America's financial sector writes its own AI rulebook: the FS AI RMF and its 230 control objectives
On 12 February 2026 the Cyber Risk Institute and the Financial Services Sector Coordinating Council launched the Financial Services AI Risk Management Framework — 230 control objectives that adapt the NIST AI RMF for banks and insurers. It is industry-led and voluntary, not regulation.
On 12 February 2026 the Cyber Risk Institute (CRI), working with the Financial Services Sector Coordinating Council (FSSCC), launched the Financial Services AI Risk Management Framework (FS AI RMF) — a sector-specific framework built by more than 100 financial institutions to help banks, insurers and market participants govern their use of artificial intelligence. Its centrepiece is a catalogue of 230 control objectives organised across the AI adoption lifecycle.
This is not a law and not a regulation. No agency promulgated it and no statute backs it; it is an industry-led instrument that institutions adopt at their own discretion. Its authority is the same kind the FSB's sound practices and the NIST framework enjoy — it works by becoming the reference that examiners, auditors and counterparties converge on, not by commanding compliance.
Where it came from
The framework is the most substantial output so far of the AI Executive Oversight Group (AIEOG), a public-private body the FSSCC established in late 2024 together with the Treasury's Financial and Banking Information Infrastructure Committee (FBIIC). The AIEOG's purpose is to translate the sector's AI concerns — fraud, model risk, explainability, third-party concentration — into shared, operational guidance. Through the first months of 2026 it has shipped a series of deliverables: an AI Lexicon and identity and authentication work in February, and explainability, data-nutrition-labelling and AI-enhanced-fraud deliverables in March. The FS AI RMF is the load-bearing piece among them.
What is actually in it
The framework deliberately does not reinvent AI risk taxonomy. It is structurally aligned with the NIST AI Risk Management Framework — the American voluntary baseline — and then expands it into something a financial institution can run against. It ships as four parts:
- an AI Adoption Stage Questionnaire, which places an institution on a maturity scale so the controls can be applied proportionately;
- a Risk and Control Matrix (RCM) — the 230 control objectives themselves, mapped to where in the AI lifecycle each one bites;
- a Guidebook explaining how to use the matrix; and
- a Control Objective Reference Guide cross-walking the objectives to existing standards and supervisory expectations.
The design intent is layering, not replacement: an institution that already runs the NIST AI RMF or holds an ISO/IEC 42001 management system can map onto the FS AI RMF rather than start again. CRI's chief executive Josh Magri framed the launch around exactly that strategic posture — that "the future of financial services is increasingly intertwined with AI, making proactive and responsible governance a strategic imperative."
Why it matters beyond the United States
A voluntary American industry framework would be a parochial story were the financial sector not global. But the sector is global. The same systemically important banks that will benchmark themselves against the FS AI RMF in New York operate subsidiaries in Frankfurt and Singapore, and a group that builds one AI governance system wants it to answer to supervisors everywhere at once. That is why the soft-law layer is converging: the FS AI RMF, the FSB's 12 sound practices, Singapore's MAS AI risk toolkit and the G7 Hiroshima reporting framework are increasingly describing the same governance object in compatible vocabularies.
For a European bank or insurer the FS AI RMF arrives on top of binding law, not instead of it. DORA already governs ICT and third-party risk, and the AI Act designates creditworthiness assessment and life- and health-insurance pricing as high-risk uses. What the American framework adds is not obligation but a detailed control vocabulary an internationally active institution can use to show one coherent AI risk system to many regulators — a US-shaped counterpart to the binding European stack and the wider web of international AI governance that keeps setting common terms without the power to compel.
Sources
- https://cyberriskinstitute.org/artificial-intelligence-risk-management/
  CRI framework page: FS AI RMF, 230 Control Objectives organised by adoption stage, structurally aligned with the NIST AI RMF; four components.
- https://cyberriskinstitute.org/financial-services-industry-unites-to-launch-comprehensive-ai-risk-management-framework/
  CRI launch announcement (12 February 2026); developed with 100+ financial institutions in coordination with the FSSCC; quote CRI CEO Josh Magri.
- https://fsscc.org/aieog-ai-deliverables/
  FSSCC: the AIEOG (established late 2024 by FSSCC with Treasury's FBIIC) and its 2026 deliverables, including the AI Lexicon (Feb 2026) and the FS AI RMF.