NYDFS Part 500 and AI: What New York’s Cybersecurity Regulation Requires of Agent Governance

New York’s financial services institutions are deploying AI agents across client reporting, underwriting, claims processing, fraud detection, and regulatory workflows. Most of these workflows access nonpublic information — the category of sensitive customer data that 23 NYCRR Part 500 was built to protect. That puts AI agent deployments squarely inside the compliance boundary that the New York Department of Financial Services has been enforcing with increasing aggression since the Second Amendment took effect in November 2023.

In October 2024, NYDFS made its position explicit. An industry letter from Superintendent Adrienne Harris clarified that the Cybersecurity Regulation already requires covered entities to assess and address AI-related cybersecurity risks — including risks from their own AI deployments. No new regulation was needed. The existing Part 500 framework applies directly to AI agent workflows that touch nonpublic information.

This post explains what Part 500 requires for AI-enabled workflows, what the October 2024 guidance adds, where AI deployments create compliance gaps, and how covered entities can build a defensible cybersecurity posture for AI agent access to nonpublic information.

Executive Summary

Main Idea: NYDFS Part 500’s core requirements — risk assessment, access controls, audit trails, third-party vendor management, and incident response — apply to AI agent deployments that access nonpublic information. The October 2024 NYDFS industry letter confirmed this interpretation, making clear that covered entities must incorporate AI-specific risks into every component of their cybersecurity program. Covered entities that have deployed AI against NPI-bearing workflows without updating their risk assessments, access control policies, and vendor management frameworks are out of compliance with Part 500 today.

Why You Should Care: NYDFS has demonstrated a pattern of multi-million dollar enforcement actions and a willingness to target individual executives. The Second Amendment introduced personal accountability at the senior governing body level — CISOs and their highest-ranking executive must sign an annual certification of material compliance. Any covered entity whose AI agents have been accessing NPI without the access controls, audit trails, and risk assessment coverage Part 500 requires is certifying compliance with controls that do not exist.

Key Takeaways

1. NYDFS Part 500 already applies to AI agent access to nonpublic information — the October 2024 industry letter confirmed this without adding new requirements. Covered entities cannot treat AI governance as a future compliance obligation. The Cybersecurity Regulation’s existing framework — risk assessment, access controls, audit trails — applies to AI systems now, and NYDFS examiners are assessing compliance against it accordingly.
2. Risk assessments must be updated to specifically address AI-related risks. Part 500’s risk assessment requirement (Section 500.9) mandates periodic updates when information systems or business operations change. Deploying AI agents against NPI-bearing workflows is a material change. Risk assessments that predate an organization’s AI deployments — or that address AI only in generic terms — do not satisfy this requirement.
3. Access controls for AI agents must address the specific threat of AI-enhanced attacks. The October 2024 guidance emphasized that MFA methods vulnerable to AI-enhanced deepfakes — SMS text, voice, and video authentication — are insufficient for protecting NPI in an AI environment. Access controls for both human users and AI agents must be capable of withstanding AI-manipulated authentication attacks.
4. Third-party AI vendors are subject to the same vendor management obligations as any other service provider touching NPI. If an AI vendor’s infrastructure processes NPI on behalf of a covered entity, that vendor is a third-party service provider under Part 500 and must meet the minimum cybersecurity standards required by Section 500.11. Covered entities cannot outsource their Part 500 compliance to an AI vendor’s attestations.
5. Annual compliance certifications must reflect actual AI governance controls, not aspirational ones. The Second Amendment requires CISOs and their highest-ranking executive to certify material compliance annually. Any covered entity whose AI agents have been accessing NPI without the access controls, audit trails, and risk assessment coverage that Part 500 requires is certifying compliance with controls that do not exist — which is itself an enforcement risk.

What NYDFS Part 500 Requires for AI-Enabled Workflows

Part 500 is a cybersecurity regulation, not a recordkeeping or disclosure framework. Its core requirements establish what a covered entity’s cybersecurity program must be able to do: protect the confidentiality, integrity, and availability of information systems; detect and respond to cybersecurity events; and demonstrate governance at the senior leadership level. Each of these requirements applies directly to AI agent deployments that interact with nonpublic information.

Risk Assessment (Section 500.9)

Part 500 requires covered entities to conduct periodic risk assessments that identify and assess cybersecurity risks to NPI, updated when information systems or business operations materially change. The October 2024 industry letter specified that risk assessments must address three AI-specific categories: the covered entity’s own AI use; AI technologies used by third-party service providers; and vulnerabilities from AI applications that could compromise NPI confidentiality, integrity, or availability. An AI deployment that was not specifically evaluated in the current risk assessment is an unassessed risk — a direct Section 500.9 deficiency regardless of how well the AI system performs operationally.

Access Controls (Section 500.7)

Part 500 requires covered entities to implement access controls, including MFA, to limit NPI access to authorized users. For AI agents, this has two dimensions. First, agents must be governed by controls that restrict NPI access to authorized workflows and operations — no agent should have broader NPI reach than its specific task requires. Second, authentication mechanisms protecting NPI-bearing systems must resist AI-enhanced attacks. The October 2024 guidance explicitly flagged that deepfakes can circumvent SMS text, voice, and video authentication, and directed covered entities to use phishing-resistant methods that AI-generated media cannot impersonate. As of November 2025, MFA is required for all users accessing NPI — a requirement that extends to the systems and pathways through which AI agents reach NPI.

Audit Trail Requirements (Section 500.6)

Part 500 requires covered entities to maintain audit trails designed to detect and respond to cybersecurity events. For AI agent deployments, the audit trail must capture what NPI was accessed, by which agent or system, under what authorization, and when — at an operation level sufficient to support incident detection and forensic investigation. Standard API call logs and LLM inference logs do not satisfy this requirement: they record system events, not the NPI-specific access data that Part 500’s audit trail obligation requires. Records supporting compliance must be retained for five years and be producible to NYDFS upon request.

Third-Party Service Provider Management (Section 500.11)

Part 500 requires covered entities to maintain written policies governing third-party service providers that access NPI, including minimum cybersecurity standards and ongoing due diligence. AI vendors whose infrastructure processes NPI — model hosting providers, API gateway operators, vector database vendors — are third-party service providers under Part 500. The October 2024 guidance added specificity: due diligence should evaluate how AI-related threats facing the vendor could affect the covered entity, and agreements should require vendors to notify the covered entity of any AI-related cybersecurity event. A covered entity that has not assessed its AI vendors under the Section 500.11 framework has a compliance gap.

Incident Response (Section 500.16)

Part 500 requires an incident response plan capable of addressing cybersecurity events. The October 2024 guidance specified that these plans must be designed to address AI-related cybersecurity events — including AI-enhanced attacks and incidents involving AI agent access to or exposure of NPI. Qualifying cybersecurity incidents must be reported to NYDFS within 72 hours. An AI agent that accesses NPI without authorization, or is compromised through prompt injection or AI-enhanced social engineering, is a cybersecurity event under Part 500. If the incident response plan does not address how to detect, contain, and report such an event, the plan is inadequate.

Where AI Deployments Create Part 500 Compliance Gaps

The Part 500 compliance gaps introduced by AI agent deployments follow a consistent pattern across covered entities. They are not failures of intent — most organizations that have deployed AI agents understand that they are regulated. They are failures of architecture: AI deployments built for operational capability without the cybersecurity program components that Part 500 requires.

Risk Assessments That Don’t Reflect the AI Environment

Most covered entities conducted their current risk assessment before AI agents became part of their operations, or updated it in generic terms when AI was deployed. Part 500 requires risk assessments to reflect the actual information systems in use. An assessment that identifies “cloud services” as a risk category but makes no mention of AI agents accessing NPI, the specific vulnerabilities those agents introduce, or the vendor dependencies they create, does not satisfy Section 500.9 for the current environment. NYDFS examiners will compare deployed AI systems against the risk assessment — and gaps between the two are findings.

Access Controls Built for Humans, Not Agents

Most covered entities have implemented MFA and access controls for human users. AI agents typically bypass these through service accounts or API keys with broad NPI access, no MFA challenge at the workflow level, and no operation-level scoping. This architecture satisfies neither the access control requirement for the agent’s NPI access nor the updated standard for authentication mechanisms resistant to AI-enhanced deepfake attacks. It treats AI agents as trusted internal processes rather than NPI accessors subject to Part 500’s access control requirements.

Vendor Management That Stops at the Contract Layer

Many covered entities have AI vendor agreements with standard cybersecurity representations but have not performed the substantive Section 500.11 assessment the October 2024 guidance requires. A vendor agreement containing a generic security warranty — without evaluating how the vendor’s AI infrastructure specifically protects NPI during model inference, and without AI-specific incident notification provisions — does not satisfy Part 500’s third-party management requirements.

Best Practices for NYDFS Part 500-Compliant AI Agent Governance

1. Conduct an AI-Specific Risk Assessment Update

Update the Part 500 risk assessment to specifically address AI deployments: inventory every AI agent or system accessing NPI, assess the cybersecurity risks each introduces (vendor dependencies, authentication vulnerabilities, NPI exposure in the event of compromise), and document the controls in place or planned. This is an update to the core risk assessment that drives the entire cybersecurity program — and it must be completed before the next annual certification cycle.

2. Extend Access Controls to AI Agent Workflows at the Operation Level

Implement access controls that govern AI agent NPI access per-operation, not just per-session. Each agent workflow should operate under a unique identity credential scoped to the specific NPI required, with access evaluated against the agent’s authorized profile and the NPI classification of the requested data. Authentication mechanisms protecting NPI-bearing systems should use phishing-resistant methods that cannot be impersonated by AI deepfakes — avoiding SMS, voice, and video factors that NYDFS has specifically flagged as insufficient in an AI threat environment.

3. Build AI-Specific Audit Trails That Support Incident Detection and Forensics

Deploy operation-level audit logging for AI agent NPI access: agent identity, authorized workflow context, specific NPI accessed, operation performed, and timestamp. Logs must be retained for five years, be tamper-evident, and feed into the organization’s SIEM so anomalous AI agent access is detected in real time. This audit trail supports both Section 500.6 detection requirements and the forensic basis for the 72-hour NYDFS incident notification if an AI-related cybersecurity event occurs.

4. Conduct Substantive AI Vendor Due Diligence Under Section 500.11

For every AI vendor whose infrastructure processes NPI, perform the third-party risk assessment Part 500 requires: evaluate how the vendor protects NPI during model inference, assess the vendor’s AI-related threat exposure and its potential impact on the covered entity, and update agreements to require notification of AI-related cybersecurity events affecting the covered entity’s NPI. Generic security warranties do not satisfy the updated third-party management standard.

5. Update Incident Response Plans to Address AI-Related Cybersecurity Events

Revise the incident response plan to specifically address AI-related cybersecurity events: unauthorized AI agent NPI access, prompt injection attacks causing NPI exfiltration, AI-enhanced social engineering resulting in NPI exposure, and vendor-side AI incidents affecting the covered entity’s NPI. Define detection criteria, containment procedures, and how the 72-hour NYDFS notification obligation is triggered and executed for each event type.

How Kiteworks Supports NYDFS Part 500 Compliance for AI Agent Deployments

The core challenge Part 500 poses for AI deployments is that the Cybersecurity Regulation requires controls to be embedded in the systems that access NPI — not layered on after deployment. AI agents accessing NPI through service accounts and system prompts are operating around the cybersecurity program, not inside it. Bringing AI agent NPI access into Part 500 compliance requires a governance layer that intercepts every agent interaction, enforcing the access controls, audit trails, and identity governance the regulation demands.

The Kiteworks Private Data Network provides NYDFS-covered entities with a data-layer governance architecture that sits between AI agents and the NPI they need to access — verifying agent identity, enforcing operation-level access policy, applying FIPS 140-3 Level 1 validated encryption, and capturing a tamper-evident, five-year-retainable audit trail for every NPI interaction. Every AI agent workflow inherits Part 500 cybersecurity controls automatically, built into the data access architecture rather than bolted on through manual review.

Operation-Level Access Controls and Identity Governance for Section 500.7

Kiteworks authenticates every AI agent before NPI access occurs, using unique per-workflow credentials linked to the human authorizer who delegated the task. Operation-level ABAC policy ensures each agent accesses only the NPI required for the specific authorized workflow. This satisfies Part 500’s access control requirements for AI agent NPI access and provides the operation-level scoping that service account deployments cannot demonstrate.

Tamper-Evident Audit Trail for Section 500.6 and 72-Hour Incident Notification

Every AI agent NPI interaction is captured in a tamper-evident, operation-level log — agent identity, human authorizer, specific NPI accessed, operation type, policy evaluation outcome, and timestamp. Logs are retained for five years and feed into the organization’s SIEM for real-time detection of anomalous access. When a qualifying AI-related cybersecurity event occurs, the complete interaction record is immediately available to support the 72-hour NYDFS notification obligation.

Third-Party Vendor Management Support for Section 500.11

Kiteworks provides covered entities with a vendor relationship built around demonstrable Part 500 compliance. The platform’s architecture ensures NPI accessed by AI agents is governed by the same access controls, encryption, and audit infrastructure as all other NPI exchange — giving covered entities a vendor relationship they can document in their Section 500.11 assessment with specificity, not generic attestations.

For NYDFS-covered entities seeking to bring AI agent deployments inside their Part 500 cybersecurity program without slowing deployment velocity, Kiteworks makes every AI agent interaction with NPI compliant by design. Learn more about Kiteworks for financial services or request a demo.

Additional Resources

• Blog Post
  Zero‑Trust Strategies for Affordable AI Privacy Protection
• Blog Post
  How 77% of Organizations Are Failing at AI Data Security
• eBook
  AI Governance Gap: Why 91% of Small Companies Are Playing Russian Roulette with Data Security in 2025
• Blog Post
  There’s No “–dangerously-skip-permissions” for Your Data
• Blog Post
  Regulators Are Done Asking Whether You Have an AI Policy. They Want Proof It Works.