§ For NY-licensed financial institutions·banks, insurers, and DFS-covered entities

NYDFS Part 500 AI Compliance for NY-Licensed Banks, Insurers, and DFS-Covered Entities

The New York Department of Financial Services supervises AI through a cybersecurity lens, not as a separate AI-model-governance regime. 23 NYCRR Part 500 is the binding rule. NYDFS expects covered entities to fold AI-related cyber risk into the Part 500 risk assessment and controls they already run, with the final provisions of the 2023 amendment effective November 1, 2025.

The October 2024 and May 2026 AI letters are guidance and advisory. They interpret how Part 500 applies to AI. They do not create new binding requirements or new deadlines. This page maps each AI cyber risk to the Part 500 control it touches and the evidence a DFS examiner expects to see.

§ The short answer·what Part 500 actually requires of AI

NYDFS governs AI through Part 500, as a cyber risk

If you are a CISO or CCO at a NY-licensed bank, insurer, or other DFS-covered entity, here is the distinction that matters before you brief your board.

Part 500 is the enforceable rule. 23 NYCRR Part 500, the NYDFS Cybersecurity Regulation, is the binding obligation for covered entities. The 2023 Second Amendment phased in over two years, and its final provisions became effective November 1, 2025, including the expanded asset inventory requirement, broader multi-factor authentication, and enhanced governance. There is no separate New York AI rule. NYDFS does not examine your models the way a model-risk function would. It examines whether your cybersecurity program, the one Part 500 already mandates, accounts for the new ways AI changes the threat surface.

The AI letters are guidance, not new requirements. NYDFS has published two pieces of AI-specific writing, and neither is a rule. The October 2024 guidance and the May 2026 frontier-AI advisory both work the same way: they tell covered entities to read AI-related threats into the Part 500 risk assessment and controls already on the books. Treating either letter as a fresh compliance mandate with its own deadline is a misread. The mandate is Part 500. The letters describe how Part 500 reaches AI.

So the practical question for a covered entity is not "do we need a new AI compliance program for NYDFS." It is "does our existing Part 500 program account for AI as a threat, and can we show the evidence." That is a readiness exercise across the controls you already operate, and it is where this page, and our work, focuses.

§ The two AI letters·what each one does and does not require

The October 2024 guidance and the May 2026 frontier-AI advisory

Both letters interpret Part 500. Read them as direction on where to point your existing risk assessment, not as new rules.

October 16, 2024 guidance: "Cybersecurity Risks Arising from Artificial Intelligence and Strategies to Combat Related Risks." This is guidance, not a new rule. It directs covered entities to fold AI-related threats into their existing Part 500 risk assessments and controls. NYDFS calls out four AI-related risk areas: AI-enabled social engineering and deepfakes, AI-enhanced cyberattacks, theft of nonpublic information used to train AI models, and third-party and vendor risk introduced by AI. None of those are new control families. They are new threat scenarios that your existing risk assessment, third-party policy, access controls, and training program are expected to address. You can read the full letter on the NYDFS site: Cybersecurity Risks Arising from Artificial Intelligence.

May 21, 2026 Industry Letter: "Heightened Cybersecurity Risks Associated with Frontier AI Models." This advisory is explicit that it does not impose new requirements. It warns that frontier AI models can amplify the speed and scale at which vulnerabilities are discovered and exploited, and it directs covered entities to strengthen the Part 500 practices that blunt that acceleration: vulnerability management, third-party coordination, secure programming practices, and monitoring and reporting. A companion same-day guidance on highly capable threat-enabling models was also published, but the frontier-AI advisory is the anchor for covered entities. Read it here: Heightened Cybersecurity Risks Associated with Frontier AI Models.

The throughline is consistent. NYDFS supervises AI as a cybersecurity matter under Part 500. It is not standing up an AI-model-governance regime, and it has not created AI-specific obligations or deadlines outside the Part 500 framework. For an examiner conversation, that means the burden is to show that your Part 500 program saw these AI threats coming and has the controls and the records to prove it.

§ The control map·AI risk → Part 500 obligation → evidence

Map each AI risk to the Part 500 control it touches

This is the practical asset: the AI risks NYDFS named, the Part 500 obligation each one lands on, and the evidence to assemble for a DFS examination. Section references describe the obligation; where a single section does not cleanly own a duty, the obligation is described rather than over-cited.

Each entry below lists the AI risk (from the NYDFS AI letters), the Part 500 obligation it touches, and the evidence to assemble.

AI risk: AI-enabled social engineering and deepfakes
Part 500 obligation: 500.14 monitoring and training; 500.12 multi-factor authentication
Evidence to assemble: Cybersecurity awareness training curriculum that names deepfake and AI phishing scenarios, with completion logs; MFA coverage attestation across remote, privileged, and third-party access.

AI risk: AI-enhanced attacks (faster discovery and exploitation)
Part 500 obligation: 500.9 periodic risk assessment; 500.14 monitoring controls
Evidence to assemble: Updated written risk assessment that names AI-enhanced attack scenarios; monitoring and detection coverage records that show how anomalous activity is caught.

AI risk: Theft of nonpublic information used to train AI models
Part 500 obligation: 500.13 asset management and inventory; access controls over NPI
Evidence to assemble: Asset inventory that includes AI systems and the data stores feeding them; access, classification, and data-handling records for the NPI those systems touch.

AI risk: Third-party and vendor AI risk
Part 500 obligation: 500.11 third-party service provider security policy
Evidence to assemble: Third-party security policy that addresses AI vendors; due-diligence and contractual control records for each AI service provider in scope.

AI risk: Frontier-AI amplified exploitation (May 2026 advisory)
Part 500 obligation: 500.9 risk-assessment refresh; 500.5 penetration testing and vulnerability assessments; 500.8 application security
Evidence to assemble: Documented vulnerability-management cadence, secure-development practices, and a third-party coordination and reporting process tuned for the faster exploitation NYDFS warns about.

AI risk: Board and officer accountability for AI exposure
Part 500 obligation: 500.04 CISO reporting; 500.17 notices and annual certification
Evidence to assemble: CISO report to the senior governing body that covers AI risk; a 72-hour cybersecurity-event notice process that contemplates AI-enabled incidents; the annual compliance certification record.

This map is a readiness aid, not legal advice or a certification. Section numbers reflect 23 NYCRR Part 500 as amended; confirm the current text and the application to your facts with your counsel and your examiner. DSE assembles the evidence and prepares the program for audit; it does not certify compliance.

§ What you get·readiness mapped onto Part 500

What DSE actually delivers

Not a parallel AI compliance program and not a binder of templates. AI cyber risk mapped onto the Part 500 controls you already operate, with the evidence a DFS examination expects.

We start where you already are. A NY-licensed entity does not need a second compliance program for AI; it needs its Part 500 program to account for AI as a threat. We build a crosswalk from the AI risks NYDFS named to the Part 500 controls that answer them, so one control set and one evidence trail serve both your cybersecurity obligation and your AI exposure. Document once, tag twice.

On that foundation we deliver a defensible AI inventory that names every LLM, generative-AI, and machine-learning system touching nonpublic information, including the shadow-AI deployments nobody registered; a risk read against Part 500 that tiers each system by impact and threat surface and ties it to the controls in the map above; AI security testing that proves what your deployed systems do under adversarial conditions, mapped to the OWASP LLM Top 10 and MITRE ATLAS; and a remediation roadmap that sequences the highest-risk gaps first. The emphasis throughout is readiness and control-mapping. We prepare your program for audit and assemble the evidence. We do not issue certificates, we are not a certification body, and we do not guarantee that you pass an examination or avoid an enforcement action, because no honest advisor can.

If the more urgent question is whether a deployed copilot, RAG pipeline, or agent can be broken, that is our AI red teaming and LLM security testing engagement. If you want the broader supervisory picture across charters, start with the pillar overview, AI governance for financial services, which maps each AI use to the authority that governs it. Insurers carrying both the GLBA Safeguards Rule and Part 500 should also see AI governance for insurers.

§ Where it sits·Part 500 is one axis, not the only one

Part 500 next to SR 26-2 and your other obligations

NYDFS Part 500 is a cybersecurity overlay. It is a separate axis from federal model-risk guidance, and the two should not be conflated.

SR 26-2 is a different regime. SR 26-2, issued in April 2026, is the federal model-risk guidance that replaced SR 11-7, and it excludes generative and agentic AI from its model-risk scope. It is a model-risk axis, supervised by the prudential agencies, concerned with whether a model that informs a business decision is inventoried, validated, and monitored. NYDFS Part 500 is the New York cybersecurity overlay for DFS-covered entities, concerned with whether your security program protects nonpublic information and accounts for AI-driven threats. A bank with a New York charter can sit under both at once. They answer different questions, and an examiner from one is not satisfied by evidence built for the other. We map both where both apply, and we keep the two straight rather than collapsing them into a single story.

The same logic extends across the rest of your stack. Insurers also answer to the NAIC model bulletin and the GLBA Safeguards Rule; broker-dealers answer to FINRA and SEC Reg S-P; registered investment advisers answer to SEC examination priorities. Part 500 does not replace any of those. It is the New York cybersecurity layer that sits alongside them, and a defensible program treats each as its own axis with its own evidence, mapped onto the controls you run once.

§ FAQ·the questions CISOs and CCOs ask

Straight answers on Part 500 and AI

Does NYDFS Part 500 regulate AI?

NYDFS supervises AI primarily through a cybersecurity lens, not as a separate AI-model-governance regime. 23 NYCRR Part 500 is the binding rule, and covered entities are expected to fold AI-related cyber risk into the Part 500 risk assessment and controls they already operate. The October 2024 and May 2026 AI letters are guidance and advisory that interpret how Part 500 applies to AI; they are not new binding requirements.

Did the October 2024 NYDFS AI guidance create new requirements?

No. The October 16, 2024 guidance is guidance, not a new rule. It directs covered entities to address AI-related threats, including AI-enabled social engineering and deepfakes, AI-enhanced attacks, theft of nonpublic information used to train AI, and third-party and vendor AI risk, within their existing Part 500 risk assessments and controls. It does not add a new control family or a new deadline.

What did the May 2026 frontier-AI letter change?

Nothing binding. The May 21, 2026 Industry Letter on frontier AI models is an advisory that explicitly does not impose new requirements. It warns that frontier models can amplify the speed and scale of vulnerability discovery and exploitation, and it directs covered entities to strengthen vulnerability management, third-party coordination, secure programming, and monitoring and reporting under Part 500.

Which Part 500 provisions took effect November 1, 2025?

The 2023 Second Amendment phased in over two years, and its final provisions became effective November 1, 2025, including the expanded asset inventory requirement, broader multi-factor authentication, and enhanced governance. Part 500 is the enforceable rule; the AI letters interpret how that rule applies to AI rather than adding their own dates.

How is NYDFS Part 500 different from SR 26-2 model risk?

They are separate axes. SR 26-2, issued in April 2026, is federal model-risk guidance that replaced SR 11-7 and excludes generative and agentic AI from its scope. NYDFS Part 500 is the New York cybersecurity overlay for DFS-covered entities. Part 500 governs AI through cybersecurity controls and is not a model-risk regime, so a covered entity may sit under both at once and should map each separately.

Does DSE certify NYDFS Part 500 compliance?

No. DSE prepares your AI and cybersecurity program for audit and assembles the evidence a DFS examination expects. We do not certify, attest, or guarantee an outcome. We are not a certification body and we do not provide legal advice; we work alongside your counsel under a signed SOW or MSA.

§ Next step·test it, then prove it

Get your AI ready for a DFS examination

Start with hands-on AI security testing that shows what your deployed systems do under attack and maps each finding to the Part 500 control it touches. Or pull the free Part 500 workbooks and self-assess first. A principal runs the engagement end to end.

§ What this is·and what it isn't

Readiness consulting. Not certification.

DSE provides AI governance and cybersecurity readiness consulting and AI security testing. We prepare your program for audit and assemble evidence; we are not an accredited certification body and do not certify NYDFS Part 500, NIST, ISO/IEC 42001, or any other compliance. Only the relevant authority or an accredited body does that.

This page is informational and is not legal advice. Part 500 section references describe obligations under 23 NYCRR Part 500 as amended; confirm the current regulatory text and its application to your facts with your counsel and your examiner. The October 2024 and May 2026 NYDFS AI letters are guidance and advisory and do not create new binding requirements or deadlines.

We cannot guarantee passing an examination or avoiding enforcement, and we work alongside your counsel. All engagements are governed by a signed SOW / MSA that includes a limitation of liability and, for any testing, written authorization to test the in-scope systems.