Existing Guidance Wasn’t Written for Autonomous AI
The model risk management frameworks that govern financial institutions today — including SR 11-7, the foundational interagency guidance on supervisory expectations for model risk — were written for a different era of AI. They address statistical models, predictive algorithms, and defined decision systems.
They were not designed for agentic AI: systems that plan, execute multi-step tasks, take actions in the real world, and operate with degrees of autonomy that no prior regulatory framework anticipated.
This is not a criticism of existing guidance. It is an acknowledgment of reality. The regulatory gap is real, it is documented, and it is currently unresolved. Regulated financial institutions — banks, broker-dealers, investment advisers, and credit unions — are deploying or evaluating agentic AI systems right now, without a clear enforcement framework to govern how those systems should be validated, monitored, and controlled within existing compliance obligations.
GRACE was built to close that gap.
The Governance Gap
Policymakers Are Moving. The Infrastructure Has to Be Ready.
Framework-level actions are underway across Congress and the executive branch. What they cannot provide at the legislative level is the enforcement architecture that makes responsible deployment operationally real inside a regulated institution.
AI Innovation Labs at Federal Regulators
Bipartisan legislation advancing to establish AI innovation labs at the Federal Reserve, OCC, FDIC, SEC, CFPB, NCUA, and FHFA — creating supervised environments where regulated institutions can test AI projects under direct agency oversight.
Bipartisan financial services AI legislation, introduced 2025. Co-sponsored across party lines.
Regulatory AI Centers of Excellence
The Administration’s AI policy framework calls for regulatory Centers of Excellence to test AI tools and share results across agencies — a structured federal approach to enabling responsible AI deployment at the institutional level.
Administration AI Action Plan, July 2025.
Bipartisan AI Policy Roadmap
The Senate’s bipartisan AI policy framework explicitly addresses financial regulation, cybersecurity, and national security applications of AI — and directed relevant committees to conduct a financial sector regulatory gap analysis.
Bipartisan Senate AI Working Group Policy Roadmap, May 2024.
GRACE removes the uncertainty that keeps institutions on the sidelines — replacing it with documented, examiner-ready evidence of responsible operation. Institutions can engage with regulatory innovation environments from day one rather than waiting for clarity that may be years away.
GRACE ensures that agentic AI systems operating inside regulated financial institutions cannot act without a validated audit trail, pre-execution controls, and cryptographically signed records of every action taken. Accountability is built into the execution layer — not added as an afterthought.
These are not competing priorities. GRACE addresses both.
From Model Risk to Agentic AI
The problem GRACE solves did not appear overnight. It accumulated across fifteen years of evolving AI capability and a regulatory framework that was never designed to keep pace with it.
Enforcement Architecture for a Framework Era
GRACE operates at the layer below policy. While legislators define what responsible AI in financial services should look like, and regulators determine how to supervise it, GRACE provides the technical enforcement layer that makes both possible.
Pre-Execution Enforcement
Intent validation and behavioral boundary controls for AI systems that act autonomously within regulated environments. Every action intercepted before it executes — not logged after the fact.
MRM Continuity Layer
Extending SR 11-7 model risk obligations to cover agentic systems that current supervisory guidance does not explicitly reach — providing the validation documentation and examiner-ready audit records that SR 26-2 Footnote 3 implicitly requires but does not define.
Cryptographically Signed Execution Logs
Real-time state capture via SHADOW and cryptographically signed Policy Action Packets using ML-DSA-65 / FIPS 204 post-quantum standards. Tamper-evident, institution-owned records that satisfy examiner expectations without requiring manual reconstruction.
Post-Quantum Cryptographic Standards
FIPS 204 / ML-DSA-65 signing aligned with current NIST guidance, designed for institutions operating under heightened national security scrutiny and cybersecurity examination requirements. This is not a future capability — it is what GRACE uses today.
GRACE is not a compliance checklist. It is not a policy document. It is the operational infrastructure that allows regulated financial institutions to deploy agentic AI — today, within current regulatory frameworks — rather than waiting on the sidelines for clarity that may be years away.
Grace AI Control · Technical Position Statement
The regulatory environment for AI in financial services is being defined in real time.
Institutions that engage now — with the right governance infrastructure in place — will be positioned to lead when the frameworks are finalized. Those that wait will be playing catch-up against a moving standard.
We are actively briefing policymakers, regulators, and institutional stakeholders on GRACE and the governance gap it addresses. If you are working on AI policy, financial regulation, or the intersection of cybersecurity and financial infrastructure, we welcome the conversation.