NIST AI Risk Management Framework 1.0

GOVERN sets the conditions: policy, legal alignment, documentation and trustworthy-AI characteristics integrated into how the organisation works.

1. 1Map your legal and regulatory landscape into policy.
2. 2Integrate the trustworthy-AI characteristics (valid, safe, secure, accountable, explainable, privacy-enhanced, fair).
3. 3Document risk-management processes and outcomes.

Accountability lines: who decides, who escalates, who signs.

1. 1Document roles, responsibilities and lines of communication.
2. 2Make senior leadership formally accountable for AI risk outcomes.
3. 3Define decision rights for go/no-go and override.

People, skills, and the awareness that AI risk is everyone's job.

1. 1Drive AI risk awareness across the organisation.
2. 2Train people on the AI tasks they actually perform.

Most teams integrate AI rather than build it. GOVERN 6 ensures vendor and supply-chain risk is treated as AI risk.

1. 1Inventory third-party AI, models and data.
2. 2Set due-diligence and contract requirements for AI suppliers.

MAP is where you frame the system: purpose, users, deployers, context - so risk analysis is grounded.

1. 1Establish context - purpose, users, deployment environment.
2. 2Identify categories and capabilities of the AI system.

Data is in MAP because you have to know what you're training on before you can quantify risk in MEASURE.

1. 1Catalogue training and operational data, sources, limits.

Confirm the people, partners and tooling needed exist before you commit.

1. 1List people, third parties, tools and infrastructure required.

Identify potential benefits, costs, and impacts on people and the environment.

1. 1Map likelihood and magnitude of harms.
2. 2Map impacts to affected individuals and groups.

Pick metrics appropriate to the risks you mapped. You cannot manage what you do not measure.

1. 1Select metrics, methods, and acceptance thresholds.

Quantitative and qualitative evaluation: validity, reliability, safety, security, explainability, privacy, fairness.

1. 1Test accuracy, robustness, reliability and security.
2. 2Test explainability and interpretability.
3. 3Test privacy and fairness.

Continuous monitoring of identified and emergent risks in production.

1. 1Track risks and feedback signals in operation.

Decide what to do about the risks: accept, mitigate, transfer, avoid.

1. 1Prioritise risks against context.
2. 2Plan and execute treatment.
3. 3Confirm human oversight points.

Manage risks of third-party AI and execute residual-risk treatments.

1. 1Treat residual risks and third-party AI risks operationally.

Post-deployment: monitor, detect, respond and improve.

1. 1Monitor in production.
2. 2Run incident response.
3. 3Report and learn.