Understanding The NIST AI Risk Management Framework & Why It Matters
As artificial intelligence (AI) advances and becomes more integrated into our daily lives, organizations need to understand the potential risks and challenges associated with its use. To effectively manage these risks, the National Institute of Standards and Technology (NIST) has developed a comprehensive AI Risk Management Framework.
These new NIST guidelines are designed to help companies of any size and in any sector use AI safely and responsibly, while helping reduce the risks these tools introduce. In this blog, our risk advisory experts will explore the key components of this framework and how it can help your organization safely implement and use this rapidly evolving technology.
What Is The NIST AI Risk Management Framework?
The NIST AI Framework is a set of general guidelines and a tailored approach for managing the risks associated with AI systems. It is based on the well-established NIST Risk Management Framework, which is used to manage risk areas associated with developing systems, including cybersecurity risks.
The specific framework provides a structured approach for organizations to identify, assess, and mitigate potential risks related to the development, deployment, and use of advanced AI systems. However, our team also expects that the application of these guidelines will continue evolving quickly in light of the marketplace race to develop AGI (artificial general intelligence) tools.
Why Is The NIST AI Framework Important?
By aligning with the NIST AI Risk Management Framework, organizations can help ensure compliance with data regulations and standards regarding cybersecurity and privacy related to AI. This includes the General Data Protection Regulation (GDPR) and the ISO/IEC 27001 standard for information security. In the words of our IT Risk and Cybersecurity Practice leader:
“This framework is also a key tool to help your organization identify and mitigate potential risks before they become major issues, reducing the likelihood of costly data breaches or other security incidents.”
— Rich Sowalsky, Managing Director
AI vs. Traditional Software: A Risk Management Perspective
Both Artificial Intelligence (AI) and traditional software use involve navigating potential pitfalls, but the nature of the risks and their management differ in several key ways.
| AI Risks | Traditional Software Risks | |
| Human Error & Bias | Susceptible to human errors and biases in development and data | Susceptible to human errors and biases in design and coding |
| Data & Algorithm Dependency | High risk from poor data quality, flawed algorithms, and unforeseen interactions | Moderate risk from data errors, flawed algorithms, and integration issues |
| Opacity & Complexity | Opaque models with complex logic, making risk identification and mitigation challenging | More transparent structure and logic flow, simplifying risk assessment and mitigation |
| Emerging Risks & Adaptability | Non-static, adaptable nature of AI can introduce new, unforeseen risks | Static nature limits risk emergence making assessment and mitigation more predictable |
| Societal & Ethical Implications | High risk of privacy violations, discrimination, and societal impacts | Lower risk of societal impacts, primarily technical failures and financial losses |
| Risk Management Focus | Continuous monitoring, adaptation, and ethical considerations | Established practices, less need for ongoing adaptation, limited ethical considerations |
4 Key Components Of The Framework
The NIST AI Risk Management Framework (RMF) consists of four key components. It’s helpful to start with these and then build a culture of active risk management where you’re actively cycling through these and re-assessing how they apply to your company.
Below we’ll provide a high-level overview, but if you want a detailed breakdown please visit the official NIST AI RMF documentation here.
Governance
Before implementing AI, work on establishing a governance structure and risk management processes for AI systems. This includes identifying roles and responsibilities, establishing policies and procedures, and a program for conducting risk assessments.
Having clear ownership of responsibilities will lay the foundation for a strong culture of AI risk management. This structure will ensure everyone is empowered to take ownership of watching out for and addressing risks.
Map
This piece of the framework addresses the risks associated with the development and deployment of AI systems. It hones in on the context of how they will be used. For example, what are the implications of using AI in collecting, storing, and using data? How will it affect the quality of that data, as well as its confidentiality, privacy, and security?
You’ll want to consider all facets of your organization. Having a diverse team involved in this process (different backgrounds, areas of expertise, and demographics) is important to fully understand and maintain an unbiased view of the impacts of using this technology.
For example, you’ll need to consider AI data risks that could potentially happen from third-party software partners or how AI affects supply chains. Including different stakeholders from within your organization will help ensure you don’t have any blind spots as you start to identify the side effects that come with the systems and people using them.
Measure
Once you begin leveraging this technology, you’ll want to ensure there are processes for testing, validation, and verification of your AI systems. Putting this structure around measurement in place will allow you to verify your AI systems to make sure they’re functioning as intended and limiting risk exposure. You’ll also be able to catch any active issues that arise and counteract them.
Make sure to use a mix of qualitative and quantitative methods to analyze and measure. In this stage, the steps you take should provide meaningful and transparent insights that you can use to feed into the next step of the framework, managing.
Manage
This final component of the NIST AI RMF is about prioritizing and managing resources to address your risks. This includes developing incident response, recovery, and continuity plans, which are informed by what you gathered in the Govern and Map processes. The goal is to decrease the chances of a system failure and negative effects.
In completing this component, AI stakeholders are empowered to prioritize and resolve risks effectively. They’re also better equipped each time to change their approach, methods, and contexts as the technology and its usage develop.
Seeing the NIST AI Framework In Action
NIST has provided two great case studies looking at two different organizations that adhered to this risk management framework.
Workday
This enterprise software company leverages the NIST AI Risk Management Framework to strengthen its responsible AI approach. This framework helps them map, measure, and manage potential risks, ultimately earning and maintaining customer trust in their AI tools. Read the NIST case study on Workday here.
The City Of San Jose
San Jose uses the NIST AI RMF to identify gaps in their AI governance. They found their old approach lacked a formal citywide policy, user feedback mechanisms, and comprehensive testing procedures. To address these gaps, they plan to develop an AI policy, provide staff training, and improve system evaluation. Read the City of San Jose case study here.
Don’t Wait to Prioritize Your AI Security & Risk Management
No matter what type of company you are or where you are in your business lifecycle, a strong risk management approach can set you up for success. Implementing AI should enhance, not hinder, your business. However, implementing it without caution can lead to detrimental consequences.
Navigating this emerging technology can be complicated and overwhelming, but you don’t have to face it alone. Centri’s IT Risk & Cybersecurity team is well-versed in NIST standards and the latest emerging trends and challenges around AI. Our experts are here to support you with implementing the NIST AI Risk Management Framework to ensure you get the best possible results from the latest technology.
Want to implement AI technology safely into your business? Find the expertise you need on demand from Centri.
About Centri Business Consulting, LLC
Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and tax, CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.
Eight Penn Center
1628 JFK Boulevard
Suite 500
Philadelphia, PA 19103
530 Seventh Avenue
Suite 2201
New York, NY 10018
4509 Creedmoor Rd
Suite 206
Raleigh, NC 27612
615 Channelside Drive
Suite 207
Tampa, FL 33602
1175 Peachtree Street NE
Suite 1000
Atlanta, GA 30361
50 Milk Street
18th Floor
Boston, MA 02109
1775 Tysons Blvd
Suite 4131
McLean, VA 22102
8310 South Valley Highway
3rd Floor
Englewood, CO 80112
1-855-CENTRI1
virtual@CentriConsulting.com
Index