
October 19, 2024 8 min read

A Checklist for the NIST AI Risk Management Framework


Celene Ennia & Daniil Karp

The NIST AI Risk Management Framework was created to offer a voluntary guide for organizations aiming to improve their management of AI-related risks. It helps simplify integrating trust into AI product design, development, deployment, and use.

The core principle of the AI RMF is that risk management must be an ongoing process throughout the entire AI lifecycle. This approach underscores the importance of consistently addressing and mitigating risks from the initial stages of development through deployment and beyond.

For a downloadable version of this checklist, click here.


Adopting the NIST AI Risk Management Framework (AI RMF) involves a series of steps to integrate its principles into your organization’s processes. Here’s a checklist to help you get started:

  1. Familiarize yourself with the framework & relevancy for your organization

    Action: Review the NIST AI RMF documentation thoroughly to understand its core principles, functions, and recommendations. Determine if your organization is designing, developing, deploying, or using AI systems. If yes, continue.

    Outcome: A solid grasp of the framework’s objectives and if/how it aligns with your organization’s goals.

    Resources to review:

      Artificial Intelligence Risk Management Framework
      NIST AI RMF Playbook
      AI RMF Roadmap
      AI RMF Explainer Video

  2. Identify current AI usage

    Action: Take inventory of all current uses of AI at your organization.

      Identify all AI capabilities being deployed within your organization
      Identify use cases being supported or executed by AI capabilities
      Identify data leveraged for AI use cases

    Outcome: Establish clear oversight of the scope of AI usage at your organization.

  3. Assess current AI practices

    Action: Conduct an audit of your existing AI policies and procedures to identify your current state and any gaps.

    Outcome: A clear picture of your current AI risk management landscape and specific areas that need alignment with the framework.

  4. Establish a cross-functional team

    Action: Form a team with representatives from various departments, such as IT, legal, compliance, risk management, and AI development.

    Outcome: A diverse group that can provide a comprehensive perspective on AI risk management and ensure all relevant aspects are covered.

  5. Develop a strategy for framework adoption

    Action: Create a strategy for the implementation of the NIST AI RMF. Define how decisions will be made and who will be accountable.

    Outcome: A structured plan for how your organization will address AI risks, tailored to your specific needs, with a defined timeline and goal for AI RMF adoption.

  6. Begin working through the NIST AI RMF Playbook for specific guided actions your organization can take to implement the framework successfully

    Action: Work through the four core functions:

      Govern
      Manage
      Map
      Measure

    Outcomes: Informed policy creation, thorough AI risk management practices, and in-depth risk identification and management strategies.

This checklist aims to help develop responsible, innovative use of AI. To do this, focus on one of the primary goals of the NIST AI Risk Management Framework: harm reduction, meaning reducing potential risk impacts on people, organizations, and ecosystems. The framework makes it easier to assign process ownership, develop clear workflows, and help audit, risk, and compliance leaders assess risk tolerance, prioritization, measurement, and integration/management.

Of course, it’s critical to remember that compliance is not a one-and-done endeavor. Instead, AI risk management is an iterative process. This checklist serves as a springboard to prompt the constant evolution of your organization’s processes. 

About the authors


Celene Ennia is a Product Marketing Manager of ITRC Solutions at AuditBoard with a robust background in IT audit and compliance. Previously at A-LIGN, she held a range of IT audit roles and oversaw a team to conduct audits for SOC 2, SOC 1, HIPAA, and other key standards, and now applies her expertise to develop data-driven, customer-focused marketing strategies at AuditBoard.


Daniil Karp is a SaaS business professional with over a decade of experience helping organizations bring revolutionary new practices and technologies into the fields of IT security and compliance, HR/recruiting, and collaborative work management. Prior to joining AuditBoard, Daniil worked in go-to-market at companies including Asana and 6sense.
