Artificial Intelligence (AI) Risk Management Framework

The Artificial Intelligence (AI) Risk Management Framework by NIST enables organizations designing, developing, deploying, or using AI systems to incorporate comprehensive AI Testing, Evaluation, Validation, and Verification (TEVV) practices, thereby managing the many risks of AI and promoting trustworthy and responsible development and use of AI systems.

The AI Risk Management Framework functions (GOVERN, MAP, MEASURE, MANAGE) can be applied to fit the interests and needs for organizations of all sizes and in all sectors.

GOVERN
The GOVERN function ensures policies, processes, procedures and practices across the organization related to the mapping, measuring and managing of AI risks are in place, transparent, and implemented effectively.

MAP
The MAP function establishes the context to frame risks related to an AI system. The AI lifecycle consists of many interdependent activities involving a diverse set of actors. The information gathered while carrying out the MAP function enables negative risk prevention and informs decisions for processes such as model management, as well as an initial decision about appropriateness or the need for an AI solution.

MEASURE
The MEASURE function employs quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor AI risk and related impacts.

MANAGE
The MANAGE function entails allocating risk resources to mapped and measured risks on a regular basis and as defined by the GOVERN function. Risk treatment comprises plans to respond to, recover from, and communicate about incidents or events.

AID: 7
Function: GOVERN
FID: GOV-1
Description

Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively.

Category

AI Deployment, Operation and Monitoring

GID: Govern 1.7
Guidance

Irregular or indiscriminate termination or deletion of models or AI systems may be inappropriate and increase organizational risk. For example, AI systems may be subject to regulatory requirements or implicated in future security or legal investigations. To maintain trust, organizations may consider establishing policies and processes for the systematic and deliberate decommissioning of AI systems. Typically, such policies consider user and community concerns, risks in dependent and linked systems, and security, legal or regulatory concerns. Decommissioned models or systems may be stored in a model inventory along with active models, for an established length of time.

Recommendations

- Establish policies for decommissioning AI systems. Such policies typically address:
  - User and community concerns, and reputational risks.
  - Business continuity and financial risks.
  - Up and downstream system dependencies.
  - Regulatory requirements (e.g., data retention).
  - Potential future legal, regulatory, security or forensic investigations.
  - Migration to the replacement system, if appropriate.
- Establish policies that delineate where and for how long decommissioned systems, models and related artifacts are stored.
- Establish policies that address ancillary data or artifacts that must be preserved for fulsome understanding or execution of the decommissioned AI system, e.g., predictions, explanations, intermediate input feature representations, usernames and passwords, etc.

Documentation

Organizations can document the following:
- What processes exist for data generation, acquisition/collection, ingestion, staging/storage, transformations, security, maintenance, and dissemination?
- To what extent do these policies foster public trust and confidence in the use of the AI system?
- If anyone believes that the AI no longer meets this ethical framework, who will be responsible for receiving the concern and as appropriate investigating and remediating the issue? Do they have authority to modify, limit, or stop the use of the AI?
- If it relates to people, were there any ethical review applications/reviews/approvals? (e.g. Institutional Review Board applications)

AI Transparency Resources
- GAO-21-519SP: AI Accountability Framework for Federal Agencies & Other Entities. [URL](https://www.gao.gov/products/gao-21-519sp)
- Intel.gov: AI Ethics Framework for Intelligence Community - 2020. [URL](https://www.intelligence.gov/artificial-intelligence-ethics-framework-for-the-intelligence-community)
- Datasheets for Datasets. [URL](http://arxiv.org/abs/1803.09010)

Tasks

Decommission, Governance

Reference(s)

Michelle De Mooy, Joseph Jerome and Vijay Kasschau, “Should It Stay or Should It Go? The Legal, Policy and Technical Landscape Around Data Deletion,” Center for Democracy and Technology, 2017. [URL](https://cdt.org/wp-content/uploads/2017/02/2017-02-23-Data-Deletion-FNL2.pdf)

Burcu Baykurt, “Algorithmic accountability in US cities: Transparency, impact, and political economy,” Big Data & Society 9, no. 2 (2022): 20539517221115426. [URL](https://journals.sagepub.com/doi/full/10.1177/20539517221115426)

“Information System Decommissioning Guide,” Bureau of Land Management, 2011. [URL](https://www.blm.gov/sites/blm.gov/files/uploads/IM2011-174_att1.pdf)