CISO
CIO
Compliance Officer
Board
Industry relevance
Financial Services
Healthcare
Government
Energy
APRIL 7, 2026
NIST is extending AI governance requirements into operational technology and industrial control systems — financial infrastructure running on these platforms is now in scope.
On April 7, 2026, NIST's Information Technology Laboratory published a concept note launching development of an AI Risk Management Framework Profile specifically for Trustworthy AI in Critical Infrastructure. The profile targets AI deployed across Information Technology, Operational Technology, and Industrial Control Systems in sectors including energy, water, healthcare, and financial services. NIST researchers Raymond Sheh and Martin Stanley are leading the effort. NIST is establishing a Community of Interest for stakeholder input through seminars, working sessions, and requests for information. The profile aims to harmonize definitions across AI, critical infrastructure, and cybersecurity domains and provide actionable risk management guidance for operators at any level of AI maturity.
GOVERNANCE IMPLICATION
The NIST AI RMF Profile for Critical Infrastructure explicitly extends to Operational Technology and Industrial Control Systems, not just IT environments. For financial services, this has direct implications for trading platforms, payment rails, and clearing infrastructure that runs on OT-grade systems. Organizations that have classified AI deployments as IT risk rather than enterprise risk may find themselves with a structural gap the moment this profile reaches draft status and regulators begin referencing it in examination guidance. The trajectory of the NIST Cybersecurity Framework is the precedent — what starts as a concept note becomes a compliance expectation within 18 to 24 months.
SCENARIO
A clearing firm's CISO files AI governance documentation under IT risk management in Q1 2026, covering the AI systems used for settlement processing and exception handling. The NIST AI RMF Critical Infrastructure concept note is published in April 2026. By Q4 2026, the Federal Financial Institutions Examination Council references the profile in updated examination guidance. The clearing firm's AI governance documentation does not cover the OT-adjacent systems that process settlement instructions. The gap requires a supplemental filing and a six-month remediation program.
THE GOVERNANCE QUESTION
When NIST extends AI governance to OT and ICS environments, which of your AI deployments are classified as IT risk only — and does that classification hold up when a regulator references the critical infrastructure profile?
CONTROL GAP
Most financial services AI governance programs are scoped to IT systems and do not assess AI embedded in or adjacent to operational technology infrastructure. The NIST Critical Infrastructure profile creates an expectation that governance extends to the full operational environment.
REGULATORY RELEVANCE
NIST AI RMF
FFIEC
OCC
FINRA
SEC Cyber
PRIMARY SOURCE
Concept Note: AI RMF Profile on Trustworthy AI in Critical Infrastructure
NIST Information Technology Laboratory
April 7, 2026
CONTINUE READING
JANUARY 27, 2026
Regulated Industries
FINRA published observations from its risk monitoring engagement with member firms in January 2026. Firms are moving cautiously on customer-facing AI agents while moving faster on back-office automation. FINRA encouraged firms to proactively engage as their agentic AI strategies develop and noted it will continue monitoring and sharing findings with the industry and fellow regulators.
DECEMBER 9, 2025
Regulated Industries
FINRA's 2026 Annual Regulatory Oversight Report names GenAI agents as a new trend requiring explicit supervisory treatment. It identifies five risk dimensions specific to AI agents: autonomy without human validation, scope and authority beyond user intent, auditability complications in multi-step reasoning, data sensitivity exposure, and domain knowledge gaps in industry-specific contexts.