AI Disclosure: This news brief was drafted with AI assistance by Mentis Intelligence and reviewed by Zain Aamer, CEO of Bespoke Mentis, before publication. All regulatory and factual claims reference publicly available sources cited below.
NIST Expands AI Risk Management Framework for Critical Infrastructure
NIST updates its AI Risk Management Framework to address generative AI and supply chain risks in critical infrastructure sectors.
CEO, Bespoke Mentis · AI-assisted + reviewed before publication · AC11 Governed
Topics: NIST · AI Risk Management Framework · critical infrastructure
NIST has released significant updates to its AI Risk Management Framework, explicitly targeting the risks of generative AI and supply chain vulnerabilities in critical infrastructure, setting a new benchmark for AI governance in regulated sectors [NIST].
On June 10, 2024, the National Institute of Standards and Technology (NIST) published a revised version of its AI Risk Management Framework (AI RMF), expanding its guidance to address the deployment of AI—including generative AI—in critical infrastructure sectors such as energy, healthcare, and finance. The update introduces new provisions for identifying and mitigating supply chain risks and offers sector-specific guidance to support trustworthy and resilient AI adoption in essential services [NIST; Tech Policy Review].
NIST’s expanded framework is a direct response to the growing adoption of generative AI in regulated industries and the increasing complexity of AI supply chains. The update aligns with recent regulatory trends, including the EU AI Act’s focus on high-risk use cases and the White House Executive Order on Safe, Secure, and Trustworthy AI, which both emphasize critical infrastructure protection and supply chain integrity [White House EO]. For enterprises subject to HIPAA, SEC, or FDA oversight, the revised AI RMF provides a more granular approach to risk identification, documentation, and mitigation—especially for generative AI models that can introduce novel vulnerabilities or amplify existing ones [Tech Policy Review].
CTOs, CISOs, and Compliance Officers in regulated sectors should immediately review the updated NIST AI RMF and map its new requirements to their existing AI governance programs. Over the next 30-90 days, organizations should conduct a gap analysis focused on generative AI use cases and supply chain dependencies, update risk registers, and ensure that third-party AI vendors align with the revised framework. Early alignment with NIST’s guidance will be critical as regulators and industry bodies increasingly reference the AI RMF as a baseline for compliance and due diligence [NIST].
What This Means for Enterprise AI
NIST’s explicit inclusion of generative AI and supply chain risk management in its AI RMF raises the bar for operational oversight in critical infrastructure sectors. Enterprises deploying generative AI—such as large language models for diagnostics, trading, or grid management—must now document model provenance, monitor for emergent behaviors, and implement controls for downstream risks introduced by third-party components [NIST].
For organizations regulated under HIPAA, SEC, or FDA, the updated framework provides a clear structure for integrating AI risk management into existing compliance workflows. This includes requirements for continuous monitoring, incident response planning, and supplier risk assessments—mirroring the EU AI Act’s obligations for high-risk AI systems [Tech Policy Review]. Failure to align with NIST’s guidance could increase exposure to regulatory scrutiny, operational disruptions, and reputational damage.
Action items for enterprise leaders: update AI risk inventories to include generative AI and supply chain vectors, revise vendor due diligence checklists to reflect NIST’s new criteria, and train relevant staff on the expanded framework. Proactive adoption of these measures will position organizations to meet evolving regulatory expectations and strengthen AI system resilience across critical infrastructure domains.
AI systems analyst and governance specialist at Bespoke Mentis. Covers enterprise AI compliance, regulated industry strategy, and the operational decisions that determine whether AI deployments succeed or fail audit.
This development affects your AI strategy.
Bespoke Mentis tracks every regulatory shift, enforcement action, and governance development so you can act before your competitors. Talk to us about what this means for your architecture.
