October 18, 2024

A Checklist for the NIST AI Risk Management Framework

Celene Ennia

The NIST AI Risk Management Framework was created as a voluntary guide for organizations that want to improve how they manage AI-related risks. It helps organizations build trustworthiness into the design, development, deployment, and use of AI products.

The core principle of the AI RMF is that risk management must be an ongoing process throughout the entire AI lifecycle. This approach underscores the importance of consistently addressing and mitigating risks from the initial stages of development through deployment and beyond.


Adopting the NIST AI Risk Management Framework (AI RMF) involves a series of steps to integrate its principles into your organization’s processes. Here’s a checklist to help you get started:

  1. Familiarize yourself with the framework and its relevance to your organization
     Action: Review the NIST AI RMF documentation thoroughly to understand its core principles, functions, and recommendations. Determine if your organization is designing, developing, deploying, or using AI systems. If yes, continue.
     Outcome: A solid grasp of the framework's objectives and if/how it aligns with your organization's goals.
     Resources to review:
       - Artificial Intelligence Risk Management Framework
       - NIST AI RMF Playbook
       - AI RMF Roadmap
       - AI RMF Explainer Video
  2. Identify current AI usage
     Action: Take inventory of all current uses of AI at your organization.
       - Identify all AI capabilities being deployed within your organization
       - Identify use cases being supported or executed by AI capabilities
       - Identify data leveraged for AI use cases
     Outcome: Establish clear oversight of the scope of AI usage at your organization.
  3. Assess current AI practices
     Action: Conduct an audit of your existing AI policies and procedures to identify your current state and any gaps.
     Outcome: A clear picture of your current AI risk management landscape and the specific areas that need alignment with the framework.
  4. Establish a cross-functional team
     Action: Form a team with representatives from various departments, such as IT, legal, compliance, risk management, and AI development.
     Outcome: A diverse group that can provide a comprehensive perspective on AI risk management and ensure all relevant aspects are covered.
  5. Develop a strategy for framework adoption
     Action: Create a strategy for the implementation of the NIST AI RMF. Define how decisions will be made and who will be accountable.
     Outcome: A structured plan for how your organization will address AI risks, tailored to your specific needs, with a defined timeline and goal for AI RMF adoption.
  6. Begin working through the NIST AI RMF Playbook for specific guided actions your organization can take to implement the framework successfully
     Action: Work through the four core functions:
       - Govern
       - Manage
       - Map
       - Measure
     Outcomes: Informed policy creation, thorough AI risk management practices, and in-depth risk identification and management strategies.

This checklist aims to help your organization develop responsible, innovative uses of AI. To do this, focus on one of the primary goals of the NIST AI Risk Management Framework: harm reduction, meaning reducing the potential impact of AI risks on people, organizations, and ecosystems. The framework makes it easier to assign process ownership, develop clear workflows, and help audit, risk, and compliance leaders assess risk tolerance, prioritization, measurement, and integration and management of those risks.

Of course, it’s critical to remember that compliance is not a one-and-done endeavor. Instead, AI risk management is an iterative process. This checklist serves as a springboard to prompt the constant evolution of your organization’s processes. 

About the author

Celene Ennia is a Product Marketing Manager of ITRC Solutions at AuditBoard with a robust background in IT audit and compliance. Previously at A-LIGN, she held a range of IT audit roles and oversaw a team to conduct audits for SOC 2, SOC 1, HIPAA, and other key standards, and now applies her expertise to develop data-driven, customer-focused marketing strategies at AuditBoard.
