a community bank use agentic AI under the current regulatory framework?
Yes. The exclusion of agentic AI from OCC Bulletin 2026-13 means there is no specific formal framework governing it at this time. Banks can deploy agentic AI capabilities, including those embedded in vendor products, and are expected to apply general risk management and governance practices. The OCC's May 2026 risk report explicitly supported banks' measured use of agentic AI for operational and customer service functions. The governance question is not whether to use it but how to ensure adequate oversight of what it can do.
How does agentic AI governance differ from standard model risk management?
Traditional model risk management focuses on validation: testing whether a model produces outputs that are accurate, unbiased, and appropriate for their intended use. Agentic AI governance requires that plus something different: defining what actions the system is permitted to take, what oversight exists before those actions occur, and what the bank does when the system takes an action that was not expected or intended. The governance question shifts from accuracy to authorization: not just does the model work correctly, but is it permitted to do what it is doing, and how does the bank know?