Trustworthy AI in Critical Infrastructure, read through a financial services lens
A working map of the profile and where the financial sector already has field-proven answers. Built to think clearly about two feedback points: how deterministic guardrails work in high-speed automated systems, and how executives can map existing model-risk governance onto the profile.
16 critical infrastructure sectorsFinancial Services = Sector 912 PracticesFeedback open to mid-August 2026
What this profile is
A one-paragraph orientation, then straight to the substance.
The NIST AI Risk Management Framework (AI RMF 1.0, 2023) is the voluntary framework that regulators, auditors, and procurement offices increasingly treat as the baseline for "did you manage AI risk properly." A Profile customizes that framework for a context. This one applies it to the 16 DHS/CISA critical infrastructure sectors. It is being built now, in the open, through a Community of Interest, and the people who shape it early shape what supervisors reference years from now. Financial services is one of those 16 sectors, and it carries the most mature model-governance regime already in existence. That is the source of the two contributions below.
The 12 Practices
Each Practice breaks into Tasks, and each Task into Implementations. The highlighted ones are where the financial sector has the most transferable experience.
PRACTICE 1Establish requirements for success
PRACTICE 2Robustness, resilience, and quality of service
PRACTICE 3Risks, policies, and oversight for automated / agentic behavior
PRACTICE 4Emergency avoidance override, recovery, situational awareness
PRACTICE 5Identity and access management for AI agents
PRACTICE 6External AI supply chain / third-party risk
PRACTICE 7Internal AI supply chain and data provenance
PRACTICE 8AI-aware incident analysis and response
PRACTICE 9Calibrated, needs-based AI risk training
PRACTICE 10Multi-tiered AI system logging and audit
PRACTICE 11AI-aware mission continuity and disaster recovery
PRACTICE 12Validating AI-generated artifacts
1Deterministic guardrails, where markets are a decade ahead
Practice 3 → Task 3.2 → the three implementations. The draft illustrates these with a water flow-rate example. Financial markets run the identical pattern at machine speed.
Practice 3
Define risks, policies, and oversight for automated AI and agentic behavior
Task 3.2
Implement independent guardrails ("safety wrappers") for AI outputs
Implementation · draft language on the left, financial-sector analog on the right
3.2.1 — Identify AI output intercept pointsWhere can monitoring and controls sit? The draft's example: an AI recommending a flow rate can be intercepted at the setpoint interface, the local controller, or the emergency shutoff.
FinServ analogAn automated order can be intercepted at the strategy engine, the broker's risk gateway, and the exchange matching engine. Same idea: multiple intercept points, chosen by consequence.
3.2.2 — Define deterministic operational constraintsBoundaries enforced independent of the AI's internal logic, at the physical process boundary, regardless of the model's confidence: in/out-of-range values, rate-of-change limits, hard logical constraints. The draft has no worked example here yet.
FinServ analog: SEC Rule 15c3-5The Market Access Rule (effective 2011) requires the broker to enforce hard price and size limits before an order reaches the exchange, independent of the model that generated it. The order gateway is the "physical process boundary."
3.2.3 — Specify fail-safe states and fallback behaviorWhen a boundary is hit, the system must fall into a defined safe state rather than continue.
FinServ analog: circuit breakersLimit Up-Limit Down and market-wide halts are deterministic, model-agnostic halts triggered by rate-of-change and range violations. The safe state is "stop trading," not "keep going."
Feedback: add a financial-markets example to Implementation 3.2.2 (which currently has none), and let the trading-halt example extend into 3.2.3. It shows the same deterministic-boundary pattern working in a high-speed, fully digital sector with no operational technology at all, which is exactly the evidence that the pattern generalizes beyond physical-process infrastructure.
2The rule the profile is missing: review speed versus action speed
NIST's own to-do list flags this and asks whether it deserves its own task. The financial sector already answered the question by force.
When review is faster than action
Human-in-the-loop is meaningful. A person can inspect and approve before the consequential action executes. Loan origination, onboarding, suitability review.
When action is faster than review
Human pre-approval becomes nominal, then impossible. Once trading crossed sub-second speeds, the entire apparatus shifted to pre-boundary deterministic limits plus after-the-fact surveillance.
The generalizable rule for any sector: when action velocity exceeds feasible human review latency, oversight has to be redesigned from "a human approves each action" to "a deterministic boundary constrains every action, and humans audit after." Stated as a named task, cross-referenced from Practices 3, 4, and 9, it gives every sector a decision rule instead of an aspiration.
3Executive translation: extend the regime you already run
NIST names this an open design area, and asks for regulatory references that help leadership map governance and compliance obligations onto the practices. The financial answer is not "build an AI governance office." It is "extend model risk management."
The reference is SR 11-7, the Federal Reserve and OCC guidance on model risk management (OCC Bulletin 2011-12). It predates AI governance by over a decade and already defines accountable ownership, independent validation, an enterprise model inventory, and lifecycle controls. It maps onto the profile cleanly:
SR 11-7 conceptual soundness review: an independent validator checks whether the model's objective actually matches business intent
→
Practice 1 and its open item "understanding what the system is actually optimizing for." The sector already funds a function whose job is that objective-versus-intent gap.
SR 11-7 model inventory and lifecycle documentation
→
Practice 7 internal AI supply chain and data provenance
SR 11-7 ongoing monitoring and outcomes analysis
→
Practice 10 multi-tiered logging and audit
Feedback: give the executive-translation layer a short "map to your existing governance regime" pattern: route these practices through the model-risk, ownership, and validation structures leadership already runs, rather than standing up a separate AI silo. For sectors with no SR 11-7 equivalent, name the transferable elements: accountable owner per system, independent validation of objective versus intent, an enterprise inventory, and lifecycle monitoring.
The two points, in one breath
Point 1 — Practice 3 / Task 3.2 / Implementation 3.2.2
Cite the financial-markets deterministic-boundary model (SEC 15c3-5 pre-trade limits, exchange circuit breakers) as a cross-sector example, and promote "review versus action velocity" to its own task. A regulated sector already concluded oversight must move from in-the-loop to on-the-boundary once action outpaces review.
Point 2 — Strategic Governance open design area
Show executives how to extend an existing model-risk regime (SR 11-7) onto the practices, mapped concretely to Practices 1, 7, and 10, rather than build a parallel AI governance structure.