AI Risk and AI Management Formalised by NIST & ISO

The AI landscape is changing daily, with the potential to affect how we do business as much as, or more than, the emergence of the Internet did. Meanwhile, it is incredibly hard for leaders to manage risk while making sure the AI opportunities are grasped.

I’ll be dissecting the most relevant and important AI posts and announcements each week to help senior IT and corporate leaders translate the latest developments into practical actions and decisions.


These two subjects, covered in separate sections below, are intertwined: understanding AI risk and managing AI systems go hand in hand. Luckily, NIST and ISO provide us with tools to help with both.

NIST AI Risk Management Framework

  • What is it?

Just over a year old, the NIST AI Risk Management Framework (AI RMF) gives us a way to understand the risks AI poses through its four functions: Govern, Map, Measure and Manage. In the AI RMF, the ‘Executive Summary’ and ‘Appendix B: How AI Risks Differ from Traditional Software Risks’ provide a good overview and quick insight.

NIST publishes the NIST AI Risk Management Framework (AI RMF) and the NIST AI RMF Playbook to help us get started.

  • What does it mean from a business perspective?

The framework helps us adopt AI by understanding whether we are, or could already be, exposed to an unacceptable level of risk. Using the NIST framework, we have a way to understand, manage and control risk (within the organisation's risk appetite and tolerance). Because it is a published framework, it also saves us time and provides a degree of transparency to those we report to.

  • What do I do with it?

Assuming the organisation has functions that cover Enterprise Risk Management, IT Security and Privacy, these functions should be made aware of this framework and plan for its implementation. NOTE: As with all frameworks and standards, there will need to be some thought about what to adopt selectively, as well as some customisation.

ISO/IEC 42001:2023

Information Technology – Artificial Intelligence – Management System

  • What is it?

This ISO standard is broader than the NIST AI RMF in that it covers the management of AI systems as a whole. Risk is covered by the ISO standard too, alongside other areas such as policies, AI roles and responsibilities within the internal organisation, the resources available, the AI system life cycle, the impact on individuals and groups, data, AI use and third-party relationships.

ISO 42001 preview

  • What does it mean from a business perspective?

Like the NIST framework, this gives us another model to help us understand how we can adopt AI and ensure the broad aspects of its adoption are addressed; it helps us plan and understand where we are from a maturity perspective. It is something we can plan around that helps the business deal with AI in its many forms. This could include the use of common AI tools such as ChatGPT and Microsoft Copilot, or embedded AIs in applications that find their way into the organisation, and it promotes responsible and ethical AI adoption.

  • What do I do with it?

The ISO standard has many use cases across an organisation: if we have an Enterprise Architecture function, it can provide context and drive a road map for adoption; Internal Audit can use the standard to help ensure we comply with our AI risk management, ethical stance and AI policy, and report on this to the Board; Supply Chain and Vendor Management can use it in procurement approvals for AI systems; and Strategy development groups can ensure that AI adoption aligns with the business goals and values of the organisation.

Please feel free to share this, comment, critique or simply disagree – I am more than happy to sharpen my understanding through dialogue.


Additional Reading

Some interesting articles here from Coalfire and Google on an AI governance assessment of Google Cloud against the NIST and ISO frameworks.

Coalfire partners with Google Cloud to assess AI Governance and Security Risks against NIST AI RMF and ISO/IEC 42001

Coalfire evaluates Google Cloud AI: ‘Mature’ ready for governance, compliance


#AI #ArtificialIntelligence #AIManagement #RiskManagement #NIST #ISO42001 #Automation #FutureOfWork #TechLeadership #EnterpriseAI #AICompliance #Innovation #Management #AILeadership