AI Governance for Financial Services: The 4-Tier NIST AI RMF

· 3 min read

The NIST AI Risk Management Framework (AI RMF) is the de-facto US standard for AI governance. This article explains how to implement it for financial-services AI agents, using the 4-tier model I developed at Neul Labs, applied at a UK fintech and presented to the FCA sandbox.

The NIST AI RMF in one paragraph

The NIST AI RMF has four functions: Govern (establish culture and accountability), Map (identify AI systems and their context), Measure (assess risks), Manage (respond to risks). The framework is voluntary in the US but is becoming the baseline for financial-services AI governance globally.

The 4-tier Agentic Profile

The standard NIST AI RMF does not address AI agents specifically. The 4-tier Agentic Profile I developed extends it:

TierAgent capabilityNIST functionsEU AI Act mapping
T0Read-only (no actions)MapBelow threshold
T1Advise (human approves)Map + MeasureBelow threshold
T2Act under supervision (reversible)All four, elevatedLimited risk
T3Act autonomously (audited after)All four, highestHigh-risk

The implementation: Regulus

Regulus is the implementation of this profile. It is an EU + UK compliance plane for Google ADK (Agent Development Kit) with:

  • 6 plugins (one per governance area: risk, data, model, deployment, monitoring, incident)
  • 10 regulations (EU AI Act, GDPR, DORA, NIS2, EHDS, UK GDPR, FCA SYSC, PRA SS1/23, PRA SS2/21, NHS DSPT)
  • 6 governance frameworks (NIST AI RMF, ISO/IEC 42001, 23894, 23053)
  • 4 GRC adapters (ServiceNow IRM, OneTrust, MetricStream, custom)
  • Vertex AI Agent Engine deploy in 60 seconds

Regulus was open-sourced by Neul Labs and Skelf Research, not at any employer.

How to apply this to your bank/insurer/asset manager

  1. Classify your AI systems: go through every AI system and classify it T0-T3. Most will be T0 or T1. Some will be T2. Few will be T3.

  2. Apply the right controls: for each tier, apply the corresponding NIST AI RMF functions and the regulatory requirements. T0 needs minimal governance. T3 needs the full EU AI Act high-risk system package.

  3. Build the audit trail: every action is logged with identity, timestamp, parameters, and model reasoning. This is the evidence you show the regulator.

  4. Deploy Regulus (or equivalent): the compliance plane automates the governance checks. Instead of manual review for every agent action, the runtime enforces the policy.

What I learned in production

In my most recent role as Principal AI Architect at a UK fintech, I built an internal agentic AI platform and presented agent guardrails to the FCA sandbox. The open-source frameworks below were developed at Neul Labs and Skelf Research:

  • Regulus (the compliance plane)
  • The 4-tier NIST AI RMF Agentic Profile
  • The Tiered Governance Model
  • Production agent systems with the Substrate Pattern and Defence in Depth

The biggest lesson: compliance is not a blocker. It is a feature. The banks that won the AI race in 2025-2026 were the ones that built compliance into the runtime from day one, not the ones that bolted it on after launch.

— Dipankar Sarkar, Founder of Neul Labs

Related Articles