The NIST AI Risk Management Framework and AI Classification

The NIST AI Risk Management Framework Playbook (AI RMF) is likely to become a must-have framework for AI development; not using it will likely equate (in some cases) with negligence. Currently, however, the AI RMF is not tailored to specific types of AI. In fact, there is no mention to what type of AI (classes) it is best suited.

AI classification is a complex undertaking in that it involves multiple criteria. To be effective, the classification needs to take into consideration:

  1. the AI’s computational capability level;
  2. the AI’s utility level (understand, perceive, predict, disambiguate, circuit reconfiguration)
  3. the extent to which the AI’s design adheres to the core principles* (of which there are 35 and counting);
  4. the AI Risk Ratio assignment which captures multiple risk variables, namely, frequency of use, duration of use, application power and complexity, application proliferation (user base), application type, and security; and
  5. whether an operational and development permit is required.

The table below offers a scenario that shows how the classification elements come together in evaluating four AI applications. In this scenario, the AI RMF is unlikely suitable for an A-1-2 application that does not require a permit and adheres to select core principles. On the other hand, the AI RMF is likely suitable in the development of an AI B-3-3 application (and mandatory if a permit is required). A developer that builds a B-3-3 application without reference to the AI RMF is taking a risk that it will be found negligent if the application causes harm.

Level Utility ARR Permit Req. Core Principles
A 1 2 No Bias, safety, interpretability, XAI
A 3 3 No Efficiency, accuracy
B 3 3 Optional Fairness, privacy, reliability
D 4 5 Yes Security, safety, resilience, predictable


*The core principles are: Accessibility; accountability; accuracy; bias; big data; consent; cooperation; efficiency; enabling; equity; ethics; XAI; fairness; fidelity; governance; human-centered; inclusive; interpretability; metrics; permit; predictable; privacy; R&D; reliability; resilience; robust; safety; security; sustainable; track record; transparency; trustworthy; truth; wherewithal; and workforce.