Using the NIST AI Risk Management Framework // Applied AI Meetup October 2023

R. Schwarz, a research scientist at the National Institute of Standards and Technology (NIST), introduces the organization's role in promoting U.S. innovation and competitiveness. NIST is known for developing standards and metrics to ensure technology is secure and trustworthy. Schwarz's work focuses on the Trustworthy and Responsible AI team, where she contributed to the AI Risk Management Framework (AI RMF) and its companion playbook. The AI RMF, developed under a Congressional mandate, is a voluntary and non-regulatory framework aimed at managing AI risks with a rights-preserving approach, emphasizing the protection of individual rights. The framework is designed to adapt to the evolving tech landscape and includes the development of an AI RMF Playbook, which is continuously updated based on feedback.

The AI RMF is a dynamic tool designed to help organizations manage the risks associated with AI technologies. It adopts a rights-preserving approach, ensuring individual rights are prioritized in AI development and use. The framework is not a static checklist but a guide to align organizational practices with societal values. It encourages a practical approach that evolves with AI technology. The AI RMF has been developed through extensive public feedback, involving over 240 organizations from various sectors. The framework operationalizes seven trustworthy characteristics of AI systems, which go beyond accuracy to include safety, security, resilience, and fairness, among others. It also addresses the challenges of AI risk management, such as measuring risk in real-world contexts and setting risk tolerance levels that align with organizational objectives and legal requirements.

The AI RMF incorporates an AI life cycle approach, emphasizing the iterative nature of AI development and the importance of continuous test, evaluation, validation, and verification. The framework adapts the life cycle from the OECD, focusing on socio-technical dimensions and the involvement of various AI actors. These actors include not only the people directly involved in the AI life cycle but also end-users, civil society organizations, and researchers. The framework stresses the shared responsibility of all AI actors in designing, developing, and deploying trustworthy AI systems. It also highlights the need for external voices to be included from the outset to ensure a comprehensive consideration of potential impacts.

The core of the AI RMF is structured around four functions: Govern, Map, Measure, and Manage. These functions provide a systematic approach for organizations to move from principles to practice in AI risk management. The Govern function focuses on fostering a risk culture within an organization, setting policies and procedures that align with societal values and legal requirements. The Map function establishes the context for framing AI-related risks, ensuring organizations have the necessary expertise to identify and evaluate contextual factors. The Measure function involves setting up objective and scalable measures to track the trustworthy characteristics of AI systems. The Manage function is about allocating resources to treat identified risks, responding to AI system failures, and communicating negative impacts.

Profiles are a key component of the AI RMF, allowing organizations to share real-life examples of implementing the framework. These profiles can be industry-specific or cross-sectoral, providing guidance that can be used within a company or across an industry. The AI RMF also includes a roadmap for future activities, prioritizing the alignment with international standards, expanding test and evaluation efforts, and developing the NIST Trustworthy and Responsible AI Resource Center. This resource center serves as a hub for foundational content, technical documents, and community engagement.

The AI RMF is designed to address unintended consequences and emerging properties in AI systems, particularly in generative AI. A public working group with over 2,600 participants is focused on developing best practices for managing generative AI risks. The framework encourages interdisciplinary approaches and testing in real-world contexts to identify and manage unforeseen risks. It also includes mechanisms for decommissioning systems and managing incidents swiftly when necessary.

The voluntary nature of the AI RMF provides organizations with the flexibility to adopt as much of the framework as they find beneficial. The development of the framework involved extensive input from various stakeholders, including private industry, academia, and government agencies. While there may be challenges for small and medium-sized organizations, the framework aims to provide a culture change that can lead to better risk management and cost savings. The AI RMF is applicable across various sectors, including research, and its adoption can be a strategic decision for organizations to ensure responsible AI practices.