AI Risk

NIST AI 600-1: The Generative AI Profile and Its 12 Risk Categories Explained

April 14, 2026 Rebecca Leung
NIST AI 600-1 generative AI risk AI governance
Table of Contents

TL;DR:

  • NIST AI 600-1 is the Generative AI Profile — published July 2024, still active — and it defines 12 risk categories that SR 11-7 and the original AI RMF were never designed to address
  • Financial services institutions are “deployers” under the framework and cannot outsource TEVV obligations to their GenAI vendors; you’re accountable for your use case regardless of who built the model
  • Three categories are immediate financial services priorities: Confabulation (your chatbot can be held liable for what it hallucinates), Harmful Bias (ECOA and UDAAP exposure), and Value Chain (your third-party foundation model dependencies require TPRM treatment)
  • Federal banking regulators are already applying 600-1 principles under existing SR 11-7 authority — OCC Bulletin 2025-26 signals formal AI model risk guidance is coming

SR 11-7 was published in 2011. GPT-3 launched in 2020. There’s a 9-year gap in regulatory vocabulary for what generative AI actually introduces — and that gap is where your examination exposure lives.

NIST filled part of that gap with NIST AI 600-1, the Generative AI Profile, finalized July 26, 2024. It’s not a replacement for SR 11-7 or the NIST AI RMF 1.0. It’s the layer on top — the framework that names what traditional model risk management can’t adequately address when the model is a large language model generating probabilistic outputs in real time.

Here’s what it says and what you need to do about it.

What NIST AI 600-1 Actually Is

AI 600-1 is formally a “cross-sectoral profile” of the AI RMF 1.0 — meaning it takes the four core functions (Govern, Map, Measure, Manage) and applies them specifically to generative AI and foundation models. It adds three things the parent framework lacks:

  1. A GenAI-specific risk taxonomy — 12 risk categories that are either novel to GenAI or substantially amplified compared to traditional AI
  2. 200+ suggested actions — organized under the four RMF functions, scoped specifically to generative AI
  3. A clearer developer/deployer/operator accountability structure — which matters enormously for financial institutions relying on third-party foundation models

The document was published pursuant to Section 4.1(a)(i)(A) of Executive Order 14110. That EO was revoked by the Trump administration on January 20, 2025. But NIST AI 600-1 itself was never rescinded — it remains accessible, widely cited by financial services regulators, and operationalized in the FS AI RMF published in February 2026 by the Cyber Risk Institute with 108 financial institution members.

The 12 Risk Categories

These aren’t theoretical concerns. Each one maps to a real failure mode that financial institutions are already experiencing.

#Risk CategoryCore Threat
1CBRN Information or CapabilitiesGenAI lowers barriers to dangerous dual-use synthesis information
2ConfabulationConfident, factually false outputs — “hallucinations” with legal liability attached
3Dangerous, Violent, or Hateful ContentScale content generation; jailbreaks make filtering continuous, not one-time
4Data PrivacyTraining data memorization, PII leakage, inference attacks, de-anonymization
5Environmental ImpactsSignificant compute/energy costs from training and operating GenAI systems
6Harmful Bias and HomogenizationAmplified historical bias from training data; discriminatory outputs at scale
7Human-AI ConfigurationAutomation bias, over-reliance, degraded human decision-making quality
8Information IntegrityDeepfakes, synthetic media, disinformation generation at industrial scale
9Information SecurityPrompt injection, data poisoning, adversarial attacks, AI-enabled cyberattacks
10Intellectual PropertyCopyright infringement from memorized training data in outputs
11Obscene, Degrading, and/or Abusive ContentSynthetic CSAM, NCII, deepfake harassment
12Value Chain and Component IntegrationThird-party model opacity; errors or vulnerabilities from components you can’t audit

For financial services, three of these deserve immediate program attention.

The Air Canada case (2024) is the benchmark. The airline’s chatbot told a passenger he could get a bereavement fare refund after travel — a policy that didn’t exist. Air Canada argued it wasn’t responsible for the bot’s outputs. The British Columbia Civil Resolution Tribunal disagreed, holding the company fully liable for what its AI said.

The analogy to financial services is direct. A GenAI-powered customer service tool that hallucinates loan terms, fee schedules, account balances, or regulatory disclosures creates UDAAP exposure and potential Regulation B adverse action issues. A GenAI underwriting assistant that generates a factually false rationale for a denial creates a compliance artifact you cannot walk back.

Confabulation controls under AI 600-1 include: Retrieval-Augmented Generation (RAG) to ground outputs in verified internal knowledge (Morgan Stanley’s approach — they built a RAG system over 350,000 proprietary documents with multi-stage citation verification before deploying to 98% of advisor teams), output confidence scoring, human review requirements for high-stakes outputs, and systematic benchmarking of confabulation rates before deployment.

Harmful Bias (#6): The ECOA/UDAAP Exposure You Already Have

GenAI systems amplify whatever biases are in their training data. In financial services, that means any GenAI system making or informing credit decisions — underwriting support, credit policy explanations, marketing targeting, collection communications — is a potential fair lending exposure point.

AI 600-1 explicitly calls out demographic parity and disparate impact monitoring as controls under the Measure function. This connects directly to the CFPB’s UDAAP examination authority and ECOA’s requirements on adverse action. The Massachusetts AG’s $2.5 million settlement with Earnest Operations in July 2025 for AI underwriting disparate impact was brought under existing ECOA and state UDAP statutes — no new AI law required.

For a deeper look at the AI fair lending compliance picture, see AI and Fair Lending: UDAAP Risk in Algorithmic Decisioning.

Value Chain (#12): Third-Party GenAI Is Still Your Risk

This is the category most institutions are underweighting. If you’re deploying an Azure OpenAI instance, a vendor’s GenAI API, or any foundation model you didn’t train yourself, you’re in the middle of a value chain you can’t fully audit. AI 600-1 makes clear that sitting in that position doesn’t reduce your accountability.

The framework explicitly states that deployer-banks cannot simply rely on the foundation model vendor’s testing. You must conduct your own TEVV against your specific use case, user population, and regulatory context. The vendor’s SOC 2 report and general bias disclosures are not a substitute for your own evaluation.

This connects directly to OCC Bulletin 2023-17 and FDIC FIL-29-2024 on third-party risk management — GenAI vendors require the same enhanced due diligence as any critical service provider. More detail on building that due diligence process is in Third-Party AI Vendor Risk Assessment.

Developer, Deployer, Operator: Where Does Your Institution Sit?

AI 600-1 assigns different responsibilities based on where you sit in the AI value chain.

Developers build and train the model. They own training data governance, bias controls in the training process, and transparency about model limitations.

Deployers take a developer’s model and build products or services on top of it. They own post-deployment evaluation, production monitoring, and consumer-facing transparency. A deployer becomes a developer only through “transformative and extensive” model modification — fine-tuning alone doesn’t cross that line.

Integrators are intermediate actors who may function as developer, deployer, or both. Banks building custom applications on top of Azure OpenAI or AWS Bedrock typically sit here.

Operators run deployed systems in production.

Most financial institutions are deployers or integrators — which means they sit in the accountability tier that TEVV requirements, bias monitoring, incident response, and consumer transparency obligations attach to. The foundation model vendor’s practices are relevant context, not a defense.

How AI 600-1 Connects to SR 11-7 and the AI RMF

DimensionSR 11-7NIST AI RMF 1.0NIST AI 600-1
ScopeAll bank modelsAll AI systemsGenAI / foundation models
Published2011January 2023July 2024
Risk taxonomyConceptual soundness, data quality, ongoing monitoringGeneral AI risks12 GenAI-specific categories
Testing approachValidation by independent partyTEVV conceptsRed-teaming, confabulation benchmarks, prompt injection
Third-party AITPRM principles applyGeneral third-party guidanceValue chain transparency requirements
RolesModel owner, developer, userGeneral AI actorsDeveloper/deployer/integrator with explicit shared TEVV

None of these replace each other. SR 11-7 remains the examination baseline. AI RMF 1.0 provides the governance architecture. AI 600-1 adds the GenAI-specific implementation layer. All three apply simultaneously to a bank deploying an LLM in a customer-facing or decision-support context.

TEVV Under AI 600-1: What Testing Actually Requires

TEVV (Test, Evaluate, Verify, Validate) is continuous under AI 600-1 — not a one-time pre-deployment check.

Pre-deployment minimum:

  • Confabulation/hallucination benchmarking against domain-specific scenarios (not generic public benchmarks)
  • Bias assessments across race, sex, age, national origin — the ECOA-relevant attributes
  • Adversarial red-team testing: prompt injection attempts, jailbreak scenarios, data extraction probes
  • Privacy leakage testing: does the model reproduce PII from training data in outputs?
  • Content safety screening for the risk categories most relevant to your use case

Post-deployment continuous monitoring:

  • Output drift: are confabulation rates changing as the underlying model updates?
  • Demographic performance monitoring: are protected class groups experiencing different outcomes over time?
  • Periodic re-red-teaming: model behavior can shift with vendor updates you don’t control
  • Incident response readiness for GenAI-specific failure modes

The LLM hallucination risk management guide covers confabulation testing techniques in more depth.

The Regulatory Pressure Building Behind 600-1

AI 600-1 is voluntary. But the regulatory trajectory is clear.

The GAO-25-107197 report confirmed that OCC, Federal Reserve, FDIC, and NCUA examiners are already incorporating AI into safety-and-soundness and compliance examinations under existing authorities. OCC Bulletin 2025-26, published in 2025, is explicitly described as a “first step” in a broader review of model risk management guidance — a clear signal that updated formal guidance is coming and that SR 11-7 gaps for GenAI are on the agenda.

The Financial Services AI RMF, published in February 2026 by the Cyber Risk Institute with 108 financial institution participants, builds directly on AI 600-1 and maps its 230 control objectives to existing financial services regulations. That document is effectively what examiner expectations will be grounded in as the formal guidance develops.

Institutions that build AI 600-1-aligned programs now — risk categories mapped, TEVV documented, value chain due diligence in place — will have a material head start when “voluntary” becomes “expected.”

So What? Implementation Priorities for Financial Services Teams

This week:

  • Add the 12 AI 600-1 risk categories to your AI model inventory and tag each deployed GenAI system against the relevant categories
  • If you have customer-facing GenAI (chatbots, document processors, underwriting support), run a confabulation rate assessment against your specific use cases
  • Identify whether each GenAI vendor has provided transparency on training data, testing methodology, and demographic bias assessment — and document the gap if they haven’t

Next 30 days:

  • Build a GenAI-specific TEVV protocol for any system in scope for SR 11-7
  • Add Value Chain risk to your existing third-party AI due diligence questionnaire — specifically: zero data retention policies, bias disclosure, and contractual risk allocation for model failures
  • Establish demographic performance monitoring for any GenAI system that influences credit, pricing, or customer communications

Next 90 days:

  • Run a red-team exercise against your highest-risk GenAI deployments (prompt injection, jailbreak, data extraction attempts)
  • Document your deployer/integrator role explicitly in model documentation — this is what an examiner will ask about
  • Align your acceptable use policy to the AI 600-1 categories, not just general AI governance principles

Start with the AI Risk Assessment Template to document your model inventory and map your GenAI systems against the 12 risk categories — get it here.

FAQ

What is NIST AI 600-1? NIST AI 600-1, published July 26, 2024, is the Generative AI Profile — a companion resource to the NIST AI RMF 1.0 that identifies 12 risk categories unique to or amplified by generative AI and provides 200+ suggested controls under the Govern, Map, Measure, and Manage functions.

What are the 12 generative AI risk categories? CBRN Information or Capabilities, Confabulation, Dangerous/Violent/Hateful Content, Data Privacy, Environmental Impacts, Harmful Bias and Homogenization, Human-AI Configuration, Information Integrity, Information Security, Intellectual Property, Obscene/Degrading/Abusive Content, and Value Chain and Component Integration.

Does NIST AI 600-1 apply to financial institutions using third-party GenAI? Yes. Deployer institutions cannot outsource TEVV obligations to the model vendor. You are accountable for testing against your specific use case, regulatory context, and customer population.

How does NIST AI 600-1 relate to SR 11-7? SR 11-7 governs the model risk management structure; AI 600-1 adds the GenAI-specific risk taxonomy. Both apply simultaneously to banks deploying LLMs in credit, compliance, or customer-facing contexts.

Is NIST AI 600-1 mandatory? Voluntary guidance, but regulators are already applying its principles under SR 11-7 and safety-and-soundness authorities. OCC Bulletin 2025-26 signals formal AI model risk guidance is forthcoming.

What does TEVV require under AI 600-1? Pre-deployment: confabulation benchmarking, bias testing, adversarial red-teaming, privacy leakage testing. Post-deployment: continuous output drift monitoring, demographic performance tracking, periodic re-red-teaming, and GenAI-specific incident response readiness.

Frequently Asked Questions

What is NIST AI 600-1?
NIST AI 600-1, published July 26, 2024, is the Generative AI Profile — a companion resource to the NIST AI RMF 1.0 that identifies 12 risk categories unique to or amplified by generative AI and provides 200+ suggested controls under the Govern, Map, Measure, and Manage functions. It remains active guidance despite the revocation of the executive order that mandated it.
What are the 12 generative AI risk categories in NIST AI 600-1?
The 12 categories are: (1) CBRN Information or Capabilities, (2) Confabulation, (3) Dangerous, Violent, or Hateful Content, (4) Data Privacy, (5) Environmental Impacts, (6) Harmful Bias and Homogenization, (7) Human-AI Configuration, (8) Information Integrity, (9) Information Security, (10) Intellectual Property, (11) Obscene, Degrading, and/or Abusive Content, and (12) Value Chain and Component Integration.
Does NIST AI 600-1 apply to financial institutions that use third-party GenAI tools?
Yes. Institutions that deploy GenAI tools to customers or in business processes are 'deployers' under NIST AI 600-1 and cannot delegate risk management obligations to the model vendor. The framework requires deployers to conduct their own TEVV testing against their specific use case, regulatory context, and customer population — the vendor's testing is not a substitute.
How does NIST AI 600-1 relate to SR 11-7?
SR 11-7 governs model risk management structure; AI 600-1 adds the GenAI-specific risk taxonomy that SR 11-7 wasn't designed to handle — confabulation, prompt injection, value chain opacity, content provenance, and emergent behavior in probabilistic systems. The two frameworks are complementary, not competing.
Is NIST AI 600-1 mandatory for US financial institutions?
It is voluntary guidance. However, OCC, Federal Reserve, FDIC, and NCUA examiners are applying its principles under existing SR 11-7 and safety-and-soundness authorities. OCC Bulletin 2025-26 signals that updated AI model risk guidance is forthcoming. Institutions aligned to AI 600-1 now are better positioned for current examinations and any formal rule that follows.
What does TEVV require under NIST AI 600-1?
TEVV (Test, Evaluate, Verify, Validate) for GenAI includes pre-deployment confabulation benchmarking, bias testing across protected class attributes, adversarial red-team testing (prompt injection, jailbreaks), and privacy leakage testing. Post-deployment, TEVV must be continuous — monitoring output drift, demographic performance disparities, and periodic re-red-teaming as model behavior can shift with updates.
Rebecca Leung

Rebecca Leung

Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.

Related Framework

AI Risk Assessment Template & Guide

Comprehensive AI model governance and risk assessment templates for financial services teams.

See What's Included → Buy Now — $49

Keep Reading

AI Risk

NIST AI RMF MAP Function: How to Frame AI Risk Context Before You Build or Deploy

The MAP function is where NIST AI RMF risk management actually starts. Learn what MAP 1-5 require, how financial institutions implement them, and why most teams get this wrong.

Apr 21, 2026

AI Risk

Agentic AI Governance: The Compliance Gap Nobody's Talking About

SR 11-7, Reg E, and UDAAP weren't built for AI that acts autonomously. Here's where your compliance program has a blind spot—and what to build before regulators close it.

Apr 20, 2026

AI Risk

Continuous Monitoring for AI Models: Drift, Degradation, and Compliance Triggers

SR 11-7 ongoing monitoring for AI models — drift detection, PSI thresholds, re-validation triggers, and what OCC examiners check in 2026.

Apr 19, 2026

Immaterial Findings ✉️

Weekly newsletter

Sharp risk & compliance insights practitioners actually read. Enforcement actions, regulatory shifts, and practical frameworks — no fluff, no filler.

Join practitioners from banks, fintechs, and asset managers. Delivered weekly.