Federal regulators and standards bodies are accelerating the release of AI governance frameworks targeting enterprise automation in regulated industries, creating a coordinated-if still voluntary-set of requirements centered on data provenance, audit trails, and model risk management. On February 19, 2026, the U.S. Department of the Treasury released the Financial Services AI Risk Management Framework (FS AI RMF), a sector-specific adaptation of the NIST AI RMF containing 230 control objectives spanning governance, data, model development, validation, monitoring, third-party risk, and consumer protection. Days later, on April 7, 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, extending governance guidance to operators in energy, healthcare, and other essential sectors.
Background
Congress continues to debate comprehensive AI legislation but has not passed a broad federal AI law. Regulation instead emerges from a patchwork of state laws, federal agency guidance, and voluntary standards.1Risk Management Magazine - 4 Trends in AI Governance for 2026 That gap has prompted individual agencies and state legislatures to act independently.
In 2024 alone, U.S. federal agencies introduced 59 AI-related regulations-more than double the prior year. At the state level, multiple AI laws have already taken effect or are imminent. California's Transparency in Frontier AI Act (SB 53) became enforceable on January 1, 2026, requiring large AI developers to publish safety frameworks and report critical safety incidents. Colorado's AI Act, mandating risk management programs and algorithmic discrimination impact assessments, takes effect June 30, 2026. The NIST AI RMF has emerged as the de facto standard for AI governance across U.S. federal agencies and regulated industries.
Details
The Treasury's FS AI RMF, developed in coordination with more than 100 financial institutions, the Financial Services Sector Coordinating Council, and the Cyber Risk Institute, represents the most concrete sector-specific AI governance framework issued by a federal agency to date. It provides practical tools and reference materials to help institutions evaluate AI use cases, manage risks across the AI lifecycle, and embed accountability, transparency, and resilience into deployment decisions. The framework includes a self-assessment questionnaire, a risk-to-control mapping matrix, and implementation guidance categorized by AI adoption stage.
Treasury's Chief AI Officer Paras Malik stated that the resources are "designed to help institutions move faster with AI by reducing uncertainty and supporting consistent, scalable implementation," according to the department's press release.
NIST's parallel effort targets critical infrastructure. The profile will guide critical infrastructure operators toward specific risk management practices when engaging AI-enabled capabilities. NIST also released a preliminary draft of the Cybersecurity Framework Profile for Artificial Intelligence (NIST IR 8596) in late 2025, integrating AI-specific considerations across all six core functions of CSF 2.0.
Industry analysts point to rising urgency. According to Gartner's AI governance research, by the end of 2026, over 75% of organizations will have formal AI governance frameworks in place, up from less than 30% in 2023. Yet significant gaps remain: the Kiteworks Forecast Report shows 78% of organizations lack pre-training validation and 77% lack provenance and lineage capabilities.
Outlook
The EU AI Act's full compliance requirements for high-risk AI systems activate on August 2, 2026, adding international pressure on U.S.-based enterprises operating across borders. NIST is expected to release RMF 1.1 guidance addenda, expanded profiles, and more granular evaluation methodologies through 2026. For enterprise IT leaders, the convergence of federal frameworks, state enforcement deadlines, and international obligations means AI governance programs can no longer be treated as optional or deferred.
