Map
Establish context to frame AI risks.
Context Established
Intended purposes, potentially beneficial uses, context-specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood.
Interdisciplinary AI Actors
Interdisciplinary AI actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise.
Mission and Goals
The organization's mission and relevant goals for AI technology are understood and documented.
Business Value
The business value or context of business use has been clearly defined.
Risk Tolerance
Organizational risk tolerances are determined and documented.
System Requirements
System requirements (e.g., 'the system shall respect the privacy of its users') are elicited from and understood by relevant AI actors.
Tasks and AI System Categorization
The specific tasks and methods used to implement them (e.g., classifiers, generative models) are defined.
Knowledge Limits
Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented.
Scientific Integrity
Scientific integrity and TEVV considerations are identified and documented.
Benefits Examination
Potential benefits of intended AI system functionality and performance are examined and documented.
Costs Examined
Potential costs, including non-monetary costs, of AI system errors are examined and documented.
Targeted Application Scope
Targeted application scope is specified and documented based on the system's capability.
Operator and Practitioner Proficiency
Processes for operator and practitioner proficiency with AI system performance and trustworthiness are defined and documented.
Human Oversight
Processes for human oversight are defined, assessed, and documented in accordance with organizational policies.
Third-Party Mapping
Approaches for mapping AI technology and legal risks of its components — including third-party software and data — are in place.
Internal Risk Controls
Internal risk controls for components of the AI system, including third-party AI technologies, are identified and documented.
Likelihood and Magnitude
Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) are identified and documented.
Risk Tracking
Practices and personnel for supporting regular engagement with relevant AI actors and integrating feedback are in place and documented.