The Sector-Specific AI Framework Most Organizations Don't Know Applies to Them
NIST AI RMF is intentionally generic, designed to be tailored by sector. In the past 12 months, regulators and industry groups have produced sector-specific overlays that translate the generic framework into measurable controls: the Financial Services AI Risk Management Framework (Treasury and Cyber Risk Institute, February 2026, 230 control objectives), the HHS AI Strategy for healthcare (December 2025, risk management practices required by April 3, 2026), and the DOE AI Strategy for energy and critical infrastructure (October 2025). Most organizations setting up AI governance default to NIST AI RMF without asking whether a sector overlay applies. For regulated sectors, the overlay is the framework auditors and regulators will compare against, not the generic baseline.
Last week I was on a call with a banking client. They wanted to scope an AI governance gap assessment. They had done their homework. They knew about the NIST AI Risk Management Framework, they had read the Govern, Map, Measure, Manage functions, and they were thinking about how to map their existing controls against it.
What they did not know, and what most of the people in their seat do not know, is that the U.S. Treasury Department and the Cyber Risk Institute jointly published a sector-specific AI risk management framework for financial services two months earlier. The Financial Services AI Risk Management Framework was released on February 19, 2026: 230 Control Objectives, structurally aligned with NIST AI RMF, developed with input from over 100 financial institutions. It is non-binding industry-led guidance rather than a regulation, but for a U.S. financial services firm it is the document examiners, internal auditors, and counterparty risk teams will compare against when they ask how the institution is governing AI.
The bank had not heard of it. They were not behind on AI governance. They were preparing to do the right thing using the wrong reference document.
It’s common to find capable teams in this position. Most organizations setting up AI governance reach for NIST AI RMF because NIST AI RMF is the framework that has name recognition outside the AI policy community. The sector overlays, which translate NIST AI RMF into measurable controls for finance, healthcare, energy, and critical infrastructure, are newer, less publicized, and easy to miss if you are not in the regulatory circles where they get distributed.
This post walks the four sector overlays that exist as of May 2026, what each one covers, and what to do if you have already started AI governance work against NIST AI RMF alone.
Why Sector Overlays Exist
One scope note. Whether NIST AI RMF is the right baseline for your organization in the first place is a separate question, addressed at the end of this post. The sections that follow assume NIST AI RMF is your chosen baseline and focus on identifying which sector overlay applies.
NIST AI RMF is intentionally generic. The framework was designed to be tailored. Its own documentation refers to “profiles” that adapt the core functions to specific use cases, sectors, and risk environments. NIST publishes the floor. Sectors are expected to build the walls.
In practice, that means the NIST AI RMF Govern function tells you to “establish, implement, and maintain organizational policies and procedures for the responsible development and use of AI.” It does not tell a bank what those policies should require for model risk management of credit-decisioning AI, or what model validation cadence is appropriate, or how to handle adverse action notices when an AI system contributes to a decline. Those answers live in the sector overlay, where the regulators, examiners, and industry experts who actually understand the sector translate the generic guidance into specifics.
Without the sector overlay, you can be fully compliant with NIST AI RMF and still fail an examination. The examiner is not asking whether you implemented NIST AI RMF. The examiner is asking whether you implemented the sector framework that interprets NIST AI RMF for your industry.
The Four Overlays Available Now
Finance: Financial Services AI Risk Management Framework (FS AI RMF)
Released: February 19, 2026 Publisher: U.S. Department of the Treasury and the Cyber Risk Institute Structure: 230 Control Objectives, structurally aligned with NIST AI RMF Components: AI Adoption Stage Questionnaire, Risk and Control Matrix, Implementation Guidebook, Control Objective Reference Guide
The FS AI RMF is the most mature sector overlay published to date. It was developed through public-private collaboration with more than 100 financial institutions and input from U.S. and international agencies, including NIST. Treasury was clear that the framework is non-binding, but it is the document that examiners, internal auditors, and third-party risk teams in financial services will use as the reference standard for “reasonable” AI governance.
The structure matters. Organizations using the framework start with the AI Adoption Stage Questionnaire to classify their current AI maturity, then apply the Risk and Control Matrix to identify which Control Objectives are relevant for their stage. It is designed as a structured implementation path rather than a checklist, which means it works as well for a community bank starting with a single chatbot as it does for a money center bank running thousands of AI use cases.
If you work in financial services and are doing AI governance against NIST AI RMF alone, the FS AI RMF is what you should be doing the work against.
Healthcare: HHS AI Strategy
Released: December 2025 Publisher: U.S. Department of Health and Human Services Scope: All HHS divisions; sector-wide expectation Deadline: Risk management practices for high-impact AI required by April 3, 2026
The HHS AI Strategy is a five-pillar framework establishing department-wide expectations for AI use in healthcare and human services. It commits HHS divisions to apply risk management practices to high-impact AI by April 3, 2026, with minimum practices covering bias mitigation, outcome monitoring, security, and human oversight.
The strategy is not a controls framework in the way the FS AI RMF is. It is closer to a directive that establishes the principles and required practices, and it coordinates work across FDA, CMS, and HHS more broadly. For healthcare organizations using AI for clinical decision support, claims adjudication, or patient communication, this is the sector-level expectation that will shape examiner and accreditor expectations going forward.
The April 3, 2026 deadline has now passed. Organizations not aligned should expect questions during their next audit or examination cycle.
Energy and Critical Infrastructure: DOE AI Strategy
Released: October 2025 Publisher: U.S. Department of Energy Scope: Energy sector, critical infrastructure use cases
The Department of Energy’s AI Strategy is less prescriptive than the financial and healthcare counterparts. It is closer to a roadmap than a controls framework, but it identifies the AI use cases the sector is prioritizing (grid stability, permitting automation, critical infrastructure security) and signals where future regulatory expectations will land.
For energy companies, critical infrastructure operators, and the IT/OT vendors that serve them, the DOE strategy is the early indicator of what AI governance expectations will look like for the sector. It is also a reminder that the AI risk landscape in operational technology environments is materially different from enterprise AI use cases, and that overlays applicable to one will not be sufficient for the other.
Cross-Sector: NIST IR 8596 Cyber AI Profile
Released: December 2025 (draft) Publisher: NIST Scope: Cross-sector; applicable to any organization aligned to CSF 2.0
NIST Interagency Report 8596, known informally as the Cyber AI Profile, bridges the NIST Cybersecurity Framework 2.0 and the NIST AI RMF. It addresses two related risk surfaces: cybersecurity risks arising from AI use (model inversion, prompt injection, supply chain compromise of AI tooling) and AI risks arising from cybersecurity tooling (AI-augmented detection, automated response, AI in incident triage).
The Cyber AI Profile is technically a cross-sector overlay rather than sector-specific. It is the document that connects two frameworks most organizations are already implementing, and it fills a gap that neither CSF 2.0 nor AI RMF individually addresses. For any organization with mature CSF 2.0 alignment that is adding AI governance work, this is the document that explains how the two programs should integrate rather than run in parallel.
What To Do If You’ve Started Against NIST AI RMF Alone
If you have already invested in NIST AI RMF work, none of it is wasted. The sector overlays are structurally aligned with NIST AI RMF. The Govern, Map, Measure, Manage functions remain the underlying methodology. What changes is the level of specificity in the controls.
A practical path forward:
-
Identify your applicable overlay. Financial services maps to FS AI RMF. Healthcare maps to HHS AI Strategy. Energy and critical infrastructure map to DOE AI Strategy. Organizations with mature CSF 2.0 alignment should layer NIST IR 8596 across whatever sector overlay applies.
-
Re-baseline your gap assessment. Existing work against NIST AI RMF maps to the sector overlay, but the overlay will add specificity that the NIST AI RMF gap assessment did not produce. Plan a delta review against the sector framework’s controls.
-
Update your governance documentation. Policies, procedures, and risk register entries written against generic NIST AI RMF language should be revised to reference the sector framework. This matters for examination readiness, because examiners want to see that the organization knows which framework applies to them.
-
Make this a recurring question. As more sector overlays publish (we expect education, transportation, and additional critical infrastructure subsectors to follow in the next 12 months), the answer to “which framework applies to us?” will change. AI governance is a continuing alignment exercise rather than a one-time framework selection.
Why This Pattern Will Get Worse Before It Gets Better
The gap between what organizations are doing for AI governance and what the applicable sector framework actually requires is not going to close on its own. New sector frameworks are publishing faster than the security and compliance press is covering them. The Treasury announcement of the FS AI RMF received financial-services trade press coverage but limited mainstream attention. The HHS AI Strategy got coverage in healthcare publications. The DOE AI Strategy got narrow coverage in energy and critical infrastructure outlets. None of these landed in the broad-circulation IT and security publications that most enterprise security teams actually read.
The result is exactly what I encountered on the banking call: capable, well-informed teams scoping AI governance against the wrong reference document, because the right one was published in a venue they do not monitor.
If you are setting up AI governance, the first question is not “NIST or ISO?” The first question is who your stakeholders are (clients, internal teams, boards, examiners, counterparties, supply-chain partners) and what each one expects you to demonstrate. Stakeholder expectations drive the framework choice. ISO 42001 carries weight for organizations with international customers or that need a certifiable track. NIST AI RMF is more common for US-centric organizations, federal contracting paths, and regulated sectors. If NIST is the answer, the next question is which sector overlay interprets it for your industry. The gap to close before any other gap is knowing who you owe answers to, in what form, and where the framework that supports those answers lives.
Genesis Solutions delivers AI governance gap assessments against NIST AI RMF, EU AI Act, ISO 42001, and the sector-specific frameworks above. We track sector overlays as they publish and integrate them into engagement scoping. If your organization is doing AI governance work and wants confidence that the framework selection is current, contact us to scope an engagement.
References
- Treasury Releases Two New Resources to Guide AI Use in the Financial Sector, U.S. Department of the Treasury
- Financial Services AI Risk Management Framework, Cyber Risk Institute
- HHS Releases Strategy Positioning Artificial Intelligence as the Core of Health Innovation, Holland & Knight (analysis)
- US Energy Dept Flags AI, Cyber Gaps as Top Risks for 2026, GovInfoSecurity
- NIST Interagency Report 8596 (Cyber AI Profile, December 2025 draft), National Institute of Standards and Technology
Frequently asked
- What is the Financial Services AI Risk Management Framework (FS AI RMF)?
- The FS AI RMF is a sector-specific AI governance framework published by the U.S. Department of the Treasury and the Cyber Risk Institute on February 19, 2026. It is structurally aligned with the NIST AI RMF and adds 230 Control Objectives tailored to financial services. It includes an AI Adoption Stage Questionnaire, a Risk and Control Matrix, an implementation Guidebook, and a Control Objective Reference Guide. It was developed with input from over 100 financial institutions and is intended as a structured implementation path rather than a compliance checklist.
- Is the FS AI RMF mandatory?
- The FS AI RMF is non-binding guidance. It is not a regulation. However, sector-specific guidance from Treasury and industry-led frameworks like this are commonly adopted by examiners, auditors, and counterparty risk teams as the benchmark for what 'reasonable' AI governance looks like in financial services. Organizations that align voluntarily reduce the burden of demonstrating governance maturity during examinations and due diligence.
- What is the HHS AI Strategy for healthcare?
- The HHS AI Strategy, released in December 2025, is a department-wide framework for AI use in healthcare and human services. It commits all HHS divisions to apply risk management practices to high-impact AI by April 3, 2026, with minimum practices covering bias mitigation, outcome monitoring, security, and human oversight. It operates as a sector overlay above NIST AI RMF for healthcare-specific risks.
- Should we use NIST AI RMF or our sector-specific framework?
- Use both. NIST AI RMF provides the underlying risk management methodology and the four-function structure (Govern, Map, Measure, Manage). Sector-specific frameworks provide the controls, terminology, and risk categories your regulators and counterparties will actually compare against. The sector framework references back to NIST AI RMF, so alignment is mutually reinforcing rather than additive work.
- What is NIST IR 8596 (the Cyber AI Profile)?
- NIST Interagency Report 8596, known as the Cyber AI Profile, is a draft NIST document (released December 2025) that bridges the NIST Cybersecurity Framework 2.0 and the NIST AI RMF. It addresses how organizations should manage cybersecurity risks arising from AI use, and AI risks arising from cybersecurity tooling. It functions as a cross-sector overlay applicable to any organization already aligned to CSF 2.0.