NIST AI Security Controls Trifecta
AI will be part of every business (that survives), from now until the end of time.
If you are a security pro, you need to prepare for that reality.
Similarly, regulators are starting to scrutinize the impacts of this technology and develop standards for using it securely and in a way that preserves privacy.
Europe looks poised to pass a comprehensive Artificial Intelligence Act, but details aren’t yet solidified. The U.S. National Institute of Standards and Technology (NIST), however, took what looks to be a first-mover advantage in the space by releasing the AI Risk Management Framework (RMF) earlier this year.
While analyzing it, I realized that layering on yet another compliance framework was going to make life very difficult for organizations trying to implement security best practices while embracing new tech.
So in order to help them make sense of this new NIST document alongside the existing ones for cybersecurity and privacy, I built a “trifecta” of controls.
Using the AI RMF as a base, I identified the relevant cybersecurity and privacy controls that matched up, like this:
And I put them all together in a unified matrix.
Frequently asked questions
Question: What is the NIST AI Risk Management Framework (RMF)? Why should I care?
Answer: Check out these four free articles that go deep on the topic.
- Frame AI risk with the NIST RMF
- Govern AI risk with the NIST RMF: policies, procedures, and compliance
- Govern AI risk with the NIST RMF: accountability, communication, third parties, and more
- Wrapping up the NIST AI RMF
Question: What are the column names for the .csv?
Answer:
- nist_ai_rmf_subcategory_code
- nist_ai_rmf_subcategory
- nist_csf_subcategory_code
- nist_csf_subcategory
- nist_priv_subcategory_code
- nist_priv_subcategory
Question: How many rows are there in the .csv file?
Answer: Not including the column headings, 81.
A .csv file mapping the NIST AI RMF to the NIST Cybersecurity and Privacy Framework controls. You'll also be subscribed to my newsletter, Deploy Securely.