
Financial Services AI Risk Management Framework: Expanded Controls for the Financial Services Industry

By Beau Braswell on June 2, 2026

In February 2026, a public-private partnership headed by the U.S. Department of the Treasury concluded an investigative process aimed at strengthening cybersecurity and risk mitigation for AI in the financial services sector.

The partnership consisted of executives from over 100 financial institutions, U.S. and international agencies, federal and state financial regulators, and other key stakeholders. One of the partnership’s key deliverables announced at the conclusion of the investigation is the Financial Services AI Risk Management Framework (Financial Services AI RMF), which adopts and expands the AI Risk Management Framework provided by the National Institute of Standards and Technology (NIST Framework) for specific application to the financial services industry.

Framework Organization

The NIST Framework is organized into four “functions”: Govern, Map, Measure, and Manage. The Financial Services AI RMF adopts the NIST Framework’s functions, but then provides further controls under each function, which are aimed at tailoring the framework to the financial services sector. The Financial Services AI RMF contains 230 controls designed to be scalable and adaptable for financial institutions, including community banks, credit unions, national and multinational banks, insurers, investment firms, and their third-party providers.[1] Implementation of the Financial Services AI RMF is not mandatory; the framework is instead categorized as a tool that is “complementary to existing risk frameworks” and that “synthesizes global standards and supervisory expectations.”[2]

The Financial Services AI RMF consists of four components: 1) an AI adoption stage questionnaire, which businesses can fill out as a starting point to identify their current AI adoption stage; 2) a risk and control matrix, which lists the 230 controls; 3) a user guidebook for control adoption and implementation; and 4) a control objective reference guide, which provides further information on each control, as well as examples of “effective evidence” of implementation.

Key Controls

Below, we highlight and summarize a sample of the controls that legal counsel can help financial services organizations assess and address:

  • Govern 1.1.1: The organization identifies, monitors, and integrates applicable laws, regulations, contractual obligations, and sector requirements into policies, procedures, and operations.
  • Govern 1.1.3: The organization implements procedures to validate AI system compliance with law, including audits and impact assessments.
  • Govern 6.1.1: The organization establishes processes for evaluating and selecting third-party AI technologies based on criteria that assess security and privacy implications, due diligence, and contracting practices.
  • Govern 1.2.3: The organization develops an AI Acceptable Use Policy.
  • Map 4.1.1: The organization documents processes for identifying, mapping, assessing, and managing potential legal risks associated with the AI systems, including risk related to data privacy, intellectual property, third-party rights, and use of service providers.
  • Map 4.1.3: The organization communicates identified legal risks associated with the AI system, and changes in laws, regulations, and industry standards, to relevant stakeholders.
  • Map 5.2.2: The organization engages with stakeholders to solicit insights and develop action plans that detect, prevent, and mitigate potential risks, costs, or adverse impacts.
  • Measure 2.10.1: The organization conducts an initial examination of the privacy risks associated with AI systems and documents the results. The organization establishes mechanisms for managing risks and incidents, such as data breaches.
  • Measure 2.10.3: The organization establishes procedures for tracking and managing data subject consent, including handling data subject rights requests.
  • Manage 3.1.5: The organization monitors AI risks associated with third-party resources, including monitoring contracts and contract compliance.

Taft’s Privacy, Security & AI attorneys stand ready to assist financial services organizations in implementing the Financial Services AI RMF and otherwise assessing and managing enterprise AI risk. As always, please sign up to receive emails of our latest posts here on Privacy and Data Security Insights, and follow us on LinkedIn for the latest in privacy, security and artificial intelligence legal news.


[1] See a description of the Financial Services AI RMF online here: https://cyberriskinstitute.org/artificial-intelligence-risk-management/.

[2] Id.

Beau Braswell

Beau has advised clients on data privacy and cybersecurity matters for more than eight years. He began his legal career in the U.S. Department of Justice, where he obtained a TS/SCI clearance and advised on data protection in the law enforcement and intelligence contexts.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Taft Privacy & Data Security Insights
  • Organization:
    Taft Stettinius & Hollister LLP