Adoption stages determine when a control objective becomes applicable to your institution.
Initial: the absolute baseline, required regardless of AI maturity.
Minimal: structured risk management with documented policies.
Evolving: AI integrated into operational risk frameworks with advanced testing.
Embedded: AI woven into critical business functions; every control applies. Target state.
Partial view. This tool currently maps ~50 of the framework's 230 control objectives. The full Embedded-stage framework is available in the CRI Risk and Control Matrix. Expansion to all 230 objectives is in progress.
Verified accurate as of May 20, 2026.
Primary source. CRI Financial Services AI Risk Management Framework v1.0 (February 19, 2026), developed by the Cyber Risk Institute in coordination with 108 financial institutions, the Financial Services Sector Coordinating Council (FSSCC), and published with oversight from the U.S. Department of the Treasury. The full Risk and Control Matrix, Guidebook, and Control Objective Reference Guide are available at cyberriskinstitute.org.
Cross-framework mappings synthesized from: CRI Risk and Control Matrix (RCM) v1.0; KPMG, Deconstructing the Cyber Risk Institute FS AI RMF (2026); FTI Consulting, Banking's AI Rulebook: Turning the Treasury Framework Into Action (March 2026); Lowenstein Sandler LLP, Operationalizing the 230 Control Objectives Before the Market Wakes Up (February 2026); NIST AI RMF 1.0 Playbook and AI 600-1 Generative AI Profile; Federal Reserve SR 26-2 (April 17, 2026); Davis Polk, Sullivan & Cromwell, and Domino.ai analyses of SR 26-2; Norton Rose Fulbright, Davis+Gilbert, and DLA Piper analyses of Colorado SB 26-189; Morgan Lewis CFPB Guidance Tracker; Bank of England PRA SS1/23 and LIAF01/26; OSFI Guideline E-23; MAS MindForge AI Risk Toolkit; Cloud Security Alliance AI Controls Matrix v1.0.
Audit. Framework descriptions, regulatory status, and cross-mappings independently verified via comprehensive regulatory audit on May 20, 2026, cross-referencing 61 primary sources across federal, state, EU, UK, Singaporean, Canadian, and international regulatory bodies.
Limitations. This tool maps ~50 of the framework's 230 control objectives. Control objective IDs, names, and descriptions are reconstructed from public commentary on the RCM and may differ in minor respects from the official source document. Cross-framework mappings to SR 26-2 are analytical translations from the superseded SR 11-7 structure. This reference is provided for educational and professional development purposes and does not constitute legal or compliance advice.
Prepared by Invictera LLC. For corrections or updates: hello@invictera.com
Primary source. CRI Financial Services AI Risk Management Framework v1.0 (February 19, 2026), developed by the Cyber Risk Institute in coordination with 108 financial institutions, the Financial Services Sector Coordinating Council (FSSCC), and published with oversight from the U.S. Department of the Treasury. The full Risk and Control Matrix, Guidebook, and Control Objective Reference Guide are available at cyberriskinstitute.org.
Cross-framework mappings synthesized from: CRI Risk and Control Matrix (RCM) v1.0; KPMG, Deconstructing the Cyber Risk Institute FS AI RMF (2026); FTI Consulting, Banking's AI Rulebook: Turning the Treasury Framework Into Action (March 2026); Lowenstein Sandler LLP, Operationalizing the 230 Control Objectives Before the Market Wakes Up (February 2026); NIST AI RMF 1.0 Playbook and AI 600-1 Generative AI Profile; Federal Reserve SR 26-2 (April 17, 2026); Davis Polk, Sullivan & Cromwell, and Domino.ai analyses of SR 26-2; Norton Rose Fulbright, Davis+Gilbert, and DLA Piper analyses of Colorado SB 26-189; Morgan Lewis CFPB Guidance Tracker; Bank of England PRA SS1/23 and LIAF01/26; OSFI Guideline E-23; MAS MindForge AI Risk Toolkit; Cloud Security Alliance AI Controls Matrix v1.0.
Audit. Framework descriptions, regulatory status, and cross-mappings independently verified via comprehensive regulatory audit on May 20, 2026, cross-referencing 61 primary sources across federal, state, EU, UK, Singaporean, Canadian, and international regulatory bodies.
Limitations. This tool maps ~50 of the framework's 230 control objectives. Control objective IDs, names, and descriptions are reconstructed from public commentary on the RCM and may differ in minor respects from the official source document. Cross-framework mappings to SR 26-2 are analytical translations from the superseded SR 11-7 structure. This reference is provided for educational and professional development purposes and does not constitute legal or compliance advice.
Prepared by Invictera LLC. For corrections or updates: hello@invictera.com