New AI Guidance: NIST Reveals First Version of AI Risk Management Framework

The Framework is divided into two parts, with part 1 describing the intended audience, explaining how organizations can best frame AI risk, and outlining what trustworthy AI systems look like.¹ Trustworthy systems, according to the Framework, are characterized by valid, reliable, secure, accountable, transparent AI that is explainable and privacy enhanced, with any harmful biases managed. Part 2 of the Framework is the core of the guidance, laying out four categories of functions that organizations should adopt to address risks of AI systems.² These functions are:

• Govern – This function is about cultivating a risk management culture, including implementing appropriate structures, policies and processes to identify and manage AI risks. Risk management must be a priority for senior leadership, who set the tone for organizational culture, and for management, who align the technical aspects of AI risk management with organizational policies. The technical aspects of AI risk management must be aligned to organizational polices and operations. Unlike the other functions that are specific to certain parts of the AI lifecycle, this function applies to all stages of an organization’s AI risk management process.
• Map – This function is intended to enhance an organization’s ability to identify AI risks and their broader contributing factors. After documenting the intended purposes and expectations of the AI system, the organization should weigh its benefits and risks compared to the status quo to individuals, communities and other organizations. Contextual information must be considered, along with the specific methods used to complete tasks that the AI system will support, and information on the system’s knowledge limits. The outcome of this function serves as the basis for the subsequent two functions.
• Measure – This function uses the information identified in the Map function, employing quantitative, qualitative or mixed-method risk assessment methods and input of independent experts to analyze and benchmark AI risks and their impacts. AI systems should be analyzed for trustworthy characteristics, social impact and human-AI configurations. The outcome of this functions will serve as the basis for the Manage function.
• Manage – This function involves allocating resources to the mapped and measured risks, on a basis defined by the Govern function. Identified risks must be managed to increase transparency and accountability, prioritizing higher-risk AI systems. After determining whether the AI system achieves its intended purpose, treatment of risks must be allocated based on their impact. The systems showing outcomes inconsistent with the intended purpose should be superseded, disengaged or deactivated. Organizations should continue to apply risk management over time as new and unforeseen methods, needs, risks or expectations emerge.

Comments on the Framework will be accepted until February 27, 2023, with an updated version set to launch in spring 2023.

¹ In this Framework, “AI system” is defined as “an engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments” designed to operate with varying levels of autonomy.

² Dep’t of Com., NIST, Artificial Intelligence Risk Management Framework (January 26, 2023), available at https://www.nist.gov/itl/ai-risk-management-framework.