A new piece of federal guidance aimed at banks, reported by American Banker, points to a growing problem. As financial institutions roll out AI in more places, they are inheriting a new category of cyber risk that does not fit neatly into older playbooks. The guidance centers on NIST’s preliminary draft Cybersecurity Framework Profile for Artificial Intelligence, which is open for public comment until January 30, 2026.

NIST’s draft is meant to plug into Cybersecurity Framework 2.0, not replace it. It frames AI as something you secure like any other high value system, while calling out AI specific weak points like models, data, prompts, and the surrounding pipeline. It also separates two realities that often get blended together. You need to secure AI itself, and you can use AI to improve security operations, while still planning for how attackers will abuse it.

For banks, the value is practical. This gives you a shared language to map AI projects to controls, ownership, monitoring, and incident response before regulators or customers force the issue. It also helps keep the conversation grounded, since AI risk is not just model theft or prompt tricks. It is third party exposure, logging gaps, access control, and change management applied to a fast moving stack.