On May 21, 2026, the New York Department of Financial Services issued two warnings on a single day to the banks, insurers, mortgage servicers, and money transmitters it licenses.
One flagged a heightened cyber threat environment; the other warned that “frontier AI” models can now find exploitable vulnerabilities at a pace human patching cycles were never designed to match. Neither document changed a single word of the rulebook.
That paradox explains why searches for the NYDFS cybersecurity regulation AI amendment keep climbing: compliance teams are hunting for a rule change that does not exist as a formal amendment.
The AI obligations arrived instead through three instruments: the Second Amendment to 23 NYCRR Part 500, an October 2024 industry letter, and the May 2026 advisory. Every one of them is enforceable today.
This guide maps each AI expectation to its Part 500 section, the deadlines that have already passed, and the enforcement record behind them. Read it alongside the 23 NYCRR 500 compliance guide covering the regulation’s baseline requirements; the focus here stays on the AI overlay that examiners now test.
| Key Takeaways: NYDFS Cybersecurity Regulation AI Amendment |
| No standalone NYDFS cybersecurity regulation AI amendment exists as a numbered rule change. The AI obligations arrived through the Second Amendment to 23 NYCRR Part 500 (November 2023), the October 16, 2024 AI industry letter, and the May 21, 2026 frontier AI advisory. All three are enforceable now. |
| NYDFS expects covered entities to assess four AI risk categories in every risk assessment: AI-enabled social engineering, AI-enhanced cyberattacks, exposure or theft of nonpublic information, and supply chain dependencies introduced by AI vendors. |
| The universal MFA and asset inventory deadline passed on November 1, 2025. NYDFS specifically warns against SMS, voice, and video authentication because deepfakes defeat them; digital certificates, physical security keys, and liveness-tested biometrics are the preferred factors. |
| April 15, 2026 marked the first annual certification covering the fully phased-in amended regulation. Certifying compliance while AI risks sit outside the risk assessment creates personal exposure for the CEO and CISO who sign. |
| Enforcement is established practice, not theory: Robinhood Crypto paid $30 million (2022), OneMain Financial $4.25 million (2023), and PayPal $2 million (January 2025) for Part 500 failures. The 2026 examination cycle treats the AI guidance as a benchmark. |
| Shadow AI breaches cost an average of $4.63 million ($670,000 above the global average), and 97% of organizations with AI-related breaches lacked proper AI access controls, according to IBM’s 2025 Cost of a Data Breach Report. |
| Map Part 500’s AI expectations onto NIST AI RMF functions and ISO/IEC 42001 clauses to run one control library instead of three parallel compliance programs. |
The “AI Amendment” Everyone Searches For, and What NYDFS Actually Issued

Figure 1. The NYDFS cybersecurity regulation AI amendment is really three instruments layered onto Part 500 between 2023 and 2026.
Start with what the search term gets wrong. When commenters asked NYDFS to add a dedicated AI section during the Second Amendment rulemaking, the Department declined, stating it expects covered entities to address AI risks through existing risk assessments and cybersecurity programs. The regulation’s risk-based architecture already reaches AI, so no new article was needed.
Superintendent Adrienne A. Harris made that position explicit on October 16, 2024, when DFS published its industry letter on cybersecurity risks arising from artificial intelligence. “AI has improved threat detection abilities while creating opportunities for cybercriminals to operate at greater scale and speed,” Harris said in the accompanying press release. The letter tells you how examiners will read the existing rules rather than creating new ones.
| Instrument | Date | Legal status | What it did for AI |
| 23 NYCRR Part 500 | Effective Mar 1, 2017 | Binding regulation | Risk-based framework that AI expectations now attach to |
| Second Amendment | Adopted Nov 1, 2023; phased to Nov 1, 2025 | Binding regulation | Universal MFA, asset inventories, governance, and certification: the controls AI risks are tested against |
| AI industry letter | Oct 16, 2024 | Guidance interpreting Part 500 | Named four AI risks and mapped mitigations to existing sections |
| Dual guidance incl. frontier AI advisory | May 21, 2026 | Advisory; examination benchmark | Directed entities to recalibrate vulnerability management for AI-speed attacks |
The practical consequence matters more than the terminology. Because the AI expectations ride on existing sections, there was no transition period and there is no future effective date to wait for.
A cyber security risk management plan that ignores AI today is already out of step with how DFS reads its own regulation, as Mayer Brown’s analysis of the letter confirmed.
Four AI Risks NYDFS Expects Covered Entities to Assess
The October 2024 letter organizes the threats into four categories, and each one must appear in the §500.9 risk assessment. Two categories cover attacks by threat actors using AI; two cover exposures created by your own AI adoption. The distinction drives which controls apply.
| AI risk category | What NYDFS describes | Primary control anchor |
| AI-enabled social engineering | Realistic, interactive deepfake audio, video, and text used to extract credentials or trigger fraudulent wire transfers | §500.7 access controls; §500.14 training |
| AI-enhanced cyberattacks | AI used to scan for vulnerabilities, accelerate malware and ransomware deployment, and evade detection | §500.5 monitoring; §500.16 incident response |
| Theft of nonpublic information | Large NPI stores, including biometric data, that attackers can use to defeat MFA and build deepfakes | §500.13 data management; §500.12 MFA |
| Supply chain dependencies | AI vendors and data suppliers whose compromise becomes a gateway into the covered entity | §500.11 third-party service provider policy |

Figure 2. Reported deepfake-related fraud losses in Q1 2025 alone exceeded the combined 2019–2023 total. This trend sits behind NYDFS’s AI focus.
The social engineering category is where the loss data concentrates. Deepfake-related fraud losses passed $200 million in the first quarter of 2025 (more than 2019 through 2023 combined) and exceeded $410 million by mid-year.
Signicat’s fraud research recorded a 2,137% increase in deepfake fraud attempts over three years.
Federal regulators see the same pattern. FinCEN’s alert on deepfake media fraud schemes directed institutions to tag suspicious activity reports with “FIN-2024-DEEPFAKEFRAUD” after observing a surge in fraudulent identity documents built with generative AI.
Feed those typologies into an AI risk assessment framework so each of the four categories gets scored against your actual exposure, not a generic checklist.
Section by Section: Mapping AI Obligations to 23 NYCRR 500
Examiners will not ask whether you read the guidance. They will ask where AI appears in each required program element. The table below consolidates every Part 500 section the October 2024 letter references, with the AI-specific action DFS describes for each.
| Part 500 section | Requirement | AI-specific action NYDFS expects |
| §§500.2–500.3 | Cybersecurity program and policies | Address AI threats in program design; update policies for AI use by the entity and its vendors |
| §500.4 | CISO and senior governing body | Board or equivalent must understand AI cybersecurity risks and oversee the response |
| §500.5, §500.14 | Monitoring and training | Monitor for unusual query behavior suggesting NPI extraction; block malicious content; run deepfake simulation exercises |
| §500.7, §500.12 | Access controls and MFA | Deploy authentication factors deepfakes cannot impersonate; restrict privileges to job need; annual reviews |
| §500.9 | Risk assessment | Cover the entity’s own AI use, vendors’ AI technologies, and AI-related vulnerabilities; update on material change |
| §500.11 | Third-party service provider policy | Due diligence on TPSP AI exposure; contract clauses for secure NPI use and breach notice |
| §500.13 | Asset and data management | Inventory AI-enabled systems; dispose of NPI no longer needed, including AI training data |
| §500.16 | Incident response and BCDR | Plans must address AI-related cybersecurity events explicitly |
Treat this mapping as a living register rather than a one-time memo. The risk management lifecycle logic applies: identify AI exposures, score them, assign owners per section, and re-assess when models, vendors, or use cases change.
- 500.9(d) requires the risk assessment to be updated whenever a material change in business or technology occurs, and deploying a new AI tool qualifies.
Entities running NIST-based programs can shortcut the work. Each row above corresponds to controls already catalogued in a NIST CSF 2.0 implementation, so tagging existing controls with an AI dimension is usually faster than drafting new ones.
The full regulation text sits on the DFS cybersecurity resource center for clause-level verification.
Deepfake-Resistant MFA Under the NYDFS Cybersecurity Regulation
November 1, 2025 was the compliance date for universal MFA: every authorized user accessing any information system, not just privileged accounts or remote access. Most coverage stopped there.
The AI guidance goes a step further and grades authentication factors by whether generative AI can defeat them.
DFS is unusually specific. The letter advises entities to “avoid authentication via SMS text, voice, or video, and use forms of authentication that AI deepfakes cannot impersonate,” language that aligns with CISA’s phishing-resistant MFA guidance. Voice and video verification, still common in call centers and wire release procedures, now sit on the wrong side of a named regulatory expectation.
| Authentication method | NYDFS stance | Why |
| SMS text codes | Avoid | Interception and SIM-swap risk; socially engineered relay |
| Voice or video verification | Avoid | Real-time deepfake audio and video defeat human review |
| Push-based OTP apps | Caution | Vulnerable to MFA-fatigue prompts and AI-personalized phishing |
| Digital certificates | Preferred | Machine-bound credential a deepfake cannot reproduce |
| Physical security keys | Preferred | Phishing-resistant possession factor; no human judgment involved |
| Biometrics with liveness detection | Preferred with controls | Texture analysis and liveness checks verify a live person, not a synthetic replay |
Stolen biometric data compounds the problem: the letter notes attackers can use it to imitate authorized users and generate new deepfakes, which is why §500.13 data minimization applies to biometric stores. Employee-facing rules belong in a generative AI acceptable use policy that pairs authentication standards with query discipline for public AI tools.
AI Vendors, TPSPs, and the Supply Chain Overlay
Every AI capability most covered entities deploy arrives through a vendor: a foundation model API, an enriched data feed, or an embedded copilot. Section 500.11 therefore becomes the busiest control in the AI overlay: due diligence, contractual protections, and breach notification must all reflect the vendor’s AI exposure.
The economics justify the effort. IBM’s 2025 Cost of a Data Breach Report put the average shadow AI breach at $4.63 million, some $670,000 above the global average, and found one in five organizations suffered a breach traced to unsanctioned AI tools. Worse, 97% of organizations reporting AI-related breaches lacked proper AI access controls, and 63% had no AI governance policy at all.
Anchor the overlay in your existing third-party risk management framework rather than building a parallel AI vendor process. Add AI-specific questions to the vendor risk assessment questionnaire: which models process our NPI, where is training data stored, what happens to prompts, and how fast is breach notice contractually guaranteed?
DFS “strongly recommends” weighing the threats facing TPSPs themselves from AI. Most questionnaires skip that adversarial lens. Continuous monitoring closes the loop; several TPRM platforms now flag vendors’ AI incidents and model changes between annual reviews, which satisfies the ongoing-diligence expectation far better than a static PDF assessment.
Governance, Certification, and What Enforcement Actually Looks Like
Section 500.4 puts AI oversight in the boardroom: the senior governing body must have sufficient understanding of cybersecurity risk, AI included, to exercise real oversight. April 15, 2026 sharpened the stakes, because the annual certification signed by the CEO and CISO covered the fully phased-in amended regulation for the first time.
A certification filed while AI risks sit outside the risk assessment is not a paperwork gap. It is a personal accountability problem for the two signatories. Boards should demand AI-specific reporting: a defined risk appetite statement for AI use, plus key risk indicators tracking deepfake attempts, shadow AI discoveries, and vendor AI incidents.

Figure 3. NYDFS Part 500 settlements since 2021: the enforcement machinery the AI guidance now plugs into.
The enforcement record shows how examiners convert guidance into penalties. OneMain Financial paid $4.25 million in 2023 partly for storing administrative passwords in a shared folder literally named “PASSWORDS.”
PayPal paid $2 million in January 2025 after an access gap exposed customers’ Social Security numbers on Forms 1099-K, charged in part as a training failure.
Robinhood Crypto’s $30 million penalty in 2022 remains the ceiling-setter. The common thread across all five settlements is mundane control failure, not exotic attacks, which is exactly how AI gaps will surface.
An examiner who finds voice-verified wire releases in 2026 has both the October 2024 letter and the enforcement playbook to act on.
The May 2026 Frontier AI Advisory: A Preview of the Next Compliance Cycle
DFS’s May 21, 2026 advisory defines its target precisely: frontier AI models “amplify the potency, scale, and speed of identifying vulnerabilities and exploits in information systems.”
The advisory creates no binding requirements, but Greenberg Traurig’s analysis notes DFS will treat it as an examination benchmark: did you consider the measures, document your reasoning, and update the risk assessment?
Four expectations stand out. Reassess vulnerability management timelines, because AI-discovered flaws get exploited faster than monthly patch cycles assume, and build dependency maps with your third-party providers.
Apply extra testing and human oversight to AI-generated code, then evaluate whether logging and alerting can keep pace with machine-speed attacks.
Use the advisory as a rehearsal script. Run a tabletop from your business continuity exercise scenarios library where an AI-discovered zero-day hits a critical vendor, and time how long detection, escalation, and patching take. Defensive tooling helps here too.
Several AI risk management tools now monitor for shadow AI and model-level anomalies that traditional GRC platforms miss.
Where Part 500’s AI Expectations Meet NIST AI RMF and ISO 42001
Multi-state and multi-jurisdiction firms should not build a New York-only AI program. The NIST AI Risk Management Framework and ISO/IEC 42001 already structure the same obligations, so one control library can serve DFS examiners, federal supervisors, and certification auditors simultaneously.
| Part 500 AI expectation | NIST AI RMF anchor | ISO/IEC 42001 anchor |
| AI risks in §500.9 risk assessment | Map 1–5: context, categorization, impacts | Clause 6.1 risk and opportunity assessment |
| Board oversight (§500.4) | Govern 1–2: policy, accountability chain | Clause 5 leadership and commitment |
| AI vendor diligence (§500.11) | Govern 6: third-party AI risk | Clause 8 + Annex A supplier controls |
| Deepfake-resistant MFA (§500.7/500.12) | Manage 1–2: prioritized risk response | Annex A access control objectives |
| AI monitoring (§500.5/500.14) | Measure 2: continuous evaluation | Clause 9 performance evaluation |
| AI incident response (§500.16) | Manage 4: incident response integration | Clause 10 improvement and nonconformity |
Sequencing matters less than consistency. Firms in scope for European rules can reuse the same library; the crosswalk logic mirrors the EU AI Act versus NIST AI RMF comparison, and financial entities juggling operational resilience rules will recognize the pattern from DORA and NIS2. One inventory, one control set, multiple regulatory outputs.
Where cybersecurity frameworks are already embedded, extend rather than replace. The NIST CSF and ISO 27001 comparison shows how control families overlap; adding the AI dimension to each family costs weeks, while a standalone AI compliance program costs quarters and drifts from the controls examiners actually test.
Frequently Asked Questions
Is there a formal NYDFS cybersecurity regulation AI amendment?
No. NYDFS declined to add a dedicated AI section during the Second Amendment rulemaking, stating that Part 500’s risk-based framework already covers AI. The AI obligations come from the amended regulation itself, the October 16, 2024 industry letter, and the May 21, 2026 frontier AI advisory, which is why the phrase “NYDFS cybersecurity regulation AI amendment” describes a body of guidance rather than a numbered rule.
Does the October 2024 NYDFS AI guidance create new legal obligations?
Technically no: the letter interprets existing Part 500 requirements rather than imposing new ones. Practically yes: it tells covered entities how examiners will evaluate risk assessments, MFA, vendor management, training, and monitoring against AI threats.
An entity that ignores the guidance is betting its certification on an interpretation DFS has already rejected in writing.
Who must comply with the Part 500 AI expectations?
Every covered entity licensed under New York Banking, Insurance, or Financial Services Law: banks, insurers, mortgage servicers, money transmitters, and virtual currency firms.
Class A companies (over $20 million in New York revenue plus either 2,000 employees or $1 billion global revenue) face additional obligations. The May 2026 advisories address all DFS-regulated organizations regardless of exemption status.
Which authentication methods does NYDFS say to avoid?
SMS text, voice, and video authentication, because generative AI deepfakes defeat all three. The guidance points instead to digital certificates and physical security keys, and to biometrics hardened with liveness detection and texture analysis. Call-center voice verification and video identity checks for wire releases are the highest-priority replacements.
What did the May 2026 frontier AI advisory change?
Nothing in the binding rule, and that is the point. The advisory warns that frontier AI models accelerate vulnerability discovery and directs entities to reassess patching timelines, map third-party dependencies, oversee AI-generated code, and test whether logging matches machine-speed attacks. DFS signaled it will use the advisory as an examination benchmark for risk assessment updates.
How does 23 NYCRR 500 apply to third-party AI vendors?
Section 500.11 requires due diligence before granting any TPSP access to systems or nonpublic information, and the AI guidance extends that to the vendor’s own AI exposure. Contracts should mandate secure NPI handling in AI systems, timely breach notification, and minimum controls like MFA and encryption. DFS also recommends assessing threats facing the vendors themselves from AI.
What penalties has NYDFS imposed for cybersecurity failures?
Robinhood Crypto paid $30 million (2022), OneMain Financial $4.25 million (2023), PayPal $2 million (January 2025), Healthplex $2 million (2024), and Residential Mortgage Services $1.5 million (2021). None involved sophisticated attacks; the violations were weak access controls, poor training, and delayed reporting, the same control families the AI guidance now stresses.
How do the Part 500 AI expectations align with NIST AI RMF?
Cleanly. The §500.9 AI risk assessment maps to NIST’s Map function, board oversight to Govern, vendor diligence to Govern 6, monitoring to Measure, and incident response to Manage. Organizations already running NIST AI RMF or ISO/IEC 42001 programs can tag existing controls to Part 500 sections instead of building a separate New York compliance silo.
Common Pitfalls in NYDFS AI Compliance
| Pitfall | Root cause | Remedy |
| Waiting for a formal AI amendment | Misreading guidance as optional until codified | Treat the October 2024 letter and May 2026 advisory as examination criteria in force now |
| Annual-only AI risk assessment | §500.9(d) material-change trigger overlooked | Re-assess whenever a new AI tool, model, or vendor is deployed |
| Voice or video identity verification retained | Legacy call-center and wire-release procedures | Replace with digital certificates, security keys, or liveness-tested biometrics |
| AI vendor contracts silent on NPI | Questionnaires never updated for AI | Add model, training data, prompt handling, and breach-notice clauses to §500.11 diligence |
| No monitoring for NPI extraction queries | SIEM rules built for network events, not AI queries | Flag unusual query patterns; block NPI submissions to public AI tools |
| Shadow AI outside the asset inventory | Business units adopting tools without intake | Extend the §500.13 inventory to AI systems; scan SaaS telemetry monthly |
| Certifying without AI evidence | Compliance framed as an IT task, not an attestation risk | Brief CEO and CISO signatories on AI gaps before each April 15 filing |
Looking Ahead
Formal rulemaking remains the open question. DFS told Second Amendment commenters that AI risks belong in existing risk assessments, but the May 2026 advisory shows the Department’s attention intensifying. A Third Amendment with explicit AI provisions, or a standalone AI regulation like New York’s insurance circular on AI underwriting, is a realistic 2027 scenario.
The 2026 examination cycle is the nearer-term test. With every phase-in complete and the first full-scope certifications filed on April 15, 2026, examiners have shifted from implementation support to enforcement. Expect AI questions in the risk assessment review: which of the four risk categories you scored, what changed after the frontier AI advisory, and who signed off.
Agentic AI will force the next expansion. As covered entities deploy AI agents that access nonpublic information autonomously, §500.7 access controls and §500.6 audit trails must capture agent identity and operation-level activity, questions the current guidance only gestures at. Position the enterprise risk management framework to treat AI as a standing risk category with its own owner, appetite, and KRIs.
Cross-jurisdiction convergence is already visible: Colorado’s AI Act, the EU AI Act’s extraterritorial reach, and interagency deepfake warnings all pull toward the same control set Part 500 now tests. Firms that consolidated AI governance early will absorb each new rule as a mapping exercise; everyone else will run it as another program.
Turn the NYDFS AI Guidance Into a Working Compliance Program
Risk Publishing helps financial services risk teams operationalize the NYDFS cybersecurity regulation AI amendment guidance: AI risk assessments mapped to §500.9, deepfake-resistant authentication standards, TPSP questionnaire upgrades, and board reporting packs grounded in ISO 31000, NIST CSF 2.0, and NIST AI RMF.
Explore our risk advisory services, or contact us to scope a Part 500 AI readiness review before the next examination cycle reaches your file.

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s(MSc) degree in Risk Management from University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.