Return to site

NIST's AI Risk Framework

Falls Short of Holistic Measures


· Articles

The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has now released the first version of its new AI Risk Management Framework, AI RMF 1.0 (see Figure 1), which is a “guidance document for voluntary use by organizations designing, developing, deploying or using AI/ML systems to help manage the many risks of AI/ML technologies.”

broken image

What does ChatGPT say about this?

> ChatGPT says: NIST’s AI Risk Management Framework is not applicable to me!

Does it make sense to have a separate Governance and Risk Management platform for AI and a separate one for Cybersecurity?

> My Answer: NO!

An AI Risk Management Platform must embrace a Holistic AI and Cybersecurity Governance Platform

Today’s quest for a holistic trusted AI Risk Management Platform will have additional needs to be made secure and governed by a landscape of technologies and solutions which will evolve into a quest for a trusted, secure and self governing platform that layers privacy controls and policies on top of a trusted layer that authenticates, verifies, and governs everything and protects consumers.

What can we learn from ISO 27005 Risk Management in Cybersecurity?

The ISO 27005 Risk Management Standard is part of a suite of standards for information security management (Figure 2).

broken image

To achieve this Cybersecurity Risk Management framework for AI, an integrated solution is needed that helps automate all the phases of reviewing and monitoring risks on a regular basis and then continuously updates the risk plans, which then can be part of the ISO 27005 Risk Management Process. This can be combined with NIST’s AI Framework, leveraging existing Risk Management vendors with Process compliance, and Risk and Hazard Management functions including Mitigation. Vendors like Kovair, ServiceNow,Archer, IBM’s GRC Platform, and SAP can be utilized. See Figure 3 for a suggested combination.

broken image

Some of the key capabilities needed for the Holistic AI and Cybersecurity Risk Management and Governance Platform are:

  • Provides industry-specific, guided templates empowering teams to instantly begin risk analysis
  • Allows users to prioritize Risks based on their probability of occurrence and severity
  • Provides on-screen Risk Matrix based on the likelihood and severity of Risks
  • Provides integrations with multiple security tools providing visibility to security vulnerabilities as well as AI/ML vulnerabilities like bias
  • Gives complete visibility of Risks threats or opportunities through real-time reports & dashboards
  • Allows to define and maintain instantaneous traceability between AI/ML Design, Process requirements, Risks and Hazards.


CIOs and Software Architects of Enterprises embarking on AI/ML projects should explore NIST’s latest AI Risk Management Framework guidelines as they re-vector to newer AI/ML services. Ideally, a holistic Cybersecurity Platform should be explored with security and AI/ML vulnerability assessments built-in, via integrated partners, with added Risk Management functions.

In this advisory we have discussed the basics of ISO 27005, Risk Management process and how a holistic solution is needed that facilitates both AI/ML and Cybersecurity Governance, along with the NIST Guidelines. Follow-on blogs will include Use Case Scenarios and further benefits of the solution set.

Akshay Sharma, Lionfish Advisor Team
CyberImbiber Tech Advisor LLC

Brain image in header by on Freepik