On July 26, 2024, NIST released NIST-AI-600-1, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile. This framework was born out of an October 2023 Executive Order, which tasked NIST with developing a new generative AI framework. The NIST AI RMF has been designed to encourage responsible development of AI. At its core, it emphasizes risk management and social responsibility to ensure that AI is developed properly and in a secure manner. It guides users through the process of identifying and managing risks associated with AI.
The framework is broken out into 4 functions: Govern, Map, Measure, and Manage. As organizations make their way through the functions, each one builds off of the last. It opens with general policies and procedures, followed by the activities to assess, address, and mitigate risks related to the use of AI systems.
- GOVERN is the first function of the framework, as it underpins the three functions that follow it. It’s all about establishing the foundations for managing AI risks. It will ensure the right policies and procedures are in place throughout the AI lifecycle, laying the groundwork for development to be done in a secure manner.
- MAP is the first function relating to the assessment of specific AI technology, as it now looks a step further than the enterprise-level procedures. It is about understanding the ways in which specific AI technology will operate, assessing potential impacts, both positive and negative, and deciding whether or not to proceed with AI deployment. This is the step that supports the risk measurement and management efforts of an organization.
- MEASURE is a continuation of the MAP function. It is all about measuring risks and outcomes so that organizations can make data-informed decisions. It focuses on assessing AI risks through quantitative, qualitative, or mixed-method approaches. It also includes testing, evaluating, verifying, and validating (TEVV) the performance of AI systems. Assessing AI through these different lenses gives organizations the mix of qualitative and quantitative information they need on both the risks and the performance of AI technologies.
- MANAGE is where organizations are addressing and responding to the risks identified in the MAP and MEASURE functions. This is where actions around managing AI risks are addressed. Organizations will develop strategies to mitigate, transfer, avoid, or accept AI risks and prepare for incident response. This function ensures that resources are allocated properly in order to not just maximize the benefits of AI, but minimize the harm that comes with it. It also addresses AI monitoring and decommissioning to see that organizations are prepared for any risks that may come with the evolving technology.
The importance of this framework cannot be stressed enough. While AI is a technology with very high potential, it does not come without its fair share of risks. Weaving risk management measures into the AI development process is crucial to the sustainable and secure deployment of any technology.
Axio is excited to share that the NIST Artificial Intelligence Risk Management Framework is now available in our Axio Assessment offering, allowing you to assess your current cybersecurity programs against this framework in an efficient and effective manner.
With Axio Assessment, you can:
- Bring Your Own Model: operate using any assessment model. This includes your own custom models, derivative models where you’ve modified a standard framework, or any 3rd-party models from other providers. You can also easily conduct assessments using Axio’s pre-populated library of hundreds of frameworks including C2M2, CIS 18, CMMC, CRI Profile, MAS TRMG, NIST CSF, NIST AI RMF, NIST 800-53 and many more.
- Automatically Use Completed Assessments to Conduct New Assessments: With the assessment mapping capability, you can take any of your existing assessments and use its responses to automatically populate responses for a new assessment, saving tens of hours of painstaking manual work. Axio then identifies the net new questions requiring responses, allowing you to focus efforts only where they’re truly needed.
- Bring Together Multiple Assessments for Centralized Management: Aggregate dozens or even hundreds of assessments across departments, business units and regions, all on a single platform. With the ability to inspect and manage each security program from a centralized system, you’ll gain a strategic, unified view of your overall security stance.
To learn more about how Axio can help you assess against the NIST AI RMF and streamline management of even the most complex, multi-assessment cybersecurity environments, schedule a call today!