Notes
N.001 · Architecture

The Five Layer Blueprint for Institutional AI

A NIST aligned reference architecture for hedge funds and alternative asset managers, with the use cases that actually compound alpha in 2026.

Agim Lolovic May 2026 ~8 min read

If you are building the AI program at a hedge fund or an alternative asset manager in 2026, the work in front of you is genuinely exciting. The frameworks have arrived. The models are good enough. The use cases are clear. What separates the firms that compound this advantage from the firms that stall is not the choice of vendor. It is the architecture beneath the choice.

This is the five layer blueprint I would build if you asked me to start one tomorrow. It is grounded in the NIST AI Risk Management Framework1 and the Treasury and Cyber Risk Institute Financial Services AI Risk Management Framework2 that landed in February 2026. It is opinionated where the work demands an opinion. It is open to revision where the field is still moving. The intent is to give you a shared vocabulary, a working diagram, and enough specificity that the people on your team can act on Monday morning.

One more thing before we start. I do not have an ego invested in any of this being your only path. If you have already shipped something working, I want to learn from it. If you have not started yet, I want you to start well. Take what is useful here. Leave the rest.

* * *

The Frameworks the Sector Is Already Aligning To

Two documents anchor the conversation. Both are public, both are free, and both were written specifically for the work in front of you.

The first is NIST AI RMF 1.0, published in January 2023 by the National Institute of Standards and Technology. It defines four functions that organize the entire risk management practice around AI systems. Govern. Map. Measure. Manage. The framework is voluntary, sector agnostic, and structured as a living document that NIST plans to revisit through formal community input no later than 2028.1 A companion document, the Generative AI Profile (NIST AI 600-1), was published in July 2024 and catalogs twelve risk categories specific to generative AI alongside hundreds of suggested mitigation actions.3

The second is the Financial Services AI Risk Management Framework (FS AI RMF), released February 19, 2026 by the U.S. Department of the Treasury in partnership with the Cyber Risk Institute and the Financial Services Sector Coordinating Council. It was developed with input from more than 100 financial institutions and translates the NIST functions into 230 control objectives tailored to banks, insurers, asset managers, and their third party providers.2 Treasury simultaneously released an AI Lexicon that establishes shared terminology across regulators, technical teams, legal teams, and business teams.4

These are not abstract documents. The FS AI RMF includes an Adoption Stage Questionnaire that classifies an organization as Initial, Minimal, Evolving, or Embedded based on business impact, technology sophistication, and scalability. Controls scale with stage. The framework explicitly resists one size fits all compliance.2

Govern
Culture and accountability
Policies, roles, oversight, and the council that approves use cases. Always on. Sits above the other three.
Map
Context and risk
For each AI system, identify the workflow, the data, the stakeholders, and the failure modes before you build.
Measure
Evidence and evaluation
Eval sets, ongoing metrics, drift detection, red teams. The discipline that prevents shipping vibes.
Manage
Operational response
Gateway controls, incident playbooks, model upgrades, continuous improvement based on Measure signal.

If you are anywhere in a hedge fund, family office, or private capital firm and your board has asked what framework are we following, the answer is here. You are not inventing the standard. You are applying it correctly.

* * *

The Five Layers

Here is what I would build. Read it top to bottom, then we will walk each layer.

5. Use Cases
Domain copilots that compound alpha. Diligence agents, IC memo drafting, cross portfolio pattern matching, alternative data overlays, IR and DDQ automation. Each one is a thin agent loop calling the layers beneath it.
4. Gold
Pre computed answers and semantic cache. The top hundred questions your investment team asks, materialized and refreshed nightly. Eval golden sets live here. Speed and cost optimization.
3. Silver
Multiple projections of the source of truth. Vector database for semantic search. Knowledge graph for entities and relationships. Structured warehouse for extracted financials. Full text search for exact phrase recall. Each engine answers a different question shape.
2. Bronze
The source of truth. Every document from every source system replicated to immutable object storage. Classified at ingest. Source ACLs preserved as metadata. Versioned, lineage tracked. The only layer that cannot be regenerated.
1. Source
Your systems of record. DealCloud, eFront, SharePoint, Box, email, loan documents, Bloomberg, PitchBook, internal Slack. Not modified. Replicated outbound to Bronze.

Around all five sit the four NIST functions. Govern at the top. Map, Measure, and Manage running continuously per use case. Bronze, Silver, Gold is borrowed from data engineering and adapted for AI. The pattern is decades old in lakehouse architecture. What is new is treating it as the load bearing structure for institutional AI.

"The model commoditizes. The query log, the eval set, and the knowledge graph, tuned to your investment process over eighteen months. That is the durable asset." Working principle

Layer 2: Why Bronze is the Decision That Decides the Others

This is the layer most firms skip, and skipping it is what creates the regret cycle. If your firm's documents are chunked, embedded, and indexed inside a vendor's proprietary system before they exist anywhere you control, you have outsourced the source of truth. Every embedding upgrade, every chunking improvement, every framework change forces a re extraction from production source systems. Eighteen months of tuning lives inside someone else's data structures.

Bronze fixes this. The pattern is simple. Before any chunking, before any embedding, before any model call, every document from every source system is replicated to immutable, object based storage that you control. Classified at ingest. Four tiers, sized for the work: Public, Internal, Confidential, Restricted. ACLs propagated from source. If the deal team cannot see a document in SharePoint today, the retrieval system must not surface it tomorrow. Versioned and lineage tracked. Every chunk you eventually serve traces back to a Bronze document with a date, an owner, a classification, and a permission set.

The FS AI RMF expects this. The framework is built around evidence, not assertion. Regulators will not ask whether you have a policy. They will ask for logs and dashboards.5 Bronze is what makes the answer fast.

Layer 3: Why Silver is Plural

Institutional questions do not all have the same shape. Show me every credit agreement that includes a most favored nation clause is a structured query against extracted clauses. Summarize operational risks across our energy portfolio is semantic search across narrative. What is the EBITDA trend for ABC Holdings over six quarters is a warehouse query. Find deals we passed on in 2023 where the founder is back fundraising is a knowledge graph traversal joined to a deal database.

Four question shapes. Four retrieval engines. Vector for semantic recall, knowledge graph for entities and relationships, structured warehouse for financial data, BM25 for exact phrase. Hybrid retrieval merges them and consistently outperforms any single engine. The Silver layer is plural because the question is plural.

Layer 4: Why Gold is Earned, Not Anticipated

Gold holds the answers you know will be asked over and over. The top fifty internal questions across the investment team. The standard IR DDQ responses. The portfolio monitoring snapshots that get pulled every Monday morning. Pre compute them. Cache them. Serve them in milliseconds at a fraction of the cost of running the full pipeline.

The mistake firms make here is building Gold first, trying to anticipate the high value questions before they have production traffic to learn from. Resist this. Let usage teach you what to materialize. The Bronze and Silver layers are stable infrastructure. Gold is a continuously refined collection of materialized views informed by what your team actually asks.

Layer 5: Where Alpha Lives

This is the layer that justifies the program. Below it is infrastructure. Here is where the investment team feels the difference.

Diligence Velocity
Review three to five times more deals at the same headcount
Thesis driven filtering on every inbound CIM and teaser. Auto generated comp set from prior deals the firm has seen. Pre populated diligence question list ranked by materiality. Every claim cited to source. The associate spends time on judgment. Anthropic released a credit memo agent template in May 2026 specifically for this work, validated on the Vals AI Finance Agent benchmark where Opus 4.7 scored 64.4 percent.6
Cross Portfolio Synthesis
Pattern matching no human team can hold in working memory
A weekly synthesis across every portco board package and KPI dashboard. Covenant proximity flagged. Sector wide signals affecting multiple portcos at once surfaced before they hit a board meeting. Three of your software portcos report NRR decline this quarter. Common cause? That is the question the firm could not previously ask at scale.
Alternative Data Overlay
The signal most firms have access to but never join
Patent filings, supply chain telemetry, hiring data, regulatory filings, sentiment, satellite imagery. The data has been available for years. The unlock is joining it to your own deal pipeline, your own portfolio, your own thesis. Goldman Sachs has been candid about three sequential waves of AI deployment, and the third, the one Marco Argenti described as the most exciting in the long term, is using AI to make better risk and investment decisions.7
Institutional Memory
What happens when a senior partner retires
Every IC memo. Every post mortem. Every deal we passed on and why. Every clause we negotiated and why we held the line. The firm's accumulated judgment becomes queryable. What did we underwrite for this comp three deals ago. That question, answered in seconds, is the most underrated source of edge in alts.
IR and LP Servicing
DDQs and RFPs drafted at fundraise velocity
The agent drafts answers from prior approved responses. Net new questions are flagged for human review. The IR team becomes meaningfully more leveraged without expanding. This is the workstream most firms underestimate. Faster, sharper LP servicing drives re ups and fundraise velocity. That is direct AUM growth.
* * *

What Makes the Architecture Hold Together

Three things sit alongside the five layers and make the whole system trustworthy.

The AI Gateway. A single egress point for every model call your firm makes. Authentication, classification check, semantic cache lookup, model routing by data tier, audit logging, cost attribution. Multi provider on the back end so you can route Claude for the work where it leads and have a fallback ready. Anthropic's Claude Opus 4.7, released April 2026, is the strongest financial reasoning model on the market today, leading the Vals AI Finance Agent benchmark and the GDPval AA benchmark for economically valuable knowledge work.6 That is the model I would build around as the primary. The gateway makes Claude your preference, never your dependency.

Zero Data Retention. Contractual guarantee from the model provider that your prompts and completions are not retained beyond the request lifecycle. Required for anything touching confidential or restricted data. The gateway enforces it per call. Procurement signs it on the master agreement.

Observability and Evals. Every gateway request is a trace. Every trace feeds a dashboard. Every prompt change, every retrieval change, every model swap goes through an eval harness before promotion. Your eval set is a hand curated collection of questions with known good answers, written by your senior investment professionals. That eval set is the most important asset you will build. The model commoditizes. The eval set tuned to your firm's standards over eighteen months does not.

* * *

The Adoption Stages, Honestly

The FS AI RMF four stages are useful because they let you scope the work to where you actually are.2 An honest read for most alts firms in mid 2026:

  1. Initial. Sanctioned ChatGPT licenses, no gateway, no classification, no evals. The policy is six months old and written defensively.
  2. Minimal. A pilot or two has shipped. Some team is using Claude or Copilot for drafting. There is no single source of truth and no audit trail.
  3. Evolving. Gateway in place, classification policy live, first Bronze ingest running. One or two production copilots with eval scores. AI Council meeting monthly.
  4. Embedded. Bronze and Silver fully populated across major source systems. Five or more production copilots. Evals gating every deploy. Gateway routing Claude as primary with documented multi provider redundancy. AI Council reviewing aggregate metrics quarterly.

Most firms I look at sit between Initial and Minimal. A few are Evolving. None are Embedded yet. That is not a critique. The field is twenty four months old in serious form. The opportunity for any firm willing to do the work is to lead the sector through this transition, not to chase it.

* * *

One Structural Point About the Role

If your firm is hiring a Head of AI or Chief AI Officer to lead this, that role should report to the Chief Executive Officer or Chief Operating Officer. Not the CIO. Not into IT.

The reason is simple. The work described here is not an IT delivery function. It touches the investment process, the LP relationship, the operating model, the regulatory posture, and the firm's institutional memory. It is a cross platform leadership role with alpha and value creation in its mandate. When it reports into IT, it inherits an IT cost center frame, and it gets sized, budgeted, and evaluated as automation. That is how the program becomes a one trick pony. That is how it stalls.

When it reports to the CEO or COO, with a dotted line into the executive committee, the role can sit at the table where investment, operations, IR, compliance, and technology converge. That is the only seat from which the program can actually be built.

* * *

Where to Start

You do not need to build everything at once. The work sequences naturally.

  1. Pick one source system. The one with the highest density of valuable institutional knowledge. For most alts firms that is SharePoint, Box, or DealCloud. Replicate every document to immutable object storage with classification and lineage. This is Bronze. Nothing else moves until this lands.
  2. Draft the classification taxonomy with Legal. Four tiers. Defined criteria. The GC signs the page. The Treasury AI Lexicon is a useful starting reference for shared terminology with Legal and Compliance.4
  3. Stand up the gateway. Single egress. Auth, classification check, routing, audit log. Claude Opus 4.7 as the primary model with multi provider redundancy on the back end.
  4. Stand up the AI Council. Monthly, not quarterly. The CEO or COO at the head. The GC, the CCO, the CISO, each platform head, the Head of AI. Three approval tiers and an incident escalation path.
  5. Build one copilot end to end. One use case, one platform, one named business sponsor. Eval gated before promotion. The first one is expensive because you are building the loop. The fifteenth is cheap because the loop becomes the franchise.

That is the first ninety days. Foundation plus one shipped thing. The rest follows.

* * *

What I find energizing about this moment is that the field has matured to the point where serious institutions can do this work with confidence. The frameworks are public. The models are good enough. Anthropic, Blackstone, Hellman and Friedman, and Goldman Sachs launched an enterprise AI services firm in May 2026 specifically to fill the implementation gap, backed by a consortium that includes Apollo, General Atlantic, GIC, Leonard Green, and Sequoia.8 Treasury and CRI have given the sector the operational backbone. The question is no longer whether. It is how well.

If you are the CEO or the operating partner thinking through your firm's 2026 AI roadmap, I hope this is useful. If you are the Head of AI or the CIO mapping the architecture, I hope it sharpens what you already had in mind. If you disagree with parts of it, I would like to hear where, because the work improves through that conversation.

No ego on my side. Just a real interest in seeing this done well.

If this resonates

If you are mapping out 2026 and want a thought partner, reach out.

A few of the ways I tend to engage. A maturity diagnostic, structured around the FS AI RMF adoption stages, that gives you an honest read of where your firm sits across governance, data, infrastructure, evals, and use cases. Roadmap planning across the five layers with named owners, sequenced milestones, and a defensible budget envelope. Helping you scope and hire the Head of AI or Chief AI Officer for the seat, including the interview rubric. A second set of eyes on what your team has already built. Or owning the entire layer end to end as a fractional or full time leader.

One note for the CEOs and COOs reading this. The Head of AI role should report to you, not into IT. The work touches too many parts of the firm to live inside an IT cost center. Happy to walk through why in detail if it's helpful.

Start a Conversation
References
  1. NIST. Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1. Published January 26, 2023. Available at nist.gov/itl/ai-risk-management-framework
  2. Cyber Risk Institute, in partnership with the U.S. Department of the Treasury and the Financial Services Sector Coordinating Council. Financial Services AI Risk Management Framework. Released February 19, 2026. 230 control objectives, four adoption stages. Available at cyberriskinstitute.org
  3. NIST. Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1. Published July 26, 2024. Twelve generative AI risk categories with mapped mitigations.
  4. U.S. Department of the Treasury. Artificial Intelligence Lexicon. Released February 19, 2026. Available via the Treasury press release at home.treasury.gov
  5. Lowenstein Sandler. Operationalizing the 230 Control Objectives. February 24, 2026. Discusses the evidence first design philosophy of the FS AI RMF and the alignment with FFIEC examination practice.
  6. Anthropic. Introducing Claude Opus 4.7. April 2026. State of the art on Vals AI Finance Agent benchmark (64.4 percent) and GDPval AA. Available at anthropic.com/news/claude-opus-4-7. Agents for Financial Services launched May 5, 2026 with ten ready to run agent templates including pitchbook drafting, KYC screening, credit memo, valuation review, and month end close.
  7. Fortune. Anthropic deepens push into Wall Street with new AI agents. May 5, 2026. Goldman Sachs CIO Marco Argenti's three waves framework described at Anthropic's financial services briefing.
  8. Anthropic, Blackstone, Hellman & Friedman, Goldman Sachs joint announcement. Building a new enterprise AI services company. May 4, 2026. Backed by a consortium including Apollo Global Management, General Atlantic, GIC, Leonard Green, and Sequoia Capital.
Read next
All notes