In May 2026, the Office of the Comptroller of the Currency (OCC) released its Semiannual Risk Perspective report, warning that artificial intelligence (AI) is “significantly transforming” the cybersecurity threat landscape for banks. Specifically, the OCC found that AI can be used to facilitate fraud, while also lowering the barrier to entry for threat actors and increasing the “speed, scale, and sophistication” of cyberattacks against financial institutions.
In its report, the OCC recognized that banks can harness AI to protect against these fraud and cyber threats, pointing to “increasingly advanced AI tools coming into the market to assist with cybersecurity functions,” and noting that “[a] sound understanding of the potential benefits and possible risks associated with these advanced tools can be important for cyber risk management.” Beyond cybersecurity, the OCC expressed support for banks’ “measured approach” to integrating generative and agentic AI into core operational and customer service functions—while maintaining guardrails and ensuring that human oversight remains embedded in workflows—with use cases concentrated primarily in productivity and customer experience enhancement. The OCC further indicated that banks “may consider expanding their use of [generative AI] and agentic AI for material financial decisions.”
The report cautions, however, that more advanced forms of AI present significant governance challenges, including “lack of explainability, data privacy and data poisoning issues, cybersecurity threats, and validation challenges where industry approaches are evolving,” and stresses that “appropriate governance and risk management are essential for risk mitigation.” Critically, in the “near future,” the OCC, the Federal Deposit Insurance Corporation, and the Board of Governors of the Federal Reserve System announced plans to issue a request for information on model risk management as it relates to banks’ use of AI, signaling that formal regulatory guidance in this area is forthcoming. Federal Reserve Vice Chair for Supervision Michelle Bowman has also separately called for an assessment of whether existing AI-related supervisory guidance is “fit for the future,” noting that the Federal Reserve’s recently amended model risk management guidance applies only narrowly to traditional models and basic AI applications, and does not yet extend to generative or agentic AI.
Banks and financial institutions should pay close attention to these developments. The OCC has stated that it “supports banks’ efforts to integrate AI into core functions, while managing the risk in a safe and sound manner and in compliance with applicable laws and regulations,” and is “actively reviewing” its own supervisory expectations, guidance, and regulations to ensure innovative AI opportunities are accessible to all OCC-supervised institutions. However, the forthcoming request for information, combined with evolving Federal Reserve guidance, signals that financial institutions that proactively strengthen their AI governance and risk management frameworks now will be far better positioned to navigate supervisory expectations on the horizon.