An Introduction to the NIST AI Risk Management Framework (RMF)

NIST created the AI Risk Management Framework (RMF) to help organizations creating or using AI systems manage the risks of AI and to promote the responsible development and use of AI. Much like NIST’s Cybersecurity Framework (CSF), the AI RMF is broken down into functions, categories, and subcategories.

The NIST AI RMF contains four functions:

  1. Govern

  2. Map

  3. Measure

  4. Manage

The Govern function helps organizations establish effective AI risk management. Putting in place the processes and tools specified in the Govern function will help your organization implement a strategy for managing the risks presented by AI.

The Map function details how organizations can gather data related to their AI use to identify associated risks. The risks identified in the Map function in turn inform the Measure and Manage functions.

The Measure function quantifies AI-related risks and establishes benchmarks for you to reference. You can then use these benchmarks to monitor identified risks for progression or regression, and to identify new risks more easily. These quantified risk measurements in turn inform the Manage function.

The Manage function seeks to address risks that were previously mapped and measured. The Manage function helps organizations prioritize risk mitigation activities, monitor risk, and improve the organization's overall risk posture.

Like the NIST CSF, the NIST AI RMF is intended to foster a culture of continuous improvement with respect to AI risk. In other words, a single pass through the NIST AI RMF shouldn’t be your goal; instead, you should iterate through its functions continuously.
