
AI Risk Management — The NIST Framework for PMs

13 March 2026 · 2 min read

If ISO 42001 is the management system standard for AI, the NIST AI Risk Management Framework is the practical playbook. I use it as a reference for structuring risk assessment in every AI program I manage.

The Four Core Functions

NIST AI RMF organizes AI risk management into four functions: Govern, Map, Measure, and Manage. Each maps directly to program management activities.

Govern establishes the organizational structures, policies, and processes for AI risk management. As a PM, I ensure governance structures are defined during program setup, not as an afterthought. Who approves model deployment? Who owns monitoring? Who escalates incidents? These questions get answered in week one.

Map identifies the context in which the AI system operates, including its intended purpose, stakeholders, and potential impacts. I run mapping workshops during discovery that document the AI system's operating context. These artifacts become the foundation for risk assessment and compliance documentation.

Measure employs quantitative and qualitative methods to analyze AI risks. I work with engineering leads to define metrics for bias, accuracy, robustness, and explainability. These metrics feed into sprint-level monitoring dashboards that I review weekly.

Manage prioritizes and acts on identified risks. This is where standard program management skills shine. Risk registers, mitigation plans, contingency strategies — the tools are familiar. The content is AI-specific, but the discipline is the same.

Why PMs Should Own This

Engineers understand technical risk. Legal understands regulatory risk. Business stakeholders understand strategic risk. The program manager is the only role that synthesizes all three into a unified risk management approach. The NIST framework provides the structure. The PM provides the execution.

Practical Application

I create a one-page risk summary for every AI system using the NIST framework as a template. It covers governance structure, operational context, measurement approach, and management plan. This document becomes the single source of truth for AI risk discussions with stakeholders at every level.

Frameworks are only useful if they are applied. The NIST AI RMF is one of the few that translates directly into delivery practice.
