Regulatory Alert : The Nist Artificial Intelligence Risk Management Framework (AI RMF 1.0)

THE NIST ARTIFICIAL INTELLIGENCE RISK MANAGEMENT FRAMEWORK (AI RMF 1.0)

Setyawati Fitrianggraeni, Sri Purnama, Jericho Xavier Ralf[1]

BACKGROUND

On 26 January 2023, the United States National Institute of Standards and Technology (NIST)[2] released the AI Risk Management Framework (AI RMF 1.0).[3] The NIST AI RMF 1.0 provides a comprehensive framework for managing risks associated with AI technologies. It emphasises the need to balance harnessing AI’s potential benefits and mitigating its inherent risks.

AI RMF 1.0 was created in response to a directive from Congress to develop a framework to manage AI risks and to promote trustworthy and responsible development of AI systems.[4] AI RMF 1.0 as a framework[5] could be a lex informatica[6] and universally applicable digital international practices.[7]

KEY REQUIREMENTS

1. Risk Management: AI RMF 1.0 offers a structured approach to assessing, documenting, and managing AI-related risks and impacts.[8]
2. Trustworthiness: The framework identifies key characteristics of trustworthy AI, including validity, reliability, safety, security, accountability, transparency, explainability, privacy, and fairness.[9]
3. Core Functions: It delineates four core functions for risk management: Govern, Map, Measure, and Manage, each broken down into specific actions and outcomes.[10]
4. Audience and Engagement: The framework targets diverse AI actors across the AI lifecycle, encouraging inclusive and multidisciplinary perspectives.[11]

 

IMPLICATION

Organisations employing AI technologies must adopt a holistic risk management approach, addressing technical, societal, legal, and ethical standards. Implementing AI RMF 1.0 will involve significant organisational commitment, including adjustments in governance, transparency, and accountability practices.

CONSIDER

1. AI technologies’ dynamic and evolving nature necessitates a flexible and continuous risk management approach.
2. Organisations should integrate the AI RMF into their broader enterprise risk management strategies, aligning AI risk management with organisational principles and policies.
3. Collaboration and engagement with various stakeholders, including policymakers, AI developers, and civil society, are essential for effective implementation.

CONCLUSION

The NIST AI RMF 1.0 represents a critical step towards responsible AI usage, offering a structured approach to managing AI risks and enhancing trustworthiness. Its comprehensive and flexible nature allows organisations across various sectors to adapt and implement its guidelines, fostering a safer and more ethical AI ecosystem.

[1] Setyawati Fitrianggraeni holds the position of Managing Partner at Anggraeni and Partners in Indonesia. She also serves      as an Assistant Professor at the Faculty of Law, University of Indonesia, and is currently pursuing a PhD at the World Maritime University in Malmo, Sweden. This article is co-authored by Sri Purnama, Junior Legal Research and Jericho Xafier Ralf, Trainee Associate Analyst at Anggraeni and Partners.

[2]      The National Institute of Standards and Technology (NIST) is one of U.S oldest physical science laboratories which was founded in 1901 and is now a part of the U.S Department of Commerce. NIST was established by Congress to remove a major challenge to U.S industrial competitiveness during 1901. In the present, NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve quality of life.

[3]      The reference in this document pertains to the version dated 6 December 2023, as obtained from the National Institute of Standards and Technology (NIST) website, accessible at Artificial Intelligence Risk Management Framework (AI RMF 1.0) (nist.gov), AI Risk Management Framework | NIST, and About NIST | NIST. Please note that subsequent amendments or updates to the reference may have occurred after this date. Readers are advised to consult the latest version of the document for the most current information.

[4]      Simon Hodgett, Sam IP, and Sam Dobbin, “National Institute of Standards and Technology launches version 1.0 of AI Risk Management Framework”, Lexology, https://www.lexology.com/library/detail.aspx?g=46040915-562d-447e-b840-89d9a412596f accessed on 9 December 2023.

[5]      In general, a framework is a real or conceptual structure intended to serve as a support or guide for the building of something that expands the structure into something useful. See, Definition of Framework, https://www.techtarget.com/whatis/definition/framework#:~:text=In%20general%2C%20a%20framework%20is,the%20structure%20into%20something%20useful accessed on 9 December 2023.

[6]      In cyber law, there is lex informatica as the rules of information imposed by technology communication networks. Christos Dimitriou, “Lex Informatica and Legal Regime: Their Relationship”, 2015, p. 3, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2626941 accessed on 9 December 2023.

[7]      Therefore, if AI RMF 1.0 as a guideline becomes practices that are carried out repeatedly, then it will be binding and become a customary international law. Customary international law is, in a sentence, international obligations arising from recognized state practice carried out by a sense of legal obligation. See, Thomas Larsson, “Customary International Law”, Master’s Thesis in Public International Law, Uppsala Universitet: 2014, p. 9.

[8]      National Institute of Standard and Technology, “Artificial Intelligence Risk Management Framework (AI RMF 1.0)”. Artificial Intelligence Risk Management Framework (AI RMF 1.0) (nist.gov), pp. 4-9, accessed on 6 December 2023. This part is on Framing Risk, discusses about understanding and addressing risks, impacts, and harms; and challenges for AI risk management (risk measurement, risk tolerance, risk prioritisation, and organisational integration and management of risk.

[9]      Ibid., pp. 12-18.

[10]    Ibid., pp. 20. Governance is designed to be a cross-cutting function to inform and be infused throughout the other three functions.

[11]    Ibid., pp. 9-11.

DISCLAIMER:

This disclaimer applies to the publication of articles by Anggraeni and Partners. By accessing or reading any articles published by Anggraeni and Partners, you acknowledge and agree to the terms of this disclaimer:

No Legal Advice: The articles published by Anggraeni and Partners are for informational purposes only and do not constitute legal advice. The information provided in the articles is not intended to create an attorney-client relationship between Anggraeni and Partners and the reader. The articles should not be relied upon as a substitute for seeking professional legal advice. For specific legal advice tailored to your individual circumstances, please consult a qualified attorney.

Accuracy and Completeness: Anggraeni and Partners strive to ensure the accuracy and completeness of the information presented in the articles. However, we do not warrant or guarantee the accuracy, currency, or completeness of the information. Laws and legal interpretations may vary, and the information in the articles may not be applicable to your jurisdiction or specific situation. Therefore, Anggraeni and Partners disclaim any liability for any errors or omissions in the articles.

No Endorsement: Any references or mentions of third-party organizations, products, services, or websites in the articles are for informational purposes only and do not constitute an endorsement or recommendation by Anggraeni and Partners. We do not assume responsibility for the accuracy, quality, or reliability of any third-party information or services mentioned in the articles.

No Liability: Anggraeni and Partners, its partners, attorneys, employees, or affiliates shall not be liable for any direct, indirect, incidental, consequential, or special damages arising out of or in connection with the use of the articles or reliance on any information contained therein. This includes but is not limited to, loss of data, loss of profits, or damages resulting from the use or inability to use the articles.

No Attorney-Client Relationship: Reading or accessing the articles does not establish an attorney-client relationship between Anggraeni and Partners and the reader. The information provided in the articles is general in nature and may not be applicable to your specific legal situation. Any communication with Anggraeni and Partners through the articles or any contact form on the website does not create an attorney-client relationship or establish confidentiality.

By accessing or reading the articles, you acknowledge that you have read, understood, and agreed to this disclaimer. If you do not agree with any part of this disclaimer, please refrain from accessing or reading the articles published by Anggraeni and Partners.

 

For further information, please contact:

WWW.AP-LAWSOLUTION.COM

P: 6221. 7278 7678, 72795001

H: +62 811 8800 427

Anggraeni and Partners, an Indonesian law practice with a worldwide vision, provides comprehensive legal solutions using forward-thinking strategies. We help clients manage legal risk and resolve disputes on admiralty and maritime law, complicated energy and commercial issues, arbitration and litigation, tortious claims handling, and cyber tech law.

 

S.F. Anggraeni

Managing Partner

[email protected]

 

Sri Purnama

Junior Legal Research Analyst

[email protected]

 

Jericho Xafier Ralf

Junior Associate

[email protected]