Focuses on providing security and risk management training specific to AI systems and the SDLC. This control ensures that all relevant personnel are equipped with the knowledge and skills to manage AI-related risks effectively, promoting a culture of security awareness and compliance throughout the organization.

• Security Awareness against AI and SDLC [9.1.1]

  The "Security Awareness Against AI and SDLC [9.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on enhancing the security awareness of individuals involved in the AI system development lifecycle (SDLC). This subcontrol aims to ensure that personnel are well-informed about security risks associated with AI technologies and understand best practices for mitigating these risks throughout the SDLC.

Manages the secure removal of AI systems from operation, including planning and risk management. This control ensures that AI systems are decommissioned in a manner that protects data, mitigates risks, and complies with regulatory requirements, followed by a review to confirm that all risks and issues have been addressed.

• Post-Decommissioning Review [8.1.2]

  The "Post-Decommissioning Review [8.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on evaluating the decommissioning process after the AI system has been retired. This review aims to assess the effectiveness of the decommissioning activities, identify any issues encountered, and derive lessons learned to improve future decommissioning practices.

• Decommissioning Planning and Risk Management [8.1.1]

  The "Decommissioning Planning and Risk Management [8.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the development of a comprehensive plan for decommissioning AI systems, including managing the associated risks. This subcontrol ensures that the decommissioning process is conducted in a structured manner, addressing potential risks and ensuring that all aspects of the AI system’s lifecycle are properly concluded.

Ensures ongoing management of AI system risks through continuous monitoring, incident response, and process improvement. This control focuses on maintaining system security and performance by addressing new risks, managing incidents effectively, and regularly updating processes based on operational feedback and evolving requirements.

• Feedback and Process Improvement [7.2.1]

  The "Feedback and Process Improvement [7.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the collection, analysis, and integration of feedback to drive continuous improvement in the AI system’s operations and risk management processes. This subcontrol ensures that organizations actively seek input from stakeholders, evaluate the effectiveness of current processes, and make necessary adjustments to enhance system performance and risk management.

• Incident Response and Risk Mitigation [7.1.2]

  The "Incident Response and Risk Mitigation [7.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the development and implementation of processes for responding to incidents and mitigating risks that arise during the operational phase of an AI system. This subcontrol ensures that organizations are prepared to address security breaches, system failures, or other incidents that may impact the AI system’s performance and security.

• Ongoing Risk Monitoring and Management [7.1.1]

  The "Ongoing Risk Monitoring and Management [7.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) emphasizes the continuous monitoring and management of risks associated with AI systems throughout their operational lifecycle. This subcontrol ensures that risks are actively tracked and managed to maintain system security, performance, and compliance over time.

• Update and Refinement of AI System [7.2.2]

  The "Update and Refinement of AI System [7.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the regular updating and refinement of AI systems to ensure they continue to meet operational requirements, address emerging risks, and incorporate improvements. This subcontrol ensures that AI systems are maintained effectively through systematic updates and refinements that enhance their functionality, performance, and security.

Focuses on planning and managing risks associated with deploying AI systems. This control ensures that deployment processes are well-organized, risks are effectively managed, and post-deployment monitoring is conducted to address any issues that arise, ensuring the AI system operates securely and efficiently in its intended environment.

• Deployment Planning and Risk Management [6.1.1]

  The "Deployment Planning and Risk Management [6.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the development and execution of a comprehensive plan for deploying AI systems, including the identification and management of associated risks. This subcontrol ensures that deployment activities are well-planned, risks are assessed and mitigated, and deployment processes are executed effectively to ensure a secure and successful deployment of the AI system.

• Post-Deployment Monitoring and Risk Management [6.1.2]

  The "Post-Deployment Monitoring and Risk Management [6.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the continuous monitoring and management of risks after the AI system has been deployed. This subcontrol ensures that the AI system is effectively monitored in its operational environment, potential risks are identified and managed, and necessary adjustments are made to maintain system security and performance.

Focuses on implementing risk mitigation strategies, monitoring the effectiveness of these strategies, and incorporating feedback mechanisms. This control ensures that AI systems are developed with effective risk management practices, continuously refined based on feedback, and adapted to address emerging risks throughout the development lifecycle.

• Update and Refinement of Risk Management Processes [4.2.2]

  The "Update and Refinement of Risk Management Processes [4.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on systematically updating and refining risk management processes based on insights gained from feedback, monitoring activities, and evolving risk environments. This subcontrol ensures that risk management practices are continuously improved and adapted to effectively address new and emerging risks throughout the development phase of an AI system.

• Feedback Mechanisms for Risk Management Practices [4.2.1]

  The "Feedback Mechanisms for Risk Management Practices [4.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on establishing and utilizing feedback mechanisms to continuously improve risk management practices throughout the development phase of an AI system. This subcontrol ensures that insights and lessons learned from risk management activities are systematically captured, analyzed, and used to refine and enhance risk management strategies.

• Development and Implementation of Risk Mitigation Strategies [4.1.1]

  The "Development and Implementation of Risk Mitigation Strategies [4.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the creation and application of strategies to address and mitigate identified risks during the development phase of an AI system. This subcontrol ensures that risk mitigation measures are effectively integrated into the AI system’s design and development processes to minimize potential threats and vulnerabilities.

• Monitoring and Review of Risk Treatment Effectiveness [4.1.2]

  The "Monitoring and Review of Risk Treatment Effectiveness [4.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on systematically monitoring and evaluating the effectiveness of implemented risk treatment measures throughout the development phase of an AI system. This subcontrol ensures that risk mitigation strategies are continuously assessed to confirm their effectiveness and to make necessary adjustments based on performance data and evolving risks.

Emphasizes evaluating AI system performance through metrics, analyzing performance data, and monitoring risk indicators. This control ensures that AI systems undergo rigorous testing to validate their effectiveness, identify potential issues, and adjust risk management strategies based on monitoring results to maintain system security and performance.

• Reporting and Analysis of Performance Data [5.1.2]

  The "Reporting and Analysis of Performance Data [5.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the systematic reporting and analysis of performance data collected from risk management activities. This subcontrol ensures that performance data is effectively communicated and analyzed to assess the effectiveness of risk management practices and inform decision-making.

• Performance Metrics and Monitoring [5.1.1]

  The "Performance Metrics and Monitoring [5.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on defining and implementing performance metrics to monitor the effectiveness and efficiency of risk management practices throughout the testing phase of an AI system. This subcontrol ensures that performance metrics are established, tracked, and analyzed to evaluate how well risk management strategies are functioning and to identify areas for improvement.

• Risk Indicators and Monitoring [5.2.1]

  The "Risk Indicators and Monitoring [5.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on identifying, tracking, and analyzing risk indicators to proactively monitor and manage potential risks associated with an AI system. This subcontrol ensures that organizations establish effective mechanisms for detecting early signs of risk and monitoring them to mitigate potential threats.

• Adjustment of Risk Management Strategies Based on Monitoring Results [5.2.2]

  The "Adjustment of Risk Management Strategies Based on Monitoring Results [5.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on adapting and refining risk management strategies in response to insights gained from monitoring activities. This subcontrol ensures that risk management strategies are continuously updated based on real-time monitoring results to effectively address emerging risks and maintain system resilience.

Establishes an organizational framework for managing AI risks, defining roles, responsibilities, and oversight mechanisms. It ensures effective leadership and accountability by integrating AI risk management into overall governance practices, including committees and reporting lines to oversee and address AI-related risks throughout the system’s lifecycle.

• Governance Structure for AI Risk Management [1.1.1]

  The "Governance Structure for AI Risk Management [1.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on establishing an organizational framework that ensures effective oversight and management of AI-related risks. This subcontrol is essential for creating a structured approach to identify, assess, monitor, and mitigate risks associated with AI systems.

• Risk Management Strategy for AI Systems [1.1.2]

  The "Risk Management Strategy for AI Systems [1.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) involves developing a comprehensive strategy to manage risks associated with AI systems. This subcontrol ensures that the organization’s approach to AI risk management aligns with its overall risk management strategy, objectives, and regulatory requirements. It focuses on identifying, assessing, and mitigating risks throughout the AI lifecycle, from development to deployment and decommissioning.

• Management of AI System Lifecycle [1.2.2]

  The "Management of AI System Lifecycle [1.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) emphasizes the importance of managing AI systems throughout their entire lifecycle. This subcontrol focuses on implementing policies, processes, and practices that ensure AI systems are developed, deployed, monitored, maintained, and decommissioned in a controlled and secure manner. Effective lifecycle management helps mitigate risks, ensure compliance with regulatory and ethical standards, and maintain the quality and reliability of AI systems.

• Resource Allocation for AI Risk Management 1.2.1]

  The "Resource Allocation for AI Risk Management [1.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on the effective allocation of resources—such as funding, personnel, technology, and time—to support AI risk management activities. This subcontrol ensures that sufficient resources are dedicated to developing, implementing, and maintaining AI risk management practices, enabling the organization to manage AI-related risks effectively and achieve its strategic objectives.

Involves identifying and understanding AI system components, functionality, and behavior. It includes stakeholder identification, impact analysis, and analyzing use cases and operational environments. This control ensures that requirements are clearly defined and risks are assessed early in the planning phase to inform development and deployment.

• Identification of AI System Components [2.1.1]

  The "Identification of AI System Components [2.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on identifying and documenting all components of an AI system throughout its lifecycle. This subcontrol ensures that organizations have a comprehensive understanding of the elements that make up their AI systems, including data sources, algorithms, models, hardware, software, and interfaces. Proper identification of these components is essential for effective risk management, enabling organizations to address potential vulnerabilities, ensure compliance, and maintain system integrity.

• Understanding System Functionality and Behavior [2.1.2]

  The "Understanding System Functionality and Behavior [2.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on comprehensively analyzing and documenting how an AI system functions and behaves under various conditions. This subcontrol ensures that organizations have a thorough understanding of the AI system’s intended capabilities, expected outputs, and potential failure modes. By gaining insights into the system's functionality and behavior, organizations can better manage risks, optimize performance, and ensure compliance with ethical standards and regulatory requirements.

• Stakeholder Identification and Impact Analysis [2.2.1]

  The "Stakeholder Identification and Impact Analysis [2.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on identifying all relevant stakeholders of an AI system and analyzing the potential impacts of the system on these stakeholders. This subcontrol ensures that organizations consider the needs, expectations, and concerns of all parties affected by the AI system, including users, developers, regulators, and those indirectly impacted by its outcomes. Understanding the implications for stakeholders is crucial for managing risks, enhancing user trust, and ensuring that the AI system operates ethically and transparently.

• Use Case and Operational Environment Analysis [2.2.2]

  The "Use Case and Operational Environment Analysis [2.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) involves analyzing the specific use cases and the operational environment in which an AI system will function. This subcontrol ensures that the AI system is designed, developed, and deployed with a clear understanding of how it will be used and the context in which it will operate. This analysis helps to identify potential risks, operational challenges, and compliance issues, allowing for more effective risk management and system performance optimization.

Focuses on identifying potential threats and vulnerabilities, applying risk assessment methodologies, and prioritizing risks based on impact and likelihood. This control ensures that AI system designs incorporate robust risk mitigation strategies, facilitating secure and resilient systems by addressing risks and vulnerabilities during the design phase.

• Likelihood Assessment and Risk Prioritization [3.2.2]

  The "Likelihood Assessment and Risk Prioritization [3.2.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on evaluating the probability of identified risks occurring and prioritizing them based on their likelihood and impact. This subcontrol ensures that organizations can systematically determine which risks pose the greatest threat and allocate resources effectively to address the most critical risks.

• Risk Assessment Methodology and Application [3.1.2]

  The "Risk Assessment Methodology and Application [3.1.2]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on establishing and applying a structured methodology for assessing risks associated with AI systems during the design phase. This subcontrol ensures that a consistent and systematic approach is used to evaluate and manage risks throughout the AI system’s lifecycle, allowing organizations to identify, prioritize, and address potential issues effectively.

• Risk Impact Assessment [3.2.1]

  The "Risk Impact Assessment [3.2.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on evaluating the potential impact of identified risks on the AI system, its components, and its stakeholders. This subcontrol ensures that risks are assessed not only for their likelihood but also for their potential consequences, enabling organizations to prioritize risk management efforts and design effective mitigation strategies.

• Identification of Potential Threats and Vulnerabilities [3.1.1]

  The "Identification of Potential Threats and Vulnerabilities [3.1.1]" subcontrol under the NIST AI Risk Management Framework (AI RMF) focuses on systematically identifying and documenting potential threats and vulnerabilities associated with an AI system during its design phase. This subcontrol ensures that potential risks are considered and addressed early in the design process, helping to create a robust and secure AI system that can effectively manage and mitigate risks throughout its lifecycle.