NIST has moved the AI Risk Management Framework into critical infrastructure territory, and the timing matters.
The agency published a concept note titled “AI RMF Profile on Trustworthy AI in Critical Infrastructure” on approximately April 7, 2026, per the NIST website. The profile extends AI RMF 1.0, the voluntary framework NIST released in 2023, into sector-specific guidance for critical infrastructure operators. It maps NIST’s four AI RMF functions (Govern, Map, Measure, Manage) to the specific risk contexts faced by energy, water, and transportation operators deploying AI-enabled capabilities, as confirmed by Industrial Cyber’s coverage of the profile.
The term “concept note” is doing real work here. This isn’t a finalized profile; it’s a consultative document that outlines the framework’s direction before NIST completes it. For critical infrastructure operators, that’s an invitation. NIST profiles are shaped by practitioner input during the concept and draft stages; the final document tends to reflect the concerns and operational realities that stakeholders surface during that window. If the sectors covered by this profile have views about how AI risk management should translate to operational practice, the concept note stage is the time to express them.
The profile’s voluntary status is accurate and important. NIST confirms the framework is voluntary: it’s guidance, not a regulation. But voluntary and consequential aren’t mutually exclusive. The original AI RMF 1.0 has been incorporated by reference in federal contracting contexts, and NIST profiles have historically moved from voluntary guidance into procurement language as agencies specify their expectations for AI system providers. Whether this specific profile follows that path hasn’t been announced; that trajectory is what analysts expect, not what NIST has stated.
For critical infrastructure operators in energy, water, and transportation: the practical question is how your organization’s current AI risk management practices map to the four RMF functions as applied in this profile. “Govern” covers organizational accountability and policy structure. “Map” addresses AI risk identification. “Measure” covers evaluation and testing. “Manage” addresses risk response and treatment. Those aren’t new concepts, but the profile’s sector-specific applications may surface gaps between your current practices and what the framework expects in your operational context.
One practical step worth taking now: confirm whether NIST has opened a formal public comment period for this concept note. If a comment deadline has been set, it belongs on your compliance calendar. Comment periods are typically 60-90 days from publication, which would put a deadline in late June or early July 2026 if one has been announced.
Watch the NIST website for draft profile publication following the concept note phase. The draft is where the specific guidance becomes actionable enough to assess compliance gap implications in detail.
TJS perspective: The critical infrastructure AI risk profile fills a genuine gap. The original AI RMF was built for general applicability; it doesn’t fully account for the operational technology environments and physical safety consequences that define AI risk in energy grids, water systems, and transportation networks. This profile’s sector specificity is the point. For federal contractors and regulated operators in the covered sectors, getting ahead of the profile, by mapping your current AI governance posture against the four functions now, is lower-cost than scrambling when the final profile lands.