US Treasury publishes AI risk framework for financial services

TL;DR: The US Treasury has released an AI risk management framework built by over 100 financial institutions. The guidebook defines 230 control objectives across four governance functions and classifies firms into four AI maturity stages. UK financial services firms should study it as a likely template for international standards.

The Financial Services AI Risk Management Framework (FS AI RMF) extends the existing NIST AI framework with sector-specific controls designed for the particular regulatory and operational demands of banking, insurance, and investment firms.

How the framework works

The FS AI RMF has four components: an adoption stage questionnaire, a risk and control matrix, a detailed guidebook, and a reference guide with example controls and evidence requirements. The 230 control objectives are organised across four functions borrowed from NIST: govern, map, measure, and manage.

Firms are classified into four maturity stages based on their current AI use. An initial-stage organisation with no operational AI deployment faces different requirements than an embedded-stage firm running AI in core business processes and customer-facing roles. This tiered approach means smaller firms or those early in AI adoption are not immediately burdened with controls designed for advanced deployments.

The framework addresses governance topics including data quality management, fairness and bias monitoring, cybersecurity controls, transparency in AI decision processes, and operational resilience. It recommends maintaining incident response procedures specific to AI systems and creating a central repository for tracking AI failures.

Why UK firms should pay attention

While the framework targets US institutions, its development by major global financial players makes it likely to influence international standards. UK financial firms already operate under FCA and PRA expectations around model risk management, and the FS AI RMF offers a more granular approach to AI-specific risks that existing UK frameworks do not yet address in detail.

The emphasis on explainability and transparency is particularly relevant as UK regulators consider their own AI governance requirements. Firms that adopt structured frameworks now will be better positioned when UK-specific rules arrive.

Looking forward

The framework treats AI governance as an evolving requirement rather than a fixed checklist. As AI capabilities change and regulatory expectations tighten, institutions will need to update their practices accordingly. For financial services leaders, the message is straightforward: AI adoption and risk governance must advance together.