The NIST AI Risk Management Framework and Third-Party Risk Management

Mitratech Staff

What Is the NIST AI Risk Management Framework?

In response to growing enterprise usage of artificial intelligence (AI) systems – and a corresponding lack of guidance on how to manage their risks – the U.S. National Institute of Standards and Technology (NIST) introduced the AI Risk Management Framework (AI RMF) in January 2023. According to NIST, the goal of the AI RMF is to “offer a resource to the organizations designing, developing, deploying, or using AI systems to help manage the many risks of AI and promote trustworthy and responsible development and use of AI systems.” The AI RMF is a voluntary framework and can be applied across any company, industry or geography.

The RMF is divided into two parts. Part 1 includes an overview of risks and characteristics of what NIST refers to as “trustworthy AI systems.” Part 2 describes four functions to help organizations address the risks of AI systems: Govern, Map, Measure and Manage. The illustration below reviews the four functions.

[Illustration: The functions in the NIST AI Risk Management Framework (Govern, Map, Measure, Manage). Courtesy: NIST]

How Does the NIST AI Risk Management Framework Apply to Third-Party Risk Management?

It is important for organizations to apply risk management principles to minimize the potential negative impacts of AI systems, such as hallucination, data privacy violations, and threats to civil rights. This consideration also extends to the use of third-party AI systems and to third parties’ own use of AI systems. Potential risks of third-party misuse of AI include:

  • Security vulnerabilities in the AI application itself. Without the proper governance and safeguards in place, your organization could be exposed to system or data compromise.
  • Lack of transparency in methodologies or measurements of AI risk. Deficiencies in measurement and reporting could result in underestimating the impact of potential AI risks.
  • AI security policies inconsistent with other existing risk management procedures. Inconsistency results in complicated and time-intensive audits, which could lead to negative legal or compliance outcomes.

According to NIST, the RMF will help organizations overcome these potential risks.

Key Third-Party Risk Management Considerations in the NIST AI Risk Management Framework

The NIST AI RMF breaks down its four core functions into 19 categories and 72 subcategories that define specific actions and outcomes. NIST offers a handy playbook that further explains the actions.

The table below reviews the four functions and select categories in the framework and suggests considerations to address potential third-party AI risks.

NOTE: This is a summary table. For a full examination of the NIST AI Risk Management Framework, download the full version and engage your organization’s internal audit, legal, IT, security and vendor management teams.

Next Steps: Align Third-Party AI Controls with Your TPRM Program

Prevalent can help your organization improve not only its own AI governance, but also how it governs third-party AI risks. Specifically, we can help you:

  • Establish governing policies, standards, systems and processes to protect data and systems from AI risks as part of your overall TPRM program. (Aligns with category GOVERN 6.)
  • Profile and tier third parties, while quantifying inherent risks associated with third-party AI usage to ensure that all risks are mapped. (Aligns with category MAP 4.)
  • Conduct comprehensive third-party risk assessments and continuously monitor and measure AI-specific risks in the context of your TPRM program. (Aligns with the MEASURE category.)
  • Ensure comprehensive incident response to AI-specific risks from third-party entities. (Aligns with MANAGE 3.)

Leveraging the NIST AI Risk Management Framework in your TPRM program will help your organization establish controls and accountability over third-party AI usage. For more on how Prevalent can help simplify this process, request a demo today.

Editor’s Note: This post was originally published on Prevalent.net. In October 2024, Mitratech acquired the AI-enabled third-party risk management provider Prevalent. The content has since been updated to include information aligned with our product offerings, regulatory changes, and compliance.