United States: NIST, Treasury & State Laws

Federal innovation policy meets state-by-state regulation — creating the most fragmented AI governance landscape in the world.

The Federal Paradox

The Trump administration revoked the Biden-era Executive Order 14110 and issued new directives emphasising innovation and minimal regulatory burden. Yet financial services regulators — the OCC, Federal Reserve, FDIC, and SEC — retain full authority over AI deployment within their regulated institutions. States are filling the federal vacuum with their own legislation, creating a patchwork of obligations that is more complex to navigate than a single comprehensive federal framework would be.

The absence of comprehensive federal AI legislation does not mean the absence of AI regulation. For financial institutions, the regulatory obligations are substantial — they are simply fragmented across multiple authorities and jurisdictions.

NIST AI Risk Management Framework 1.0

Published in January 2023, the NIST AI RMF establishes a voluntary framework organised around four core functions:

Govern

Establish and maintain organisational AI risk management policies, processes, procedures, and practices. Cultivate a risk-aware culture.

Map

Identify and categorise AI risks based on context, intended use, and potential impact. Understand the AI system's operating environment.

Measure

Employ quantitative and qualitative methods to analyse, assess, and track identified AI risks. Benchmark against established metrics.

Manage

Allocate resources and implement plans to respond to, recover from, and communicate about AI risks on a regular and prioritised basis.

While voluntary, the NIST AI RMF has become the de facto standard for AI governance in the US. Critically, it provides safe harbor protections under certain state laws — making adoption a strategic decision, not merely a best-practice exercise.

Treasury Financial Services AI RMF

The Treasury Department's financial services-specific AI risk management framework bridges the gap between the NIST AI RMF and existing financial regulatory expectations. With 230 control objectives, it provides a detailed mapping of AI governance requirements to the specific context of banking, insurance, and capital markets.

For financial institutions already subject to OCC, Federal Reserve, and FDIC oversight, the Treasury framework translates general AI risk principles into the language and structure of financial regulation — making it the most practical starting point for compliance programme design.

SR 11-7 and Agentic AI

The Federal Reserve's SR 11-7 (Guidance on Model Risk Management) has long been the baseline for how banks manage model risk. The challenge in 2026 is applying this framework to agentic AI systems that do not fit the traditional definition of a "model."

Agentic AI systems should be treated as having equivalent or greater model risk than traditional models. They make autonomous decisions, interact with external systems, and can trigger cascading effects that no traditional model validation framework was designed to assess.

Financial institutions must decide whether to extend SR 11-7 to cover agentic systems, develop parallel governance frameworks, or adopt an integrated approach. Corvair's architecture supports all three strategies while maintaining a single source of governance truth.

Colorado AI Act

The Colorado AI Act, effective February 15, 2026, is the most significant state-level AI regulation in the United States. It establishes concrete obligations for deployers of high-risk AI systems.

Core Requirements

NIST Safe Harbor

The Colorado AI Act includes a significant safe harbor provision: deployers who can demonstrate compliance with the NIST AI RMF or a substantially equivalent framework receive an affirmative defence against enforcement actions. This makes NIST alignment not just a best practice but a legally strategic decision for institutions operating in Colorado.

Federal Agency Positions

Beyond the primary frameworks, several federal agencies have issued AI-specific guidance relevant to financial services:

Navigate US AI Regulation

Understand how federal frameworks, state laws, and agency guidance apply to your institution's AI deployments.