The Treasury FS AI RMF — the sector-specific tailoring that closes February 2026.
How Hael produces the substantive examination pack the US Treasury FS AI RMF and SR 26-02 supervisory teams open — generated from live operational state, sealed with hash-chained provenance.
What Treasury FS AI RMF requires
The US Treasury Financial Services AI Risk Management Framework is the sector-specific tailoring of NIST AI RMF for financial institutions. Published for consultation in early 2024 and closing February 2026, it inherits the four-function structure (GOVERN, MAP, MEASURE, MANAGE) and adds financial-services-specific risk categories, supervisory expectations and incident reporting requirements.
The framework is significant for two reasons. First, it converts NIST AI RMF from voluntary to effectively mandatory for federally regulated financial institutions. The OCC, Federal Reserve, FDIC and CFPB have signalled examination expectations referencing the framework. Second, the framework explicitly extends to generative and agentic AI — closing the gap left by SR 11-7, which was written for traditional quantitative models and does not contemplate GenAI use cases.
SR 26-02 is the expected supervisory letter from the Federal Reserve formally extending SR 11-7 model governance expectations to GenAI under the Treasury FS AI RMF structure. Once issued, regulated banks must demonstrate Treasury FS AI RMF compliance through supervisory examinations. The compliance window is narrow: the framework closes February 2026, SR 26-02 is expected shortly after, and examinations follow.
Treasury FS AI RMF is what SR 11-7 was for traditional models — for GenAI, for agents, for the systems banks are deploying now.
The artefact, not the attestation
Treasury FS AI RMF inherits NIST AI RMF's profile concept and adds financial-services-specific risk categorisations: model risk, third-party risk, operational risk, compliance risk, conduct risk and consumer protection risk. The substantive artefact is a sector-tailored profile that maps each AI system to applicable risk categories and demonstrates the controls running against each.
Supervisory examiners arrive with specific expectations. They ask to see the AI system inventory. They ask to see the risk categorisations and the controls executing against each risk category. They ask to see incident records, evidence of monitoring and remediation actions. They ask to see the governance decisions and oversight assignments. They ask to see the third-party risk assessments for foundation model providers. Hael generates each of these artefacts from operational state.
How Hael runs it
Hael ships Treasury FS AI RMF coverage as a sector overlay on the NIST AI RMF profile generator. The same evidence base produces both artefacts: a NIST profile for general procurement and federal procurement, and a Treasury FS overlay for supervisory examination readiness. Financial-services-specific risk categories are pre-mapped to the relevant evidence collectors — model risk pulls from validation records, third-party risk pulls from vendor governance, conduct risk pulls from consumer-facing AI decision audit trails.
The platform's audit chain is examiner-ready by design. Each governance decision, each risk assessment, each control execution, each incident response is hash-chained and cryptographically verifiable. When the examiner arrives, scoped access to the audit chain lets them verify evidence integrity in real time. Examinations that historically consumed weeks of internal preparation complete in days.
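The hash-chained audit trail described above, as an added example (not Hael's implementation, whose record format the page does not give): each record commits to the previous record's hash, and verification also compares the final hash to a head value held independently of the log. The record fields, the `sealed_head` parameter and all sample records are assumptions constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the first record

def _digest(prev_hash, kind, payload):
    # Canonical JSON so the same record always hashes to the same bytes.
    body = json.dumps({"prev": prev_hash, "kind": kind, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append(chain, kind, payload):
    """Append a record linked to the previous hash; return the new head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "kind": kind, "payload": payload,
                  "hash": _digest(prev, kind, payload)})
    return chain[-1]["hash"]

def verify(chain, sealed_head):
    """Return (ok, index of first bad record, reason)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev:
            return (False, i, "broken link")
        if rec["hash"] != _digest(rec["prev"], rec["kind"], rec["payload"]):
            return (False, i, "record altered")
        prev = rec["hash"]
    # A log that was re-hashed end to end, or truncated, is still internally
    # consistent; only a head held outside the log owner's reach exposes it.
    if prev != sealed_head:
        return (False, len(chain), "head does not match seal")
    return (True, None, "ok")

def demo():
    chain = []  # constructed sample records, not real audit data
    append(chain, "governance_decision", {"system": "example-assistant", "owner": "model-risk"})
    append(chain, "risk_assessment", {"system": "example-assistant", "category": "conduct risk"})
    append(chain, "control_execution", {"control": "output-monitoring", "result": "fail"})
    head = append(chain, "incident_response", {"incident": "INC-EXAMPLE-1", "status": "closed"})
    edited = [dict(r) for r in chain]
    edited[2]["payload"] = {"control": "output-monitoring", "result": "pass"}
    forged = []  # the whole chain rebuilt with a different last record
    for r in chain[:3] + [{"kind": "incident_response", "payload": {"status": "none"}}]:
        append(forged, r["kind"], r["payload"])
    return {"clean": verify(chain, head), "edited": verify(edited, head),
            "truncated": verify(chain[:3], head), "forged": verify(forged, head)}

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```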
Examiners arrive with specific expectations. Hael generates each substantive artefact they ask for.
Questions
When does Treasury FS AI RMF become enforceable?
The framework closes February 2026. SR 26-02 — the Federal Reserve supervisory letter extending SR 11-7 model governance to GenAI under the Treasury FS AI RMF structure — is expected shortly after closure. Once issued, supervisory examinations will reference the framework as the applicable standard for financial institution AI risk management.
Does Treasury FS AI RMF replace SR 11-7?
No. SR 11-7 remains the standard for traditional quantitative models. Treasury FS AI RMF extends model risk management coverage to generative and agentic AI — the systems SR 11-7 was not designed to govern. The two operate in parallel: SR 11-7 for traditional models, Treasury FS AI RMF for GenAI and agents.
Which financial institutions does Treasury FS AI RMF apply to?
All federally regulated US financial institutions deploying AI: national banks (OCC), state member banks and bank holding companies (Federal Reserve), state non-member banks (FDIC), and CFPB-supervised entities. Sector breadth covers commercial banking, investment banking, asset management, broker-dealers, mortgage lenders and payment processors.
How does Treasury FS AI RMF relate to NIST AI RMF?
Treasury FS AI RMF is the financial-services-specific tailoring of NIST AI RMF. It inherits the four-function structure (GOVERN, MAP, MEASURE, MANAGE) and outcome statements, adds financial-services-specific risk categories and supervisory expectations, and is expected to be enforced through supervisory examinations once SR 26-02 issues.
What evidence will supervisory examiners ask for?
Examiners typically request the AI system inventory with risk categorisations, model validation and ongoing performance records, third-party risk assessments for foundation model providers, incident records and remediation evidence, governance decisions and oversight assignments, and consumer-facing AI decision audit trails. Hael generates each of these from operational state.
See Hael generate your Treasury FS AI RMF artefacts.
A scoped four-week proof-of-value: map your AI systems to financial-services risk categories, seal your supervisory examination evidence, prepare for SR 26-02.