
NIST AI Risk Management Framework: GOVERN 1.1
The NIST AI Risk Management Framework (NIST AI RMF) helps organizations manage risks related to AI, while balancing their goals and respecting legal and regulatory requirements. The Framework is voluntary to use and is designed to improve an organization's ability to incorporate trustworthiness when designing, developing, implementing, using and evaluating AI-based systems, tools and services. The Framework's companion document, "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile", is intended to help organizations identify unique risks posed by generative AI (genAI) and proposes actions for generative AI risk management that best align with the organization's goals and priorities.
The NIST AI RMF contains four functions, Govern, Map, Measure and Manage, together with their Categories and Sub-Categories. The structure is similar to that followed by the popular NIST Cybersecurity Framework (NIST CSF).
About This Article:
This Article discusses our analysis of the first control, Sub-Category 1, "GOVERN 1.1". Our analysis is designed to help risk practitioners and other teams implement this control in an effective manner that aligns with organizational needs and complies with applicable laws and regulations. This Article is written in an accessible format to raise awareness about the NIST AI RMF. FTF believes that financial service providers, Fintech entities, consulting firms and technology companies can benefit from this article and reflect on their respective approaches to AI Risk Management. Practitioners from other industries are welcome to adapt this Article to suit their context.
Control Descriptions:
Function GOVERN is a cross-cutting function that is infused throughout AI risk management and enables other functions of the process.
Category GOVERN 1: Policies, processes, procedures, and practices across the organization related to the mapping, measuring, and managing of AI risks are in place, transparent, and implemented effectively.
Sub–Category GOVERN 1.1: Legal and regulatory requirements involving AI are understood, managed, and documented.
Explanation:
GOVERN 1.1 is a foundational element of the NIST AI Risk Management Framework emphasizing understanding, managing, and documenting compliance with all relevant legal and regulatory requirements affecting AI systems. Its purpose is to help organizations maintain due diligence, promote trustworthy AI systems deployment, and integrate compliance into AI risk governance. This control is part of the overarching GOVERN function permeating all stages of AI risk management.
Operational Activities Involved in GOVERN 1.1:
Organizations need to undertake appropriate activities that help them implement GOVERN 1.1 in a safe and acceptable manner. These are:
- Identify all applicable legal and regulatory requirements relevant to AI development, deployment, and use. This can vary by Industry, Region and other Geopolitical considerations.
- Establish management processes ensuring continuous compliance. This is an area where organizations can leverage insights from other players in similar industries and regulatory contexts.
- Maintain comprehensive compliance documentation as evidence of due diligence. Maintaining adequate and appropriate documentation helps organizations to demonstrate their commitment and evidence of practices when implementing and adhering to the requirements.
Importance of GOVERN 1.1:
- Ensures legal and regulatory compliance to avoid penalties and reputational risk.
- Builds trust and accountability through documented compliance.
- Acts as a risk mitigation foundation preventing operational disruption.
- Supports ethical AI use respecting societal norms, privacy, and public rights.
- Addresses the dynamic and evolving AI regulatory landscape requiring ongoing vigilance.
Key Roles and their responsibilities in GOVERN 1.1
| Key Role | Responsibility for GOVERN 1.1 |
|---|---|
| Risk Practitioner | Identifies applicable laws, integrates compliance into risk strategies and updates risk documentation (e.g., Risk Register). Generally, this is part of the 2nd Line of Defense. |
| IT Auditor | Audits compliance and adherence to the applicable policies, verifies whether policies are current, identifies gaps and recommends improvements. |
| CISO | Aligns security controls with the organization's AI requirements, ensures AI regulations are complied with, oversees and monitors the secure and safe usage of AI within the organization and facilitates cross-team and executive communication. |
| CTO / CIO / CDO | Implement business programs using AI in a manner that is trustworthy, ethical, safe and secure. Work closely with the CISO, CRO and other business teams to operationalize AI-driven systems in an effective way. |
| CFO | Evaluates investments into AI-driven systems and technologies against financial risks, budgets and organizational roadmaps. |
| CRO | Reviews AI usage in the organization, defines risk appetite related to AI usage, prioritizes governance resources, leads compliance and risk reporting. Liaises with the CFO and 3rd Line of Defense to understand, categorize and prioritize risk treatment. |
| CHRO | Develops compliance training, fosters an ethical culture, defines acceptable use of AI, identifies and upskills resources on AI and supports talent development in incorporating AI in the organization. |
| Others | Other roles such as Administration, Sales, Customer Service, etc. play defined roles in implementing and adhering to GOVERN 1.1 requirements, based on the expectations set by other Executive Leaders and business objectives. |
The Path Forward
This analysis is intended to help organizations think through how to implement GOVERN 1.1 in their respective contexts. It is by no means exhaustive. Additional aspects that need to be factored into implementing GOVERN 1.1 include:
- Identifying and implementing automated tools for tracking the usage of AI in the organization in compliance with local, regional and international regulations, as applicable.
- Reviewing the control implementation activities and enhancing them to include emerging trends and developments such as gen AI and agentic AI.
- Collaborating with other industry peers, research bodies, auditors, regulators and other governmental organizations to understand best practices and standardize internal governance frameworks.
- Integrating AI–driven compliance monitoring and real-time auditing technologies for proactive identification of gaps and their remediation.
About Financial Technology Frontiers
Financial Technology Frontiers (FTF) is a global media-led fintech platform dedicated to building and nurturing innovation ecosystems. We bring together thought leaders, financial institutions, fintech disruptors, and technology pioneers to drive meaningful change in the financial services industry.
Authored By: Narasimham Nittala.