Manage
Allocate resources to identified risks regularly.
Risk Determinations
A determination is made as to whether the AI system achieves its intended purposes and stated objectives and whether its development or deployment should proceed.
Risk Treatment
Treatment of documented AI risks is prioritized based on impact, likelihood, and available resources or methods.
Risk Response
Responses to the AI risks deemed high priority — as identified by the MAP function — are developed, planned, and documented.
Negative Risks
Negative residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers of AI systems and end users are documented.
Resources Available
Resources required to manage AI risks are taken into account, along with viable non-AI alternative systems, approaches, or methods — to reduce the magnitude or likelihood of these risks.
Sustained Value
Mechanisms are in place and applied to sustain the value of deployed AI systems.
Decommissioning Procedures
Procedures are followed to respond to and recover from a previously unknown risk when it is identified.
Mechanisms for Override
Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use.
Third-Party AI Risks
AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented.
Pre-Trained Models
Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance.
Post-Deployment Monitoring
Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI actors, appeal and override, decommissioning, incident response, recovery, and change management.
Continuous Improvement
Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI actors.
Incident & Error Communication
Incidents and errors are communicated to relevant AI actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented.