
NIST AI Risk Management Framework

Learn how the framework and companion resources help organizations navigate the complex landscape of AI risk management.

Normative frameworks, like risk management frameworks, play a crucial role in AI assurance by establishing standardized methodologies to identify, assess, and mitigate risks associated with the development and deployment of artificial intelligence systems. These frameworks provide structured guidance that helps organizations navigate the complex landscape of AI technologies, ensuring their products and services are safe, secure, and trustworthy.

NIST’s AI Risk Management Framework 1.0

On January 26, 2023, NIST unveiled the inaugural version of its Artificial Intelligence Risk Management Framework 1.0 (AI RMF 1.0), a tool designed to help organizations navigate and evaluate the risks and integrity of AI development and deployment. Mandated by Congress, this framework was developed through extensive collaboration with both the private and public sectors, offering flexible guidelines to stay in sync with the fast-paced advancements in AI. It recommends fundamental practices for crafting reliable AI systems, focusing on governance, risk evaluation, and risk mitigation strategies.

The framework outlines four key organizational roles or functions that are crucial for effective implementation of the framework. These roles are designed to ensure that security and privacy risks are managed consistently across an organization. The functions are:

  1. Govern (set up institutional structures and processes)
  2. Map (understand context and identify risks)
  3. Measure (assess and monitor risks and impacts)
  4. Manage (prioritize, prevent, and respond to incidents)

These four organizational structures help ensure that risk management is effectively implemented at all levels, from the organization-wide governance down to the specific information systems, creating a unified and comprehensive approach to managing cybersecurity and privacy risks.

 

NIST AI RMF: Generative Artificial Intelligence Profile

In support of President Biden’s AI Executive Order (October 2023), NIST released NIST-AI-600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (July 2024), as a companion resource to the AI RMF 1.0, to improve the safety, security, and trustworthiness of AI systems. The profile is designed to help organizations identify risks posed by generative AI and proposes actions for generative AI risk management that best align with their goals and priorities.

The framework is aligned with the four organizational functions described in AI RMF 1.0: govern, map, measure, and manage risks.

“As GAI covers risks of models or applications that can be used across use cases or sectors, this document is an AI RMF cross-sectoral profile. Cross-sectoral profiles can be used to govern, map, measure, and manage risks associated with activities or business processes common across sectors, such as the use of large language models (LLMs), cloud-based services, or acquisition”

The framework describes the unique risks of GAI, which can vary along dimensions such as stage of the AI lifecycle, scope, source of risk, and time scale. It defines, maps, and suggests actions to manage the following risks: 

  1. CBRN Information or Capabilities
  2. Confabulation
  3. Dangerous, Violent, or Hateful Content
  4. Data Privacy
  5. Environmental Impacts
  6. Harmful Bias or Homogenization
  7. Human-AI Configuration
  8. Information Integrity
  9. Information Security
  10. Intellectual Property
  11. Obscene, Degrading, and/or Abusive Content
  12. Value Chain and Component Integration

 

Navigate NIST’s risk management frameworks with ease

Implementing NIST’s AI RMF 1.0 and its companion resources is crucial for organizations aiming to strengthen their AI security posture. However, navigating the complexities of the framework and tailoring it to your organization’s unique needs can be challenging.

Our team of experts specializes in helping organizations implement and optimize the NIST AI RMF 1.0 and companion resources. Through our tailored services and comprehensive training programs, we empower your team to effectively manage risk, enhance cybersecurity resilience, and build a culture of security and trust.


Ready to take the next step?

Contact us today to learn how we can help you master NIST AI RMF 1.0 and turn alignment with best practices into a strategic advantage.
