An AI risk manager is applying the NIST AI Risk Management Framework (AI RMF). In which function would the organization establish a risk management process and assign roles and responsibilities for AI oversight?
Govern includes setting up risk management processes, roles, and responsibilities across the AI lifecycle.
Why this answer
The Govern function in the NIST AI RMF is specifically designed to establish organizational structures, policies, and accountability mechanisms for AI risk management. This includes defining roles and responsibilities, setting risk management processes, and ensuring oversight across the AI lifecycle. The other functions (Map, Measure, Manage) focus on different aspects such as understanding context, assessing risks, and treating risks, respectively.
Exam trap
Cisco often tests the misconception that 'Manage' is the catch-all function for all risk-related activities. The trap here is that Manage specifically addresses risk treatment after assessment, while Govern is the distinct function for establishing the overarching risk management process and accountability structure.
How to eliminate wrong answers
Option A is wrong because the Map function focuses on understanding the AI system's context, including its intended use, stakeholders, and potential impacts, not on establishing governance structures or assigning roles.
Option B is wrong because the Manage function deals with prioritizing, responding to, and treating identified risks after they have been assessed, not with setting up the initial risk management process or assigning oversight roles.
Option D is wrong because the Measure function involves quantitative and qualitative assessment of AI risks, including metrics and monitoring, but does not cover the establishment of governance processes or role assignment.