January 31, 2024

Introducing NIST AI RMF: Monitor and mitigate AI risk

Written by
Brian Kuan
Product Marketing Manager
Adam Duman
Information Security & Compliance Manager


The pace and complexity of AI technologies are increasing every day. In this rapidly changing environment, it’s critical for companies to adopt a rigorous approach to safely and responsibly incorporating AI into their products and processes.

That’s why we’re excited to announce that the NIST AI Risk Management Framework (RMF) is now available in preview. Previously announced at VantaCon, NIST AI RMF gives you a governance framework within the Vanta platform to mitigate the risks associated with the usage and development of AI products.

Balancing innovation and trust in AI technologies

As AI technologies become more ubiquitous, building trust in those technologies becomes more important than ever. According to Vanta’s State of Trust Report, over half (54%) of business and IT leaders globally are concerned that secure data management is becoming more challenging with AI adoption, with another 51% saying that using Generative AI technologies could erode customer trust. For companies that rely on AI technologies, implementing strong AI governance practices — and proving it to customers — becomes essential.

Demonstrating trust with NIST AI RMF in Vanta

Created by the National Institute of Standards and Technology, the NIST AI RMF is aimed at guiding companies that use AI systems in their operations to effectively manage the unique risks of AI. 

The framework has four functions: Govern, Map, Measure and Manage. Each function includes sub-requirements that have actions and outcomes to track implementation. For example, one of the requirements under the Govern function asks that your organizational teams are committed to a culture that considers and communicates risk. Meeting this requirement involves evidence in the form of an internal policy commitment to fostering a safety-first culture. 

Vanta’s NIST AI RMF solution makes it easy to track these requirements in one place and map the necessary evidence required to demonstrate compliance. With 60 pre-built requirements — including dozens of existing tests, 10 new risk scenarios within Risk Management, and over 40 bespoke document requests such as risk assessment reports, compliance documentation, and incident response guidance — Vanta helps you navigate the NIST AI RMF in an informed way. 

Through clear documentation requests and guidance, Vanta helps your organization:

  1. Define the purpose of the AI system: What problem is it solving and for whom? What new capabilities does it provide?
  2. Identify and describe formal use cases: What is the system being used for? Where is it being used, and how?
  3. Consider the stakeholders: Who is going to be using the technology and how? Who is impacted by this technology and how?
  4. Assess potential harm or unintended consequences: How would stakeholders be harmed by this technology? What uses are most likely to cause harm and for whom?
  5. Build for positive outcomes: How can the system be built to prevent harmful impact? How can it be optimized for beneficial outcomes?
  6. Take maximum advantage of best practices: These include best practices related to user research, system architecture, data collection and model training, documentation, and feedback mechanisms.

In addition to providing comprehensive guidance on setting up a well-managed AI governance program, Vanta lets you tailor the NIST AI RMF requirements to your needs, from disabling irrelevant risk scenarios to modifying how you demonstrate adherence, and more. Paired with the power of automated evidence collection and continuous monitoring, Vanta helps you build and deepen customer trust in your AI risk management program effortlessly.

As required by NIST AI RMF, we've added an AI Security Awareness module to our security and privacy training library so you can educate employees on the importance of AI governance and common risks to consider while interacting with AI technologies — further streamlining the NIST AI RMF process.

Get started with NIST AI RMF

Ready to learn more? The NIST AI RMF is now in preview and will be generally available in the coming weeks. See how Vanta helps companies deploying AI technologies demonstrate trust by requesting a demo here.

If you’re a current Vanta customer interested in NIST AI RMF, you can also contact your Customer Success Manager or Account Executive to learn more.
