The National Institute of Standards and Technology (NIST) has released the second draft of its Risk Management Framework (RMF) for Artificial Intelligence (AI) for comments. Comments are due by September 29, 2022.
NIST, part of the US Department of Commerce, helps individuals and businesses of all sizes better understand, manage and reduce their respective “risk footprints”. Although the NIST AI RMF is a voluntary framework, it has the potential to impact legislation. NIST frameworks have previously served as the basis for state and federal regulations, such as the New York State Department of Financial Services Cybersecurity Regulations of 2017 (23 NYCRR 500).
The RMF AI was designed and is intended for voluntary use to address potential risks in “the design, development, use and evaluation of AI products, services and systems”. NIST envisions the AI RMF as a “living document” that will be updated regularly as technology and approaches to AI reliability evolve and change over time.
According to the proposed RMF AI, the specific goal of this new framework is an AI system designed on a machine-based system that can, “for a given set of human-defined goals, generate outcomes such as predictions, recommendations or decisions influencing real or virtual environments.
Amid the growth of artificial intelligence, the AI RMF provides guidance on how to use AI respectfully and responsibly. Cybersecurity frameworks are designed to secure and protect data, and the AI RMF project appears to complement this goal.
One of the many goals of the AI RMF is to better clarify and design NIST’s “AI lifecycle.” The current AI lifecycle focuses on general risk management issues. The primary audience for this framework, as written, are those with responsibility for commissioning or funding an AI system as well as those who are part of the “corporate management structure” that governs the cycle life of AI.
For example, as part of the AI RMF project, NIST has defined “stages” for the new AI lifecycle model. These elements include:
- Plan and design
- Collect and process data
- Model of construction and use
- Check & Validate
- Operate and monitor
- Used or impacted by
AI will impact many critical aspects of society over the next few years, including the way we live and work. According to World Economic Forumup to 97 million new AI-related jobs could be created by the end of 2025. As AI continues to grow, having a workable risk management framework is essential.
A companion NIST AI RMF Playbook (Playbook) has been released in conjunction with the AI RMF’s second draft. The game book is an online resource and “…includes suggested actions, references, and documentation guidance for stakeholders” to implement RMF AI recommendations.
NIST will host a third and final virtual workshop on October 18-19, 2022, with leading AI experts and interested parties, and expects the final RMF and AI Playbook to be released in January 2023.
We will continue to monitor these developments and notify you of updates as appropriate.