The U.S. Department of the Treasury has released two new resources designed to help financial institutions adopt artificial intelligence more safely and consistently, signaling a growing federal appetite for practical, sector-specific AI guidance rather than sweeping top-down regulation.
The two resources — an Artificial Intelligence Lexicon and a Financial Services AI Risk Management Framework (FS AI RMF) — were developed through the Treasury’s Artificial Intelligence Executive Oversight Group (AIEOG), a public-private partnership that brought together executives from over 100 financial institutions alongside federal and state regulators. Both resources are framed as voluntary tools rather than binding mandates, and both are designed to advance the goals set out in the White House’s AI Action Plan.
The Problem These Resources Are Trying to Solve
One of the more fundamental problems the Treasury is trying to solve is a surprisingly simple one: financial institutions, regulators, legal teams, and technology departments often don’t share the same vocabulary when it comes to AI. That gap in common language has made governance harder and oversight uneven across the sector. When a bank’s risk team, its compliance attorneys, its data scientists, and its primary regulator use the same words to mean different things, the consequences compound. Contract negotiations stall. Examination findings become harder to contest. Board-level oversight becomes surface-level rather than substantive.
This isn’t a hypothetical concern. As AI adoption in financial services has accelerated — driven by demand for better fraud detection, faster underwriting, more responsive customer service, and more sophisticated risk modeling — the absence of a shared conceptual foundation has created real friction. Institutions have struggled to communicate meaningfully with regulators about what their AI systems actually do, what risks they pose, and how those risks are being managed. Regulators, in turn, have found it difficult to develop consistent supervisory expectations across institutions using vastly different frameworks and terminology.
The two new Treasury resources take aim at both problems simultaneously.
The AI Lexicon: A Common Language for a Complex Technology
The AI Lexicon establishes common definitions for key AI concepts, capabilities, and risk categories, enabling clearer communication across regulatory, technical, legal, and business functions and supporting more consistent supervision and implementation. Definitions were drawn from existing academic literature, government publications, and industry standards rather than invented wholesale — a deliberate design choice intended to give the document credibility across multiple audiences and avoid the proliferation of yet another competing definitional standard.
The significance of this kind of standardization is easy to underestimate. At the board and executive level, it enables more meaningful AI governance conversations that don’t get derailed by semantic disputes. In vendor relationships, it provides a neutral reference point for contract language around AI capabilities and risk disclosures. In regulatory examinations, it gives both institutions and examiners a shared benchmark for evaluating whether governance programs are addressing the right risks in the right ways. And in litigation or enforcement contexts, clear definitions reduce the ambiguity that can complicate liability analysis.
The AI Lexicon seeks to establish a common language to help financial institutions and regulators communicate more clearly about artificial intelligence risks and capabilities. As banks increasingly rely on artificial intelligence for customer service and operational decisions, inconsistent terminology has sowed confusion, harming governance and oversight.
The Financial Services AI Risk Management Framework: NIST, Translated
The Financial Services AI Risk Management Framework goes a step further by taking NIST’s existing AI Risk Management Framework — a solid but deliberately general document — and adapting it specifically to the operational and regulatory realities of financial services. The sector-specific framework includes 230 control objectives mapped to varying stages of AI adoption. It provides guidance for evaluating AI use cases, managing lifecycle risks and integrating AI governance into existing enterprise risk programs. The framework is scalable and intended for institutions of different sizes.
The FS AI RMF consists of four parts — an AI adoption stage questionnaire, a risk and control matrix, a user guidebook, and a control objective reference guide. The adoption stage questionnaire is particularly important for smaller institutions: rather than confronting a monolithic list of 230 controls and trying to determine which apply to them, organizations can use the questionnaire to establish where they currently sit on the AI maturity curve and then work from a prioritized, stage-appropriate subset of controls. Because the framework categorizes controls by adoption stage, banks do not have to waste resources on controls that do not yet apply to their operations.
The Cyber Risk Institute — a nonprofit coalition of financial institutions and trade associations that helped co-author the framework — describes its design philosophy this way: it should fit institutions of every size, from community banks and credit unions to the largest multinational institutions, and it should complement rather than replace existing enterprise risk programs. The 230 control objectives are structured around four functions that mirror the NIST AI RMF’s core architecture: govern, map, measure, and manage. Within each function, controls address AI-specific concerns that generic cybersecurity and operational risk frameworks don’t adequately capture — things like model drift, training data lineage, explainability requirements, and the particular consumer protection dimensions of AI-driven decisions in lending, insurance, and investment contexts.
What the Framework Actually Covers
For compliance and risk teams trying to understand the practical scope of what the FS AI RMF addresses, the 230 control objectives span a broad operational territory:
- Data governance: PII minimization, data lineage tracking, retention rules, and documentation of training data sources. These controls are directly relevant to the regulatory scrutiny financial institutions already face around data practices and are increasingly relevant as regulators examine how AI systems are trained and on what.
- Model quality and resilience: Performance benchmarks, drift detection mechanisms, explainability thresholds, human-in-the-loop requirements for high-stakes decisions, and rollback procedures. These map closely to existing model risk management expectations under SR 11-7 guidance, with AI-specific extensions.
- Fairness and consumer protection: Disparate impact testing, documentation of methodology, and support for adverse action notice requirements under Regulation B and the Equal Credit Opportunity Act. For institutions using AI in underwriting or credit decisions, these controls connect directly to existing fair lending obligations.
- Third-party and vendor risk: Due diligence standards for AI vendors, contractual controls around model documentation and incident disclosure, and exit strategy planning for vendor dependencies.
- Security and adversarial resilience: Access controls, prompt filtering for generative AI systems, logging and monitoring practices, and AI-specific red-team exercises designed to probe for data leakage, model manipulation, and adversarial inputs.
- Incident response: Defined escalation paths and regulatory reporting triggers for model failures, bias events, and data exposure incidents — an area where many institutions currently have significant gaps relative to their existing cyber incident response programs.
Many controls map to specific system behaviors, ownership assignments, and evidence artifacts expected to withstand audit and supervisory review. That last point is worth emphasizing. The framework isn’t designed primarily as a policy exercise — it’s designed to produce the kind of documented, attributable evidence that holds up in an examination. Institutions that treat it as a documentation refresh will miss the point; institutions that use it as an architectural blueprint for how AI governance should actually operate will be better positioned when supervisory expectations harden.
The Sector’s Hunger for This Kind of Guidance
The timing of these resources reflects just how much pressure financial institutions are under to deploy AI responsibly at scale. Banks want to use AI to improve fraud prevention, insurers want to use it to evaluate risk, and securities markets want to use it to analyze transactions. Roughly one-third of the work that capital markets, insurers and banks perform has high potential to be fully automated by AI. The competitive and efficiency pressures driving that adoption are real and accelerating.
But so are the risks. Generative AI introduces vulnerabilities around hallucination, data leakage, and adversarial manipulation that don’t have good analogs in traditional IT risk frameworks. AI-driven credit and underwriting decisions create fair lending exposure that requires new testing and documentation approaches. AI systems operating at scale can create systemic interdependencies that compound rather than diversify risk. And the regulatory scrutiny of all of it is intensifying even as the frameworks for managing it have lagged behind the pace of deployment.
The AIEOG itself was born out of a recognition of these gaps. Its workstreams specifically targeted areas where the financial sector’s governance infrastructure was least developed relative to the risks it was accumulating: governance structures, fraud and digital identity, data integrity, and transparency in how AI systems make or influence decisions. The Lexicon and the FS AI RMF are the first installments of a six-part guidance series designed to address each of these areas systematically. The remaining four resources — covering governance and accountability, data integrity and security, fraud and digital identity, and operational resilience — were expected to roll out throughout February.
The Bigger Picture: Acceleration, Not Just Safety
What distinguishes the Treasury’s approach from more cautious regulatory postures is its explicit framing around acceleration alongside safety. The resources are not primarily designed to slow AI deployment or create additional compliance friction — they’re designed to remove the uncertainty and inconsistency that currently acts as a brake on responsible adoption. By strengthening common terminology and risk management practices for AI, these resources support quicker and more widespread adoption of AI in the financial sector, via more robust AI cybersecurity and improved operational resilience.
Treasury Secretary Scott Bessent made the administration’s orientation clear when the initiative was announced, framing AI leadership in financial services as a national priority. Acting Deputy Secretary Derek Theurer reinforced that the goal is practical utility, not aspirational statements. Treasury’s own Chief AI Officer, Paras Malik, put it most directly: the resources are designed to help institutions move faster with AI by reducing uncertainty, not to create new layers of compliance overhead.
That acceleration-forward framing carries an important implication for compliance and legal teams. Voluntary guidance that exists to support innovation tends to become the baseline expectation against which institutions are evaluated — not immediately, but quickly. The Federal Financial Institutions Examination Council (FFIEC) standards for cybersecurity and IT began as guidance and became the de facto examination scaffold. The expectation that the FS AI RMF will follow a similar trajectory seems reasonable. Institutions that proactively align their AI governance programs to the framework now — before examination expectations formally crystallize — will be substantially better positioned than those that engage with it reactively.
FS AI RMF’s adoption
For compliance, legal, and risk teams assessing what these new resources mean operationally, a few immediate priorities stand out.
First, use the AI Lexicon to align internal terminology across teams before the next regulatory examination or significant AI deployment. The definitional inconsistencies that currently exist between technical, legal, and business functions create unnecessary risk in examination responses and regulatory communications. Getting on the same page now is a low-cost, high-value exercise.
Second, run the FS AI RMF’s adoption stage questionnaire against your current AI portfolio. The goal isn’t to score well — it’s to identify where your governance posture is materially out of step with the control expectations for your level of AI deployment, and to prioritize remediation accordingly. Institutions that have been deploying AI in high-stakes contexts (credit decisions, fraud scoring, customer communications) without commensurate governance infrastructure are the ones with the most urgent remediation work ahead.
Third, inventory third-party and vendor AI dependencies with the same rigor applied to first-party systems. A significant and growing share of AI risk in financial services is embedded in vendor relationships, where institutions may have limited visibility into model architecture, training data, or performance monitoring. The FS AI RMF’s vendor risk controls provide a structured framework for closing those visibility gaps through due diligence and contractual requirements.
Finally, watch for the remaining four AIEOG resources as they are released. The full six-part suite is designed to be used together, and the governance, fraud, identity, and operational resilience resources will likely contain the most operationally specific guidance for institutions that are already working through the foundational controls established in the Lexicon and the FS AI RMF.
The federal government’s posture on AI in financial services has shifted from observation to active facilitation. For institutions that have been waiting for authoritative direction before committing to governance programs, the Treasury’s new resources offer the clearest signal yet of where regulatory expectations are heading — and a credible, industry-informed starting point for getting there.
