Texas's AI law took effect January 1, 2026 — and substantial NIST AI RMF compliance is the statutory affirmative defense. Get documented

Frameworks · NIST AI Risk Management Framework

You shipped AI.
Now govern it.

Your product has AI in it, your employees have AI tabs open, and your customers' procurement teams just added an AI-governance section to the questionnaire. The NIST AI RMF — Govern, Map, Measure, Manage — is the most stable anchor in a chaotic regulatory landscape: Texas law makes alignment an affirmative defense, and federal buyers now require governance artifacts in AI procurements. Lionfish builds yours in the Cyber Tackle Box™.

AI RMF 1.0GenAI ProfileTexas TRAIGA defenseFederal AI procurementISO 42001-adjacent

AI governance stopped being optional

0
GenAI risk categories in NIST's Generative AI Profile — from confabulation to data leakage
0+
suggested actions in the profile — the operational layer buyers actually implement
0
AI use cases reported across 56 federal agencies — 445 of them high-impact, all needing governed vendors
0 defense
substantial NIST AI RMF compliance is the affirmative defense under Texas's AI law (effective Jan 1, 2026)

Sources: NIST AI 600-1; April 2026 federal agency AI inventories; Texas HB 149 (TRAIGA). State AI law is volatile — Colorado's act was delayed and narrowed, a federal preemption EO is in litigation — which is exactly why the NIST framework is the safe anchor.

Who this is for

For teams whose AI outran their governance

The regulatory map changes monthly. The NIST AI RMF is the one fixed point every regime references — align there and you're defensible everywhere.

  • Companies deploying AI in consequential decisions — hiring, lending, healthcare, insurance — especially with Texas exposure, where AI RMF alignment is the statutory defense.
  • Vendors selling AI to the federal government — OMB's procurement rules apply to solicitations since September 30, 2025, with governance flow-down terms in the contract.
  • Enterprises with GenAI sprawl — copilots, chatbots, and shadow AI everywhere, and a board asking who's accountable. (Our own AI research is IEEE-published — we govern what we build.)

Sound familiar?

The pain we hear on every first call

  • !You can't govern what you can't inventory. Shadow AI is the asbestos of 2026 — an AI system inventory is the first artifact every regulator and questionnaire asks for.
  • !Frameworks without a checklist. 4 functions, 12 GenAI risk categories, 200+ suggested actions — knowing which subset applies to your systems is the actual work.
  • !Regulatory whiplash. Colorado rewritten twice, a federal preemption order in court, EU AI Act deadlines marching on — you need a baseline that doesn't move.

The platform

How the Cyber Tackle Box™ runs your AI RMF program

The same GRC backbone that runs your security frameworks runs your AI governance — one platform, one evidence library, one team accountable.

AI Policy Templates

Acceptable-use, model documentation, human-oversight, and vendor-AI policies — the document set every AI governance questionnaire requests.

Map & Measure Objectives

Every AI system inventoried, risk-categorized, and tracked against the RMF functions with owners and dates.

Findings → Action

Impact-assessment findings become assigned remediation items — evidence of managing AI risk, not just acknowledging it.

AI System Inventory & Intel

The living inventory regulators ask for first — plus intelligence on the moving regulatory map, from Texas to the EU.

Impact Assessment Playbooks

Repeatable runbooks for AI impact assessments and procurement responses — answer the governance section once, reuse it every deal.

AI Literacy Training

Workforce training on responsible AI use — built by a team with four IEEE-published papers on AI and security, tracked per person.

Why Lionfish

A platform with humans attached

Practitioners, not just software

Checkbox tools leave you alone with the checklist. Our compliance advisors — the same team that trains certified CMMC assessors — work your program by, with, and through your people.

One system of record

Controls, policies, tasks, evidence, POA&Ms, and your workforce training in one platform — mapped across frameworks so one piece of evidence satisfies many requirements at once.

Veteran-owned & battle-tested

SDVOSB founded by a Green Beret, 4 IEEE-published papers, Purdue CERIAS partner, and multi-tenant for MSPs — trusted where security actually matters.

Straight answers

AI governance questions we answer every week

What is the NIST AI RMF?

The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is a voluntary framework for managing AI risk across four functions: Govern, Map, Measure, and Manage. Its Generative AI Profile (July 2024) adds 12 GenAI-specific risk categories with 200+ suggested actions. It's the reference point most US AI regulation and procurement now builds on — which makes it the most durable place to anchor your program.

Why does Texas matter to my AI program?

The Texas Responsible AI Governance Act took effect January 1, 2026, with attorney-general enforcement against AI misuse in consequential decisions — and it names substantial compliance with the NIST AI RMF as an affirmative defense. Documented AI RMF alignment is currently the cleanest legal ROI in AI governance: it's not just best practice, it's a statutory shield.

We sell AI to the government — what do we need?

Federal AI procurement under OMB's 2025 memoranda applies to solicitations issued since September 30, 2025: expect contract terms on training-data use, IP and data portability, and documented risk management. Agencies reported 3,611 AI use cases (445 high-impact) as of April 2026 — the market is real, and governance artifacts are the entry fee. We build the artifact set.

Isn't the AI regulatory landscape too unsettled to invest in?

That's exactly backwards. Colorado's law was delayed and narrowed, a December 2025 executive order put state AI laws in litigation, and the EU AI Act marches on regardless — the landscape is unsettled, but every version of it references the same NIST foundation. An AI RMF program is the one investment that pays off under every scenario, including the one where your biggest customer just wants the questionnaire answered.

Get in touch

Get your AI governance documented

Tell us where AI lives in your business — product features, internal tools, or both — and what's driving the ask. Straight scope within one business day.

  • 1We reply within one business day — usually faster.
  • 2A 30-minute call with someone who can actually answer your questions.
  • 3A straight recommendation — even if it's that you don't need us yet.

Prefer to skip the form? Book a time directly or call 1-877-732-6772.

Book a Free Call