Classifying and understanding risk is a non-negotiable governance responsibility for every organization when procuring an AI system. Additionally, it is important to recognize that every AI system presents unique risks to various stakeholders. These risks can vary in type, scale, and gravity.
The RMF for AI Procurement focuses on helping organizations identify and control risks by establishing a risk appetite to guide the risk management process. The risk appetite tool is based on two key risk indicators, both of which are composed of expected system design choices for the anticipated use case at hand. The key risk indicators include:
The RMF emphasizes the importance of determining, at the outset of each procurement, how much risk the procuring organization is willing to accept for each system. Once defined, the risk appetite for a procurement serves as an anchoring point throughout the procurement lifecycle: it guides risk mitigation strategies during risk assessment, risk mitigation and control mapping, and risk treatment negotiations in order to create an acceptable risk tolerance for the chosen system.
Ultimately, the RMF PAIS 1.0 provides organizations with a responsible, risk-managed approach to AI procurements that facilitates return on investment while keeping stakeholders safer in the process.