General AI risk guidance is now giving way to something more specific. The National Institute of Standards and Technology released a concept note in early April 2026 for an AI RMF Profile on Trustworthy AI in Critical Infrastructure – a document that moves the federal framework from broad applicability toward named sectors and defined operator obligations.
NIST’s stated purpose is direct: the profile “will guide CI operators towards specific risk management practices to consider when engaging AI-enabled capabilities,” according to the NIST AI RMF page. That sentence does significant work. It names critical infrastructure operators as a specific compliance audience. It uses “AI-enabled capabilities” rather than just “AI systems”, wording that captures a broader range of deployments, including systems that assist human decision-making rather than replacing it outright.
The document is a concept note, not a finalized profile. That distinction matters for compliance teams. A concept note establishes the framework’s direction and typically invites input before finalization. The specific risk management practices will be detailed in the profile once it clears the development process. Teams building AI governance programs should check the NIST page directly for comment or engagement opportunities; sector-specific profiles are often shaped significantly by practitioner input at this stage.
Why does a sector-specific profile matter more than the general AI RMF? The general framework applies to everyone, which means it optimizes for breadth over precision. A critical infrastructure profile can address the operational realities that distinguish utilities from financial systems from healthcare networks: the failure modes, the regulatory environments, the interdependencies. Sector-specific guidance gives compliance teams something they can actually map to their operating context rather than translating from general principles.
Critical infrastructure operators (energy, financial services, healthcare, telecommunications, transportation) are already subject to sector-specific cybersecurity frameworks (NERC CIP for energy, for example). An AI RMF profile that aligns with those frameworks would reduce the compliance burden considerably. Whether this concept note takes that approach requires reviewing the document itself, which the NIST page provides access to.
For federal contractors and government agency AI teams, this profile also signals where procurement and acquisition requirements are likely to point. NIST standards inform federal contracting. A finalized AI RMF profile for critical infrastructure will almost certainly appear in acquisition guidance.
The profile is pre-finalization. Don’t build compliance programs around the concept note specifics; those will evolve. Do engage with the process now, because the organizations that shape the comment period shape the final requirements. That’s the practical action for this week.