NIST published a concept note on April 7, 2026 for an “AI RMF Profile on Trustworthy AI in Critical Infrastructure.” The document is described as providing sector-specific AI risk management guidance for energy, water, and transportation operators, extending the existing AI Risk Management Framework into domains where the consequences of AI failure are measured in service disruptions, not just compliance violations.
Let’s be precise about what this document is. A concept note is pre-final guidance, not a published profile, not an enforceable standard, and not a formal update to the AI RMF. It represents NIST’s current thinking and an invitation for stakeholder input before a final profile is developed. Treating it as a requirement is premature. Ignoring it is unwise.
For critical infrastructure operators, the practical significance is in the direction it signals. The original AI RMF is a voluntary framework built for general organizational use. A sector-specific critical infrastructure profile, if and when finalized, would make “align with the AI RMF” a more concrete and auditable expectation for utilities, water systems, and transportation authorities. Federal contractors subject to NIST framework requirements would likely face direct applicability.
According to reporting from ABA Banking Journal, the profile addresses safety and reliability requirements specific to these sectors, areas where the AI RMF’s general risk management categories require adaptation to account for operational technology environments and physical-world consequences.
The agentic AI thread
A second development warrants attention. According to Pillsbury Law, NIST is also initiating an AI Agent Standards Initiative, with sector-specific listening sessions reportedly scheduled for April 2026. This has not been independently confirmed via NIST.gov in this cycle. If accurate, it represents NIST’s first formal signal on agent-specific standards, a development that would affect every organization deploying autonomous AI systems in operational environments.
The agentic AI connection to the critical infrastructure profile matters: autonomous agents operating on industrial control systems represent a risk category the original AI RMF wasn’t designed to address. If NIST is building both a critical infrastructure profile and an agent standards initiative simultaneously, those two workstreams will need to converge.
What to watch
NIST’s comment and input process for the concept note is the immediate next step. Organizations in energy, water, and transportation with AI deployments should consider engaging the comment process, NIST’s sector-specific profiles tend to reflect the operational realities that practitioners surface during that phase. Watch also for any formal NIST announcement of the AI Agent Standards Initiative listening sessions, which would confirm Pillsbury Law’s reporting.
TJS synthesis
NIST is moving from aspirational framework to sector-specific operationalization. For critical infrastructure operators who’ve treated the AI RMF as a general reference document, the concept note is a preview of what “alignment” will mean when it becomes auditable. Start the gap analysis now, against the concept note’s categories, while the profile is still in draft, that’s when input shapes the final requirements, not after.