Artificial intelligence (AI) is already active inside most transportation companies. In many cases, it arrived without an intentional decision, having been bolted on by vendors to existing platforms. These tools are now processing your operational data with no internal policy governing how it is used, who owns the output, or what to do when it gets something wrong.
That gap between the speed of AI adoption and our organizational readiness to manage it is what the National Motor Freight Traffic Association Inc. (NMFTA) Cybersecurity AI Governance Framework is designed to close. Released this month and available at no charge, this resource gives both practitioners and leaders a structured, trucking-specific set of controls for deploying AI securely and with clear accountability.
The AI conversation in transportation has historically focused on external threats: AI-enabled cyberattacks arriving faster, at greater scale, and with less technical sophistication required from the attacker. These threats are real, but this framework isn't primarily about defending against external attackers. Its focus is on the other side of the coin — the risks from AI present inside our organizations right now.
Internal AI risk is not a future concern. It is a current one, and it compounds the external threat. Organizations without a complete picture of what AI-enabled tools are actually running in their environment, along with robust governance and security controls around them, are exposed on both fronts simultaneously.
Ben Wilkens, NMFTA’s director of cybersecurity, put the internal access problem plainly. AI tools, he said, are "a lot like overeager interns with a bit too many permissions in their profile, because they will try to accomplish the task any way they can, and that may be through using data in a way you don't expect or intend."
The practical implications reach across the operation. Is telematics data feeding a vendor's model for other customers? Are quotes generated by an AI-enabled platform the carrier's proprietary information, or can the vendor use them for its own purposes? Is sensitive customer data properly isolated in a multi-tenant SaaS environment? These are not edge cases. They are the questions carriers are currently navigating without a framework with which to structure the conversation.
"Shadow AI" adds another layer of risk. Employees are using generative tools on corporate networks whether a policy exists or not. Wilkens was direct on this during the June 18 webinar accompanying the framework's release: Shadow AI is "typically a symptom of a need not being met in the organization." Prohibiting tools does not solve it. Providing approved, properly configured alternatives, and being explicit about why unauthorized tools carry specific risks, does.
Most existing AI governance guidance was written for organizations building or training their own models — a category that excludes nearly all trucking companies. Carriers, brokers, and shippers are overwhelmingly consumers of AI through third-party platforms. This is a fundamentally different governance challenge that existing frameworks do not address well.
NMFTA built this resource from that starting point. The framework's 50 controls span five domains: governance and oversight, data and privacy, security and access, safety and reliability, and risk and compliance.
Erica Brigance, vice president of strategic products and analytics at ArcBest, who also spoke on the webinar, framed the data discussion in terms that reflect how most trucking companies actually operate. Carriers hold decades of proprietary pricing logic, customer profiles, and operational data. The AI tools being integrated today want access to that data to function. "Our data is one of the most proprietary things we have," Brigance said. "I have to be very choosy about what I'm willing to share with a partner and what I'm not."
She also pointed out that AI is probabilistic, not deterministic. Traditional software follows defined rules and produces consistent outputs. AI systems produce outputs based on statistical likelihood. "If 85% accuracy isn't an acceptable outcome," Brigance said, "then I need a person to verify it." The framework addresses this issue with controls designed to clarify when "human-in-the-loop" safety measures are required.
In the webinar, Wilkens clarified that the framework is designed to be flexible enough that a small carrier can take practical guidance from it and complete enough that an enterprise operation can use it as a governance foundation. The goal is to provide a single resource that does not leave small operators behind while still serving larger fleets with more complex environments.
The framework and its accompanying implementation checklist are available at nmfta.org. NMFTA's annual Cybersecurity Conference, the only event dedicated exclusively to trucking cybersecurity, takes place Sept. 29 through Oct. 1 in Long Beach, California. Feedback on the framework is welcome at [email protected].

























