NYDFS Part 500 Cybersecurity Regulation: AI System Compliance Requirements for F

The New York State Department of Financial Services (NYDFS) overhauled 23 NYCRR Part 500 in November 2023. The revised regulation — the most significant update since the original 2017 rule — added new requirements for CISO accountability, governance, third-party service provider oversight, and incident notification. While the rule does not use the words "artificial intelligence," every substantive change touches the infrastructure that financial institutions use to deploy AI systems.

For compliance officers, CISOs, and risk teams at banks, insurance companies, mortgage servicers, and other DFS-licensed entities, the practical question is: how do your AI and LLM deployments map to the 2023 amendment obligations? This article answers that question section by section, with specific attention to audit trail requirements that DFS examiners are already asking about.

Part 500 Coverage: Which Entities and Which AI Systems

Part 500 applies to any entity holding a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law, or Financial Services Law — collectively, "Covered Entities." This includes commercial banks, savings institutions, credit unions, insurance companies, licensed lenders, mortgage companies, money transmitters, and cryptocurrency businesses licensed under BitLicense.

The regulation governs "Information Systems" — any interconnected system or subsystem of resources under the same direct management that shares common functionality. AI systems deployed in production qualify unambiguously as information systems when they process, store, or transmit "Nonpublic Information" (NPI), which includes personally identifiable financial and health information.

Scope Clarification

A chatbot that accesses customer account information, a fraud-detection model that processes transaction data, a credit-scoring system that ingests applicant records, and an LLM-powered document analyzer that reads loan files are all information systems processing NPI under Part 500. The form of the system (AI, ML, traditional software) is irrelevant to coverage.

Section 500.2: Cybersecurity Program — AI Risk Assessment Obligations

The foundational requirement is Section 500.2(a): covered entities must maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems. The 2023 amendments added new specificity about what the program must include, including a formal risk assessment process under Section 500.9.

For AI systems, the risk assessment dimension is critical. Section 500.9 requires covered entities to conduct periodic risk assessments of their information systems and use the results to inform the cybersecurity program, controls, and policies. AI-specific risks that belong in that assessment include:

  • Prompt injection attacks — adversarial inputs that manipulate AI system behavior
  • Model inversion attacks — attempts to extract training data or sensitive information from AI model outputs
  • Third-party AI API dependency — service availability, security posture, and data handling of AI vendors
  • Data exfiltration via AI outputs — AI systems generating outputs that contain sensitive information in unintended ways
  • Unauthorized access to AI decision records — access control weaknesses in AI audit trails
  • AI model drift — degradation of model behavior over time that creates compliance risk

Risk assessments must be reviewed and updated when there are material changes to information systems — which means AI model updates, new AI vendors, expanded AI use cases, and changes to data inputs all trigger a re-assessment obligation.

Section 500.4: CISO Obligations — AI Governance Accountability

The 2023 amendments substantially elevated the role and responsibilities of the Chief Information Security Officer. Section 500.4 now requires the CISO to:

  • Report to the senior governing body or a senior officer at least annually on the cybersecurity program's effectiveness
  • Report promptly on material cybersecurity issues
  • Have adequate resources and authority to fulfill the CISO function
  • Have authority to implement the cybersecurity program

The annual CISO report must cover material cybersecurity risks and the overall effectiveness of the cybersecurity program. If the organization deploys AI systems that process NPI or make consequential decisions about customers, those systems create cybersecurity risks that belong in the CISO's report. A CISO who cannot demonstrate visibility into AI system behavior, decision records, and policy controls will face questions during DFS examination.

CISO Reporting Requirement

DFS examiners have asked covered entities to produce the CISO's annual board report and demonstrate that it addresses AI-related cybersecurity risks. CISOs whose reports treat AI systems as generic "third-party applications" without AI-specific risk discussion have received examination findings. A governance layer that produces board-ready metrics on AI decision volume, policy enforcement rate, and audit trail integrity gives the CISO the data to satisfy this requirement.

Section 500.6: Audit Trails — The Core AI Compliance Obligation

Section 500.6 is the most directly relevant provision for AI governance. It requires covered entities to implement and maintain audit trails designed to detect and respond to cybersecurity events that would have a material impact on normal operations. The audit trail requirements have two components:

  • 500.6(a): Audit trails that detect and respond to cybersecurity events affecting normal operations, retained for at least three years
  • 500.6(b): Audit trails of financial transactions sufficient to reconstruct material financial transactions, retained for at least five years

For AI systems deployed in financial services, Section 500.6(a) requires records sufficient to detect anomalous AI behavior — a system generating unusual outputs, an unexpected pattern of policy enforcement failures, or unauthorized access to AI decision infrastructure. Section 500.6(b) reaches AI systems that participate in financial transactions — for example, an AI that approves loan applications, authorizes payments, or generates trading signals.

What an AI Audit Trail Must Contain

The regulation specifies that audit trails must be "designed to detect and respond to" cybersecurity events. Operationally, this means the trail must contain enough information for forensic investigation. For an AI system processing financial transactions, a compliant audit trail record should contain at minimum:

// Minimum Section 500.6(a) AI audit record fields
{
  "record_id":         "uuid-v4",          // Unique immutable identifier
  "timestamp_utc":     "ISO-8601",         // Millisecond precision
  "entity_id":         "dfs_licensee_id",  // Covered entity identifier
  "system_id":         "ai_system_name",  // Which AI system
  "model_version":     "v2.3.1",          // Model version at time of decision
  "requester_id":      "user/service_id", // Who invoked the AI
  "requester_role":    "loan_officer",    // Access control context
  "input_hash":        "sha256:...",      // Hash of input (not plaintext)
  "policy_set":        "lending_v3",      // Which policies evaluated
  "decision":          "ALLOW|BLOCK|MODIFY",
  "decision_reason":   "policy_id_list",  // Which rules triggered
  "output_hash":       "sha256:...",      // Hash of output delivered
  "signature":         "hmac-sha256:...", // Tamper-evident signature
  "retention_class":   "500-6-a|500-6-b" // Which retention schedule applies
}

The cryptographic signature field is critical. Section 500.6 requires that audit trails be protected from modification. A record without a tamper-evident signature cannot prove that it has not been altered after the fact — which means it cannot satisfy the "detect and respond" purpose of the requirement. HMAC-SHA256 signatures computed at the time of the AI decision, using a key managed in a hardware security module, provide the integrity protection the regulation requires.

Section 500.11: Third-Party Service Providers — AI Vendor Risk

Section 500.11 requires covered entities to implement policies and procedures for third-party service provider security. The 2023 amendments significantly strengthened these requirements, adding explicit requirements to:

  • Identify, assess, and monitor third-party service providers with access to information systems or NPI
  • Implement multi-factor authentication or equivalent security controls for third-party access
  • Include cybersecurity requirements in written contracts with third-party service providers
  • Conduct periodic risk assessments of third parties

For financial institutions using third-party AI APIs — including generative AI services, fraud detection platforms, credit scoring providers, and document processing systems — Section 500.11 creates specific obligations that many organizations have not yet addressed.

Third-Party AI Scenario Section 500.11 Obligation Governance Approach
Generative AI API for customer communications Security assessment of AI vendor; contractual data handling protections; MFA for API access Pre-execution governance intercepts requests, enforces content policy, logs every interaction before reaching third-party API
Third-party fraud detection model Periodic vendor risk assessment; access controls; audit of data shared with vendor Governance layer controls data scope, logs data inputs shared, produces signed record of each query
Cloud-hosted credit scoring AI Written contract with cybersecurity requirements; monitoring of vendor access to NPI Governance wrapper enforces contractual data restrictions, produces audit record of every scoring request with data fields accessed
AI document analysis service Security assessment; data residency verification; incident notification requirements Pre-execution governance validates document content before transmission, logs classification decisions, flags policy violations

Section 500.14: Training — AI Security Awareness

Section 500.14 requires covered entities to implement cybersecurity awareness training for all personnel that addresses their cybersecurity responsibilities. The 2023 amendments added a new requirement: training must be updated as necessary to reflect actual and attempted cybersecurity events that the covered entity experiences.

For organizations deploying AI systems, this means training programs should address AI-specific cybersecurity threats, including prompt injection, social engineering attacks that leverage AI, and safe practices for handling AI-generated outputs. Personnel who use AI systems in their daily work — loan officers reviewing AI recommendations, compliance staff using AI document review, customer service agents using AI-assisted responses — need training that addresses AI-specific risks, not just generic phishing awareness.

Section 500.17: Notices — AI-Related Incident Reporting

The 2023 amendments significantly changed the notice requirements in Section 500.17. Covered entities must now notify DFS within 72 hours of a "cybersecurity event" — defined broadly to include unauthorized access to information systems or NPI. The amendments added a new category: notification within 24 hours of extortion payments related to a cybersecurity event.

AI-related incidents that could trigger notification obligations include:

  • Unauthorized access to AI decision records or training data
  • A successful prompt injection attack that caused the AI to output NPI
  • Compromise of an AI API key providing access to NPI
  • Discovery that a third-party AI vendor experienced a breach that exposed NPI
  • An AI system making decisions outside its authorized policy envelope at scale
72-Hour Clock

The 72-hour notification clock starts when the covered entity "becomes aware" of a cybersecurity event. Organizations without AI-specific monitoring infrastructure may not detect AI-related incidents until long after they occur — which means the notification clock starts late, increasing regulatory risk. A governance layer that generates real-time alerts on policy violations, anomalous AI behavior, and access control failures gives the security operations function the visibility to start the clock accurately.

CoreGuard → NYDFS Part 500 Mapping

CoreGuard's pre-execution AI governance architecture addresses each of the core Part 500 AI compliance obligations:

NYDFS Section 500.2(b) — Risk Assessment
CoreGuard policy packs encode institutional risk tolerances as deterministic rules. Each deployment generates a policy inventory that maps directly to the risk assessment categories DFS examiners review.
CoreGuard — Policy Pack Architecture
Versioned policy configurations with change history. Each rule set maps to a risk category. Policy pack updates generate audit records showing which rules changed, when, and by whom.
NYDFS Section 500.6 — Audit Trails
Requires immutable, tamper-evident records of cybersecurity events and AI decisions touching NPI. Three-year minimum retention for 500.6(a); five-year for 500.6(b) financial transactions.
CoreGuard — Decision Certificates
Every AI interaction produces an HMAC-SHA256 signed decision certificate with timestamp, policy evaluation result, and disposition. Certificates are append-only and cryptographically tamper-evident. Configurable retention periods.
NYDFS Section 500.4 — CISO Reporting
Requires CISO to report annually on cybersecurity program effectiveness, including material AI-related risks. Board must receive meaningful data.
CoreGuard — Governance Dashboard
Real-time dashboard and exportable reports covering AI decision volume, block rate, policy enforcement by rule, anomaly detection alerts, and third-party AI API usage. Board-ready metrics generated automatically.
NYDFS Section 500.11 — Third-Party Controls
Requires oversight of third-party AI vendor security, access controls for third-party API access, and written contractual protections.
CoreGuard — API Gateway Enforcement
Acts as mandatory gateway for all third-party AI API calls. Every request is evaluated against policy before transmission. Data scope controls limit what NPI is sent to third-party AI APIs.

What DFS Examiners Are Asking About AI

Based on examination trends and DFS published guidance, covered entities should anticipate the following AI-specific questions during technology examinations:

1
AI System Inventory
Examiners will request a complete inventory of AI and ML systems in production that process NPI or make consequential decisions about customers or transactions. Organizations without a current, maintained AI inventory face immediate findings. The inventory should include system purpose, data inputs, NPI scope, third-party vendors, and oversight mechanisms.
2
AI Governance Policies
Examiners will ask to see written policies governing AI use, covering approval processes, monitoring requirements, and decommissioning procedures. Policies that address AI in a single paragraph within a broader technology policy will be scrutinized. AI-specific policy sections addressing model risk, vendor oversight, and audit trail requirements demonstrate mature governance.
3
Audit Trail Samples
Examiners will request sample audit records from AI systems that process NPI. They will verify that records contain sufficient detail for forensic review, are tamper-evident, and are retained for the required periods. Records that consist only of application-level logs without cryptographic integrity protection will be questioned.
4
Third-Party AI Vendor Contracts
Examiners will review contracts with AI API vendors for cybersecurity provisions: data handling requirements, breach notification obligations, audit rights, and access control requirements. Contracts that treat AI APIs like generic SaaS applications without AI-specific security terms will generate findings.
5
Incident Response Procedures
Examiners will ask how the organization would detect and respond to AI-specific incidents: a compromised AI API key, a prompt injection attack, or a third-party AI vendor breach. Incident response playbooks that lack AI-specific scenarios will be noted as gaps.

Practical Compliance Steps for 2024–2026

Given the examination trends and the 2023 amendment requirements, DFS-covered entities deploying AI systems should prioritize the following actions:

  1. Complete an AI system inventory — document every AI system in production that touches NPI, including third-party AI APIs, with data flows and decision scope for each
  2. Update the Section 500.9 risk assessment to include AI-specific risk categories (prompt injection, model drift, vendor concentration, data exfiltration via output)
  3. Implement pre-execution AI governance — deploy a governance layer that intercepts AI requests, enforces policy controls, and generates signed audit records before AI systems receive NPI
  4. Update third-party vendor contracts for AI API providers to include cybersecurity requirements, breach notification timelines, and audit rights
  5. Develop AI-specific incident response playbooks covering the scenarios most likely to trigger the 72-hour notification obligation
  6. Include AI cybersecurity in CISO board reporting — produce quantified metrics on AI system governance, policy enforcement, and anomaly detection
  7. Conduct AI penetration testing as part of the Section 500.9 penetration testing program, including prompt injection and adversarial input testing
Examination Readiness

Covered entities that can produce, within 24 hours of an examination request: (1) a complete AI system inventory, (2) sample signed audit records from each AI system, (3) AI governance policies, and (4) third-party AI vendor contracts with cybersecurity provisions — will be substantially better positioned than peers who address these items reactively. DFS examination findings on AI governance are increasingly treated as material deficiencies, not minor observations.

Show DFS Examiners Your AI Audit Trail

CoreGuard generates HMAC-SHA256 signed decision certificates for every AI interaction — the tamper-evident audit records Section 500.6 requires. Deployed in front of any AI API in under a day.

Request Demo Read the Docs

Frequently Asked Questions

Does NYDFS Part 500 explicitly cover AI and LLM systems?
NYDFS Part 500 does not use the term "artificial intelligence" or "large language model" in its text. However, the 2023 amendments broadened the regulation's scope in ways that squarely capture AI systems. Section 500.9 now requires covered entities to conduct penetration testing and vulnerability assessments of "information systems" — and AI inference endpoints, API gateways, and model-serving infrastructure qualify as information systems. Section 500.6 requires an audit trail of cybersecurity events and access to sensitive data, and AI systems that access customer data or make consequential decisions generate exactly the kind of events the regulation targets. DFS examiners have begun asking covered entities to produce AI system inventories and governance documentation as part of routine examinations.
What does Section 500.6 require for AI system audit trails?
Section 500.6 requires covered entities to implement and maintain audit trails designed to detect and respond to cybersecurity events. For AI systems, this translates to maintaining immutable records of: which AI system was invoked, by whom, at what time, what input was provided, what policy controls evaluated the request, what decision was rendered (and the reasoning), and what output was delivered. The audit trail must be protected from alteration and retained for at least three years. A pre-execution governance layer that generates HMAC-SHA256 signed decision certificates for every AI interaction produces exactly the audit record format that satisfies Section 500.6 — the cryptographic signature ensures the record cannot be altered after the fact.
How does the NYDFS 2023 amendment change AI governance obligations for CISOs?
The 2023 amendments to Part 500 significantly increased CISO accountability. Section 500.4 now requires the CISO to provide an annual report to the senior governing body (board or senior officer equivalent) covering material cybersecurity risks and the effectiveness of the cybersecurity program. If the organization deploys AI systems that create material cybersecurity risk — including through third-party AI APIs, prompt injection vulnerabilities, or data exfiltration risk — the CISO must assess and report on those risks. Section 500.3 now also requires covered entities to implement policies and procedures specifically governing access controls for third-party service providers, which includes AI API vendors. CISOs who cannot demonstrate a structured governance process for AI API access and decision audit trails face examination findings.
Does NYDFS Part 500 apply to third-party AI vendors used by covered entities?
Yes. Section 500.11 requires covered entities to implement written policies and procedures for third-party service provider security, and the 2023 amendments strengthened these requirements. A covered entity that uses a third-party AI API must assess the third party's cybersecurity practices, ensure the third party implements appropriate cybersecurity controls, and include cybersecurity-related contractual protections in the agreement. Critically, the covered entity remains responsible for the security of data processed by the third-party AI system. Organizations that route requests through a governance layer before they reach the AI API can demonstrate to DFS examiners that third-party AI usage is controlled, audited, and policy-compliant.
What should a covered entity expect during a DFS AI governance examination?
DFS examiners increasingly include AI-specific questions in technology examinations. Covered entities should expect requests for: (1) an inventory of AI and ML systems in production that touch consumer data or make consequential decisions; (2) policies governing the use, monitoring, and decommissioning of AI systems; (3) access control records showing who can invoke AI systems and with what permissions; (4) audit trail samples demonstrating that AI decisions are logged with sufficient detail for forensic review; (5) incident response procedures that address AI-specific failures; and (6) board-level reporting on AI cybersecurity risks. Organizations that have deployed a structured AI governance layer with cryptographically signed audit records will be materially better positioned than those relying on application-level logging alone.

Related Articles

Regulation

SR 11-7: Model Risk Management Guidance for AI Systems

Read Article →
Compliance

AI Governance for Credit Decisions: ECOA, FCRA, and Fair Lending

Read Article →
Financial Services

LLM Compliance in Regulated Industries

Read Article →
EU Regulation

EU AI Act Compliance and Enforcement Guide

Read Article →