How to apply the NIST risk framework to GenAI

The greatest potential — and risk — of AI in business could be in the realm of generative AI (GenAI). When employees can create new content with GenAI, there are inherent risks in how they use that content to inform business decisions, interactions and processes.

Organizations in almost every industry have been using various AI capabilities, but the comparatively accessible interfaces and open-ended results of GenAI have inspired many business leaders to look for guidance and governance. Often, leaders are seeking the best approach to harness the power of the technology for their unique businesses and needs while still protecting users and the organization from disinformation and unintended results.

The GenAI profile

The National Institute of Standards and Technology (NIST) has created a comprehensive and evolving AI Risk Management Framework (RMF) that now includes a GenAI Profile to help anyone considering or actively deploying GenAI. The profile includes more than 400 actions that take you through the GenAI utilization lifecycle, with guidance, roadmaps, frameworks and more to strengthen desired results.

“The RMF is fairly prescriptive, and that's what people really like about NIST frameworks,” said Grant Thornton Risk Advisory Principal Matt Cassidy. “You can follow along and see how each piece ties out, to make sure that the organization is considering each factor.”

Four core functions

The RMF profile outlines many facets of GenAI execution in straightforward language and sheds light on aspects that are easily overlooked. It is not intended as a set of requirements or regulations, but as an ongoing and evolving set of guidelines developed through a consensus-driven, collaborative process involving many stakeholders.

For instance, the profile explains four interconnected core functions in the use of GenAI: Map, Measure, Manage and Govern. These functions will look familiar to any organization that has adopted a major technology to achieve corporate goals, and the profile shows how they apply to a GenAI effort.

Map

The first core function, Map, covers the importance of educating and involving all team members, including internal stakeholders, external collaborators and end users. It is important to consider the perspectives of anyone affected by the GenAI system, whether or not they will use it in their everyday functions. Requesting this input provides a level of transparency that is both critical and appreciated by all participants.

Measure

The Measure function stresses testing of the GenAI system before deployment and during operation. Is it resulting in the desired outcomes? Is it providing consistent results? Does the output reflect any harmful biases that were inadvertently incorporated into the model?

Fairness of outcomes is often overlooked, yet a GenAI-driven solution should deliver it. Cassidy emphasized the importance of fairness, and of defining “fair” for everyone involved, including the regulators who will examine the solution. “Make sure that you have a definition of what ‘fair’ is. That way, when regulation comes, you're prepared for it and you can stand behind your definition as it aligns to your values, risk tolerances and the customers you serve.”

Manage

The Manage function relates to the ongoing monitoring and maintenance of the GenAI system. Once the system is launched, the organization can thoroughly evaluate whether its original objectives are being realized, whether participants are having helpful and intuitive experiences, and whether stakeholder expectations are being met. The overarching question to ask is, “Is the new system trustworthy?”

The NIST AI RMF outlines seven characteristics of trustworthy AI systems. When an AI system is trustworthy, it helps the initiating organization avoid the potential harm that AI can cause — to people, the organization and even the complete business ecosystem. The seven characteristics are:

  1. Valid and reliable: outcomes should match what was intended
  2. Safe: no harm to any users, such as a loss of personal liberties
  3. Secure and resilient: should stand up to attacks
  4. Accountable and transparent: all intentions and goals should be understood
  5. Explainable and interpretable: should be understood by laypersons and experts alike
  6. Privacy enhanced: standards for user privacy should be in place
  7. Fair with harmful bias managed: user experiences should be fair, balanced and consistent for all users
These characteristics provide a strong foundation for thoroughly measuring the integrity of the AI system. But, as Cassidy warns, “it's really about a balancing act of all the attributes. You don't want something that's reliable, secure, accountable, and fair, but it's not valid. The RMF really addresses all the areas of a model that you should be considering.”

Govern

The final core function is Govern. Implementing a generative AI system, especially the first one in an organization, can bring considerable change to processes, structures and culture within the organization. To continue offering transparency to all involved parties, the organization needs to establish comprehensive AI policies, risk management regulations, usage guidelines and proper feedback mechanisms that allow for effective administration and governance of the system.

Expanded tools

The NIST AI RMF and GenAI profile also connect organizations to other helpful resources: the NIST AI RMF Roadmap outlines the complete AI journey, the Playbook provides paths to help navigate the RMF, and the Crosswalk explains how the RMF maps to existing technical guidelines from other companies and organizations.

Even with these helpful resources, organizations need to invest time in due diligence as they examine the reasons for undertaking the effort, and the likely ultimate impacts, of launching and managing a GenAI solution for the organization as a whole. This due diligence should involve potential users, management, IT, compliance, legal, third-party vendors and other stakeholders. Gathering their perspectives and expectations will be key to a successful outcome.

Ultimately, the organization can establish when it is ready to adopt a GenAI system. “You know your organization, and it should be in line with all of your values and governance,” Cassidy said. “There will be a risk when implementing this technology, but there can and will be a risk of not implementing this transformative technology.”

Content disclaimer

This Grant Thornton Advisors LLC content provides information and comments on current issues and developments. It is not a comprehensive analysis of the subject matter covered. It is not, and should not be construed as, accounting, legal, tax, or professional advice provided by Grant Thornton Advisors LLC. All relevant facts and circumstances, including the pertinent authoritative literature, need to be considered to arrive at conclusions that comply with matters addressed in this content.

Grant Thornton Advisors LLC and its subsidiary entities are not licensed CPA firms.

For additional information on topics covered in this content, contact a Grant Thornton Advisors LLC professional.