NY DFS Part 500 compliance for AI workloads
23 NYCRR Part 500 applies to AI used by covered financial entities. Prism produces the evidence each section asks for, and Prism X covers third-party AI tool risk.
- Cybersecurity program documentation with AI-specific controls
- Third-party AI tool risk assessment and continuous monitoring
- 72-hour incident reporting evidence pack
- CISO-level reporting on AI risk posture
About this framework
23 NYCRR Part 500 is the New York Department of Financial Services cybersecurity regulation. It applies to all entities licensed by NY DFS — banks, insurers, money services businesses, and lenders operating in New York. The 2023 amendments expanded scope to cover AI systems explicitly, requiring CISO oversight, third-party AI tool risk assessment, and 72-hour incident reporting for AI-related events.
Who needs to comply
Industries this applies to
Banking
All NY-licensed banks and BHCs operate AI under Part 500.
Insurance
NY-licensed insurance carriers and producers fall in scope.
Fintech / MSBs
Money transmitters and BNPL operating in NY are covered entities.
Asset Management
NY-licensed advisers using AI for research or trading are in scope.
Obligations
What Part 500 requires for AI
- §500.2 — written cybersecurity program covering AI systems
- §500.3 — written policies for AI development, use, and decommissioning
- §500.9 — periodic risk assessment, with AI-specific risks called out
- §500.11 — third-party service provider security policy (covers vendor AI tools and consumer-AI usage)
- §500.16 — incident response plan, AI incidents in scope
- §500.17(a) — 72-hour notice to DFS for cybersecurity events affecting AI systems
Mapping
How Prism produces the evidence
| Obligation | Capability | Evidence |
|---|---|---|
| §500.2 cybersecurity program — AI in scope | Prisms + Audit Export | Continuous trace log of every AI interaction, exportable as immutable audit pack |
| §500.9 risk assessment for AI | Prism Model Audits + Red Teaming | Pre-deployment audit reports; adversarial test findings with severity |
| §500.11 third-party AI tool oversight | Prism X Audit Events | Per-employee log of every prompt sent to ChatGPT, Claude, Gemini, Copilot, with redactions |
| §500.16 / §500.17 incident response | Prism Sessions + Prism X Audit Events | Conversation-level reconstruction of any AI incident; redacted snippets within minutes |
Evidence pack
One click in Prism produces: the AI cybersecurity program document, the latest risk assessment, the third-party AI tool register from Prism X, and the last 90 days of guardrail-blocked or warned events. Hand it to DFS examiners as-is.
Built for: Covered entities under NY DFS 23 NYCRR 500: banks, insurers, MSBs, lenders