Govern
Cultivate a culture of AI risk management.
Legal and Regulatory Requirements
Legal and regulatory requirements involving AI are understood, managed, and documented.
Trustworthy AI Characteristics
The characteristics of trustworthy AI are integrated into organizational policies, processes, and procedures.
Risk Tolerance
Processes are in place to determine the needed level of risk management activities based on the organization's risk tolerance.
Risk Management Processes
The risk management process and its outcomes are established through transparent policies, procedures, and other controls.
Ongoing Monitoring & Review
Ongoing monitoring and periodic review of the risk management process and its outcomes are planned.
Inventory
Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities.
Decommissioning
Processes and procedures are in place for decommissioning and phasing out AI systems safely.
Roles, Responsibilities, Authorities
Roles, responsibilities, and lines of communication related to mapping, measuring, and managing AI risks are documented.
AI Risk Training
The organization's personnel and partners receive AI risk management training.
Executive Leadership
Executive leadership of the organization takes responsibility for decisions about risks associated with AI development and deployment.
Diversity, Equity, Inclusion
Decision-making related to mapping, measuring, and managing AI risks throughout the lifecycle is informed by a diverse team.
Human-AI Configurations
Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight.
Risk-Aware Culture
Organizational policies and practices are in place to foster a critical thinking and safety-first mindset.
Documentation Practices
Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use.
Testing Disclosure
Organizational practices are in place to enable AI testing, identification of incidents, and information sharing.
External Stakeholder Engagement
Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from external parties.
Communication of AI Decisions
Mechanisms are established to enable AI actors to regularly incorporate adjudicated feedback from relevant stakeholders.
Third-Party Risks
Policies and procedures are in place to address AI risks and benefits arising from third-party software and data.
Contingency Processes
Contingency processes are in place to handle failures or incidents in third-party data or AI systems.