AI Regulation Tracker / United States
US Treasury Issues a Voluntary AI Risk Framework and Lexicon for the Financial Sector
On February 19, 2026, the US Treasury released two resources to guide how the financial sector uses AI: a shared AI Lexicon and the Financial Services AI Risk Management Framework. Both are voluntary guidance, not a rule, and neither changes a legal duty. Here is what CPAs, RIAs, and finance teams should take from them.
On February 19, 2026, the Treasury Department put out two resources aimed at how banks and financial firms build and govern AI. The first is a shared Artificial Intelligence Lexicon, a common set of definitions for AI concepts, capabilities, and risk categories. The second is the Financial Services AI Risk Management Framework, the FS AI RMF, which takes the National Institute of Standards and Technology's AI Risk Management Framework and adapts it to the realities of financial services. Both were released in support of the President's AI Action Plan, and both came out of a public-private process run through the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordinating Council's AI Executive Oversight Group.
Derek Theurer, performing the duties of Deputy Secretary of the Treasury, framed the point plainly. "Implementing the President's AI Action Plan requires more than aspirational statements, it requires practical resources," he said, adding that "creating a common language for AI and a tailored risk framework will help protect consumers while supporting innovation." That is the whole idea. Give the sector a shared vocabulary and a workable governance model, and let institutions apply it.
What Treasury actually released
Start with the Lexicon, because it does more work than it looks like it does. When a regulator, a technology vendor, a compliance officer, and a general counsel all use the word "model" or "explainability" to mean slightly different things, governance falls apart at the seams. The Lexicon sets common definitions for key AI concepts, capabilities, and risk categories so that regulatory, technical, legal, and business teams can actually talk to each other. That kind of shared language is what makes consistent supervision and consistent internal controls possible in the first place.
The FS AI RMF is the heavier document. It adapts the NIST AI Risk Management Framework, which is itself voluntary, into something built for financial services. It gives institutions practical tools and reference material to evaluate AI use cases, manage risk across the full AI lifecycle, and build accountability, transparency, and resilience into the decision to deploy a model. In its detail, the framework sets out roughly 230 control objectives mapped to different stages of AI adoption, so a firm just starting out and a firm running AI in production are not held to the same checklist.
None of this arrives as a rule. It is guidance and reference material. The control objectives are things the framework recommends and offers as a structure, not obligations imposed by law. A financial institution that ignores the FS AI RMF has not broken a Treasury regulation, because there is no Treasury regulation here to break.
Voluntary framework, not a rule
I want to be precise, because it is easy to see "Treasury" and "framework" in the same sentence and assume something became mandatory. Nothing did.
These are resources meant to guide AI use, developed jointly with the industry through a coordinating council, adapting a framework that was voluntary to begin with. They impose no filing duty, no examination standard, and no disclosure requirement. No CPA, RIA, or finance team took on a new legal obligation on February 19 because these documents went out. What the framework asks of institutions, it asks by recommendation, not by law.
That said, voluntary is not the same as ignorable. When the federal department that sits over the financial system publishes a common vocabulary and a tailored governance framework, that becomes the reference point everyone else reaches for. Bank examiners, auditors, counterparties, and eventually your own board will start asking whether your AI governance lines up with it. This is the baseline you get measured against long before anything like it is ever written into a binding rule. Treating it as a floor now is a good deal cheaper than being told to retrofit to it later.
What this means for CPAs and finance teams
This is a US federal framework for the financial sector, which puts it squarely in the path of TLY's core audience. If you are a CPA advising financial clients, a financial advisor or RIA using AI in your practice, or a finance leader deploying models inside a regulated institution, the FS AI RMF and the Lexicon are the language and the structure your work will be judged against.
The practical move is to adopt the vocabulary first. Use the Lexicon's terms in your own AI policies, model inventories, and vendor questionnaires so that when a regulator or an auditor asks about a "high-risk use case" or "model governance," you are already speaking their dialect. Then map your existing AI controls against the FS AI RMF's lifecycle structure and its control objectives. You are not obligated to hit all 230, and the framework itself scales them to your stage of adoption, but the gaps you find are exactly the questions a sharp examiner or an audit committee will ask.
The through-line is governance, and it is the same discipline that keeps AI-assisted work defensible in any setting: know where your data came from, know who reviewed the model output, keep a named person accountable for every AI-assisted decision, and be able to show your work. The FS AI RMF does not force you to build those controls. It tells you, in a federal voice, what good ones look like.
What to do now
Read the two documents for what they are, guidance rather than a rule, and do not let anyone in your shop describe them as a new mandate. Pull the Lexicon into your AI policy language so your definitions match the federal ones. Run your current AI use cases against the FS AI RMF lifecycle and note where you have no control, no owner, or no documentation. Keep a named person accountable for every model that touches a client decision, a filing, or a number that leaves the building. And if you change a control or a disclosure, base that change on your own applicable standards, your regulator, and your auditor's advice, not on the assumption that this framework requires it, because it does not.
Questions professionals are asking
Did Treasury make an AI rule for banks?
No. Treasury released two voluntary resources on February 19, 2026: an AI Lexicon and the Financial Services AI Risk Management Framework. They are guidance and reference material developed with the industry. They do not create, change, or remove any rule, filing requirement, examination standard, or legal duty.
What are the two resources?
A shared Artificial Intelligence Lexicon that sets common definitions for AI concepts, capabilities, and risk categories, and the Financial Services AI Risk Management Framework, or FS AI RMF, which adapts the voluntary NIST AI Risk Management Framework to financial services and sets out roughly 230 control objectives mapped to different stages of AI adoption.
Does this affect US CPAs, RIAs, and financial advisors?
Yes, as guidance. This is a US federal framework for the financial sector, so it is directly relevant to CPAs advising financial clients, RIAs and advisors using AI, and finance leaders inside regulated institutions. It binds no one today, but it is the vocabulary and governance structure examiners, auditors, and boards will increasingly measure your AI work against.
Is the FS AI RMF mandatory?
No. It is voluntary. It adapts a framework, NIST's AI RMF, that was itself voluntary, and it was built through a public-private coordinating council. Its control objectives are recommendations and a structure, not obligations imposed by law. Ignoring it does not violate a Treasury regulation, because there is no binding regulation here.
Should we change our AI governance because of this?
Adopt the Lexicon's language and map your controls against the framework, since that is low cost and puts you ahead of scrutiny. But any change to a control or a disclosure should rest on your own applicable standards, your regulator, and your auditor's advice, not on the assumption that this framework requires it.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal, accounting, or audit advice. Confirm how any framework or requirement applies to your situation with qualified professionals in the relevant jurisdiction.