February 22, 2026

This week's release of the U.S. Treasury's Financial Services AI Risk Management Framework felt like a turning point. It is the clearest signal so far that AI risk in our sector is moving from "interesting topic" to "expected discipline."

The framework, developed with the Cyber Risk Institute and over 100 financial institutions, builds on NIST and adds financial-services specifics: vendor chains, fraud, model governance, data lifecycle. It comes with an AI lexicon for common terminology, a maturity questionnaire, and a risk and control matrix with 230 control objectives organized across four NIST functions: Govern, Map, Measure, and Manage.

Reading through it, I kept seeing the same themes we have been exploring in this series: governance sized to your reality rather than borrowed from someone else's, data quality as the prerequisite before AI, and clarity on who owns what when most AI is coming through vendors. Seeing those principles reflected in a Treasury-aligned framework is encouraging.

Where it got interesting for me was the maturity piece.

The assessment that almost lost me

Before you can download the risk and control matrix, the CRI site walks you through an Adoption Stage Questionnaire to classify your organization into one of four tiers: Initial, Minimal, Evolving, or Embedded.

The questionnaire starts at the top. Step 1 is Embedded. It presents six statements covering business impact, governance, deployment models, third-party AI use, organizational goals, and data sensitivity. If any one of those six is true for your organization, you stop. You are Embedded.

Here is one of the six: "My organization's key goals in driving AI adoption are strategic differentiation, innovation, scalability, transformative business models, and ethical business practices, in addition to operational efficiency, customer experience, safety, and regulatory compliance."

For most credit unions doing anything meaningful with AI today, at least one of those statements is going to ring true, even if all of that AI arrives through vendors: your core processor's fraud models, your digital banking provider's chatbot, your card network's transaction monitoring. Check yes on one, and the questionnaire says: stop, you are Embedded.

My first reaction was that the assessment was not useful.

Then I opened the full RCM

The risk and control matrix itself tells a very different story. Each of the 230 control objectives has adoption stage indicators and detailed implementation guidance that distinguishes what Minimal, Evolving, and Embedded actually look like in practice for that specific control.

When I started reading through the individual control areas (governance and roles, data lifecycle, vendor oversight, human oversight, incident readiness, decommissioning), it became clear that answering those questions area by area would produce a much more honest picture than a single enterprise-wide label.

A single tier flattens all of that into one label, and that label is going to be the one boards, examiners, and leadership teams anchor to.

The direction I am heading

I am still working through the full RCM. 230 control objectives across four functions is not a weekend exercise. But the direction my thinking is moving is to assess adoption stage by domain rather than as a single score.

Mentally, I have been sketching it across two dimensions:

- By control domain: governance and roles, data and model lifecycle, vendor and third-party AI, human oversight and escalation, incident readiness

- By AI use-case family: fraud and financial crime, lending and credit decisioning, member-facing automation and GenAI, operations and back-office

That kind of grid starts to surface patterns that feel much closer to reality. It makes conversations with leadership and boards more specific: here is where we are strong, here is where we have gaps, here is what we should resource next.

Earlier in this series, we talked about three governance controls any credit union can start with: an AI use-case inventory, shared responsibility documentation, and a high-stakes decision review process. The FS AI RMF gives those controls a formal home and a structure to grow into. But only if we resist the temptation to reduce a rich framework down to a single label.

What I am still learning

Transparently, I have not fully pulled apart the entire matrix yet. That will be the work of the next few weeks. What I can share is that sitting with this framework has already influenced how I think about where our governance is genuinely mature versus where it just looks mature because adjacent enterprise practices happen to exist.

If you are looking at the FS AI RMF and feeling either overwhelmed by the scope or underwhelmed by the questionnaire, I would encourage you to skip past the initial assessment and go straight into the control objectives. The real value is in the details.

Question

For those starting to explore the new FS AI RMF and the CRI risk and control matrix: when you think about AI maturity inside your institution, does a single adoption tier capture your reality, or do you see a more varied picture across different AI use cases and governance areas? What is your experience with trying to make these assessments practical?

Sources

Treasury Releases Two New Resources to Guide AI Use in the ... https://home.treasury.gov/news/press-releases/sb0401

US Treasury Department offers secure AI advice to financial services ... https://www.cybersecuritydive.com/news/treasury-department-ai-security-guidance-financial-services/812700/

AIEOG AI Deliverables - FSSCC https://fsscc.org/AIEOG-AI-deliverables/

Financial Services AI Risk Management Framework https://cyberriskinstitute.org/artificial-intelligence-risk-management/