
NIST's AI Risk Management Framework Is the Best Tool You're Not Using

Brian Hunt
Framework diagram overlaid on a digital background
Photo: Unsplash / DeepMind

NIST published the AI Risk Management Framework in January 2023. Most organizations I work with have heard of it. Few have actually read it. Fewer still have operationalized any part of it. That gap is a real problem — because it's genuinely one of the most useful AI governance documents available, and it's free.

I've been a NIST consumer for a long time, going back to my time at USCYBERCOM working with 800-53 and the Cybersecurity Framework in their DoD applications. The AI RMF follows a similar structure — principles and practices organized into functions — and it translates well into program design the same way the CSF did for cybersecurity programs.

The Four Functions, In Plain Terms

The AI RMF is organized around four functions: Govern, Map, Measure, Manage. If that sounds familiar, it's because it mirrors the structure of the CSF (functions broken into categories and subcategories), which is intentional and useful. The function names differ from the CSF's, and Govern is cross-cutting: it is meant to inform how the other three are carried out rather than sit beside them as a fourth step.

Govern is about building the organizational structure, policies, and culture that make responsible AI use possible. Who makes decisions about AI systems? What values guide those decisions? How are accountability and oversight assigned? This is where most organizations are the least mature — they have technology before they have governance.

Map is about context: understanding what the AI system is, what it's supposed to do, who it affects, and what can go wrong. The mapping step is where you surface risks that product teams often don't see because they're focused on what the model does well, not what it does badly in edge cases.

Measure is where you get quantitative — or at least structured — about risk. How do you assess AI trustworthiness? What metrics matter for the specific use case? This is harder than it sounds because AI systems fail in different ways than traditional software, and the measurement approaches are still maturing.

Manage is ongoing operations: monitoring, responding to incidents, updating models, and maintaining documentation that reflects what's actually deployed rather than what was approved two years ago.

How I've Been Using It

I've started using the AI RMF as a conversation scaffold with clients who are trying to get their arms around AI governance. It gives a shared vocabulary that isn't vendor-specific, and the profiles concept — tailoring the framework to your specific organizational context — works well for organizations at different maturity levels.

It's not perfect. The Measure function is the weakest area — the guidance on how to actually quantify AI trustworthiness is more aspirational than prescriptive, and practitioners are still figuring out the tooling. But it's the best starting point I've found, and NIST is actively evolving it based on feedback.

Worth a Saturday afternoon. Seriously.
