AI Governance for Financial Services: The 4-Tier NIST AI RMF
The NIST AI Risk Management Framework (AI RMF) is the de-facto US standard for AI governance. This article explains how to implement it for financial-services AI agents, using the 4-tier model I developed at Neul Labs, applied at a UK fintech and presented to the FCA sandbox.
The NIST AI RMF in one paragraph
The NIST AI RMF has four functions: Govern (establish culture and accountability), Map (identify AI systems and their context), Measure (assess risks), Manage (respond to risks). The framework is voluntary in the US but is becoming the baseline for financial-services AI governance globally.
The 4-tier Agentic Profile
The standard NIST AI RMF does not address AI agents specifically. The 4-tier Agentic Profile I developed extends it:
| Tier | Agent capability | NIST functions | EU AI Act mapping |
|---|---|---|---|
| T0 | Read-only (no actions) | Map | Below threshold |
| T1 | Advise (human approves) | Map + Measure | Below threshold |
| T2 | Act under supervision (reversible) | All four, elevated | Limited risk |
| T3 | Act autonomously (audited after) | All four, highest | High-risk |
The implementation: Regulus
Regulus is the implementation of this profile. It is an EU + UK compliance plane for Google ADK (Agent Development Kit) with:
- 6 plugins (one per governance area: risk, data, model, deployment, monitoring, incident)
- 10 regulations (EU AI Act, GDPR, DORA, NIS2, EHDS, UK GDPR, FCA SYSC, PRA SS1/23, PRA SS2/21, NHS DSPT)
- 6 governance frameworks (NIST AI RMF, ISO/IEC 42001, 23894, 23053)
- 4 GRC adapters (ServiceNow IRM, OneTrust, MetricStream, custom)
- Vertex AI Agent Engine deploy in 60 seconds
Regulus was open-sourced by Neul Labs and Skelf Research, not at any employer.
How to apply this to your bank/insurer/asset manager
-
Classify your AI systems: go through every AI system and classify it T0-T3. Most will be T0 or T1. Some will be T2. Few will be T3.
-
Apply the right controls: for each tier, apply the corresponding NIST AI RMF functions and the regulatory requirements. T0 needs minimal governance. T3 needs the full EU AI Act high-risk system package.
-
Build the audit trail: every action is logged with identity, timestamp, parameters, and model reasoning. This is the evidence you show the regulator.
-
Deploy Regulus (or equivalent): the compliance plane automates the governance checks. Instead of manual review for every agent action, the runtime enforces the policy.
What I learned in production
In my most recent role as Principal AI Architect at a UK fintech, I built an internal agentic AI platform and presented agent guardrails to the FCA sandbox. The open-source frameworks below were developed at Neul Labs and Skelf Research:
- Regulus (the compliance plane)
- The 4-tier NIST AI RMF Agentic Profile
- The Tiered Governance Model
- Production agent systems with the Substrate Pattern and Defence in Depth
The biggest lesson: compliance is not a blocker. It is a feature. The banks that won the AI race in 2025-2026 were the ones that built compliance into the runtime from day one, not the ones that bolted it on after launch.
— Dipankar Sarkar, Founder of Neul Labs
Related Articles
AI Agent Safety Governance: An Engineer's Playbook
The practical playbook for AI agent safety governance. Threat model, runtime policy, prompt injection defense, audit, red-team, and the tooling matrix.
Harmony Protocol in Rust: Parsing OpenAI's GPT-OSS Response Format
A deep dive into implementing OpenAI's Harmony response format in Rust. Channel semantics, streaming, comparison with ChatML, and the Rust implementation.
Rust for AI Agent Infrastructure: A Field Guide for Engineers
Why Rust dominates AI agent infrastructure. Memory safety, async runtime, the ecosystem, and the career path. A field guide from the founder of Neul Labs.