Artificial intelligence (AI) adoption across the financial services sector continues to accelerate, supporting activities such as fraud detection, customer engagement, credit decisioning and operational automation.
At the same time, AI introduces distinct risk considerations related to governance, transparency, cybersecurity, data integrity, and third‑party reliance. Recognizing these challenges, the Cyber Risk Institute (CRI) released the Financial Services Artificial Intelligence Risk Management Framework (FS AI RMF), intended to help financial institutions manage AI risks in a structured and consistent manner while enabling responsible innovation.
The FS AI RMF was developed in collaboration with 100 financial institutions and incorporates input from U.S. and international agencies, including the National Institute of Standards and Technology (NIST). It is designed to assist financial institutions in managing AI risk.
Purpose and Scope of the FS AI RMF
The FS AI RMF was created to address AI risk and to close gaps in risk management programs by translating high‑level principles into specific, actionable guidance tailored to the financial services operating environment and adoption maturity.
The framework is intended for use by a wide range of stakeholders, including AI and technology leaders, risk management and compliance teams, legal advisors, internal audit, business leaders and regulators with responsibility for AI governance. It is also designed to extend across third‑party relationships, reflecting the growing role of vendors and service providers in AI development and deployment.
Alignment with the NIST AI Risk Management Framework
The FS AI RMF is structurally aligned with the National Institute of Standards and Technology (NIST) Artificial Intelligence Risk Management Framework. CRI emphasizes that the framework is complementary to existing regulatory guidance and internal policies, rather than a replacement for them. Two key features the FS AI RMF provides are controls scoped to current AI adoption levels and examples of appropriate controls and supporting evidence.
Supplemental context from the U.S. Department of the Treasury highlights the importance of sector‑specific adaptations of the NIST AI RMF to support safe, secure and resilient AI adoption within financial services. The Treasury Department has identified the FS AI RMF as a practical mechanism for translating NIST’s principles into governance, risk and control considerations relevant to financial services.
Framework Structure and Key Components
Similar to other industry-focused CRI frameworks, the FS AI RMF is designed to allow institutions to assess their current maturity, define target states and prioritize risk management activities incrementally. This staged approach is intended to support both early‑stage AI experimentation and more advanced, embedded AI use cases in a controlled manner.
The FS AI RMF begins with an AI Adoption Stage Questionnaire to determine the current level of AI adoption and corresponding risks. The levels are as follows:
- Initial – AI features in use are limited, as are protective methods;
- Minimal – entails low-risk implementations;
- Evolving – involves high-risk production applications; and
- Embedded – describes AI that is widely integrated across the organization.
Once the current state of an organization’s AI use is identified, the Risk and Control Matrix (RCM) matches that adoption stage to the controls to be implemented, up to 230 in total, and provides practical implementation guidance for them. Institutions can use the RCM stages to manage their current risk level and identify key controls and processes to implement as AI adoption increases.
The required control objectives are as follows, listed by level/stage:
- Stage 1 (Initial): 21 Control Objectives;
- Stage 2 (Minimal): 126 Control Objectives;
- Stage 3 (Evolving): 193 Control Objectives; and
- Stage 4 (Embedded): all 230 Control Objectives.
How Schneider Downs Can Help
For most financial institutions, the question is no longer whether to use AI—it is how to govern it effectively. Schneider Downs helps translate framework requirements into practical action, close gaps before they become regulatory problems and build scalable, risk-based oversight.
Drawing on Risk Advisory, Internal Audit and IT Risk expertise, our professionals assess AI maturity, align AI-related risks with existing governance frameworks and embed AI considerations into enterprise risk management, internal audit plans and third-party risk management processes.
We design policies, procedures and controls that are sustainable, auditable and tailored to your operating model. To discuss how we can help your organization navigate the FS AI RMF, contact our team at [email protected].
About Schneider Downs Financial Services
The Schneider Downs Financial Services industry group supports financial institutions as they navigate evolving risk, regulatory, and governance challenges. Our professionals work with institutions to strengthen internal audit, risk advisory, and related risk management programs that support sound decision‑making, operational effectiveness, and regulatory alignment.
Through services spanning internal audit, risk advisory, IT risk advisory, third‑party risk management, fraud risk advisory, and enterprise risk and compliance, we help financial institutions design and enhance resilient, risk‑based programs aligned with their strategic objectives and operating environment.
To learn more, visit our Financial Services Industry Group page.