U.S. Treasury: AI Guide to Secure Banks
The U.S. Treasury and Its AI Initiative
The U.S. Treasury recently unveiled a series of strategic documents aimed at regulating the use of artificial intelligence in the financial sector in the United States. These documents, collectively known as the CRI Financial Services AI Risk Management Framework (FS AI RMF), aim to provide a methodical approach to identifying and managing the risks associated with AI. The framework was developed in collaboration with over 100 financial institutions and industry organizations, also benefiting from the expertise of regulators and technical bodies.
The primary goal of the FS AI RMF is to help financial institutions navigate the complex landscape of AI-related risks while enabling them to adopt these technologies in a responsible and secure manner.
A Framework Tailored to Sector Specificities
AI systems introduce unique risks that traditional technology governance frameworks do not fully cover. Among these risks are algorithmic bias, limited transparency in decision-making processes, cyber vulnerabilities, and complex dependencies between systems and data.
Large Language Models (LLMs) pose particular challenges due to the difficulty in interpreting or predicting their behavior. Unlike traditional software, which is deterministic, the results produced by AI can vary depending on the context of use.
While financial institutions are already subject to strict regulation and have general guidelines like the NIST AI Risk Management Framework, the application of these general frameworks often lacks specificity for the financial sector. The FS AI RMF thus positions itself as an extension of the NIST framework, offering sector-specific controls and practical guidelines.
The accompanying Guide explains how companies can assess their current AI maturity and implement controls to mitigate their risks. Its purpose is to promote consistent and responsible AI practices while supporting innovation in the sector.
Key Components of the Framework
The framework is structured around four main components:
- An AI Adoption Stage Questionnaire that allows organizations to determine the maturity of their AI usage.
- A Risk and Control Matrix, including a set of risk statements and control objectives aligned with the stages of adoption.
- The Guide that explains how to apply the framework, supplemented by a reference guide of control objectives providing examples of controls and supporting evidence.
- A total of 230 control objectives organized according to four functions adapted from the broader NIST framework: govern, map, measure, and manage. Each function is subdivided into categories and subcategories describing elements of risk management and governance related to AI.
Assessing AI Maturity
The AI Adoption Stage Questionnaire helps organizations evaluate their current position on the spectrum of AI usage. Some companies rely on traditional predictive models in limited applications, while others deploy AI in essential business processes or use it in customer-facing roles.
Factors assessed include the business impact of AI, governance arrangements, deployment models, the use of third-party AI providers, organizational objectives, and data sensitivity.
Based on this assessment, organizations are classified into four stages of AI adoption:
- Initial Stage: organizations with little or no operational deployment of AI. AI may be considered but is not integrated.
- Minimal Stage: limited use of AI in low-risk areas or isolated systems.
- Evolving Stage: organizations using more complex AI systems, including applications involving sensitive data or external services.
- Integrated Stage: AI plays a significant role in business operations and decision-making.
These stages help institutions focus their efforts on controls appropriate to their level of maturity. A company at an early stage does not need to implement all controls immediately, but as AI becomes more integrated, the framework introduces additional controls to address increasing risk levels.
Risk and Control
The control objectives for each stage of AI adoption cover governance and operational topics, including data quality management, monitoring for fairness and bias, cybersecurity controls, transparency in AI decision-making processes, and operational resilience.
The Guide provides examples of possible controls and types of evidence that institutions can use to demonstrate compliance. Each organization must determine which controls are best suited to them.
The framework recommends maintaining incident response procedures specific to AI systems and creating a central repository for tracking AI-related incidents; these processes help organizations detect failures and improve governance over time.
The framework incorporates principles for Trustworthy AI, defined as validity and reliability, security, privacy protection, and fairness. These principles provide a foundation for evaluating AI systems throughout their lifecycle. In simple terms, financial institutions must ensure that AI outputs are reliable, that systems are protected against cyber threats, and that decisions can be explained when they affect customers or have regulatory relevance.
Strategic Implications
For leaders of financial institutions worldwide, the FS AI RMF offers guidance for integrating AI into existing risk management frameworks. It emphasizes the need for coordination among the various business functions of the organization. Technology teams, risk managers, compliance specialists, and business units must all participate in the AI governance process.
Adopting AI without strengthening governance structures can expose institutions to operational failures, regulatory scrutiny, or reputational damage. In contrast, companies that establish clear governance processes will be more confident in deploying AI systems.
The Guide presents AI risk management as an evolving practice rather than a one-time exercise. As AI technologies develop and regulatory expectations change, institutions will need to update their governance practices and risk assessments accordingly.
For decision-makers in the financial sector, the message is that AI adoption must progress in parallel with risk governance. A structured framework like the FS AI RMF provides a common language and method for managing this evolution.