With 80% of healthcare organizations expected to leverage intelligent automation this year, the question is no longer if your organization needs AI risk governance — it’s how quickly you can implement it.
ISO/IEC 42001 is an international management system standard for AI, published by the International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC). Designed with mature organizations in mind, ISO/IEC 42001 involves multiple requirements for certification. This includes assessments, leadership onboarding, policy building, audits and more.
The other framework to consider, and the focus of this blog, is the NIST AI RMF: the National Institute of Standards and Technology's Artificial Intelligence Risk Management Framework. It is designed for organizations in the earlier stages of GRC. Read on to learn more.
What is NIST AI RMF?
Released by NIST in January 2023, the AI RMF provides organizations with a flexible, voluntary framework for managing AI risks while fostering innovation and trust. Much like laying the foundation for a house or other sturdy structure, NIST AI RMF can help organization leads gain operational visibility and risk awareness. Later on, those insights can be used to build the policies and documents needed for meeting your ISO/IEC 42001/NIST requirements.
NIST AI RMF has four core functions: Govern, Map, Measure and Manage. The beauty of these functions is that leaders have the autonomy to adapt and flex each of them in their own way based on the size and type of their organization.
Here are some characteristics associated with each of the four functions:
- Govern: Build an AI management program that includes repeatable processes and an intentional culture of risk management.
- Map: Understand how AI is used within various business contexts along with associated risks.
- Measure: Monitor and validate performance of the AI Management Program.
- Manage: Actively manage the program by adjusting policies, processes, and activities based on risk and opportunity.
What Are Key Differences between NIST AI RMF and ISO/IEC 42001?
Timing is everything, and for many organizations NIST AI RMF acts as the perfect “on ramp” to a full ISO/IEC 42001 certification journey. Here’s a quick comparison of how the two frameworks stack up.
| Aspect | NIST AI RMF | ISO/IEC 42001 |
| --- | --- | --- |
| Flexibility | Highly adaptable and voluntary | Highly comprehensive |
| Maturity level | Organizations in the early stages of AI governance | Mature organizations with established systems in place |
| Certification | None; however, it can be used in combination with a SOC 2 audit | Standalone certification based on the ISO standard |
| Use cases | Consider it a governance pilot for areas such as automation, analytics or operational AI | Favored in highly regulated industries, as well as industries selling to non-US customers |
| Implementation speed | Faster and less resource-intensive: weeks to months | Longer and more complex: months to a year |
Bottom line: Start with NIST AI RMF to create the strong governance culture you want. Once your organization is ready for a more formal approach, you’ll be well on your way to ISO/IEC 42001.
What are some practical use cases of NIST AI RMF in action?
Revenue cycle automation is a fast-growing use case for automation thanks to the efficiencies it can provide on the front, middle and back end: everything from patient registration to charge capture all the way to patient collections. Unfortunately, errors in RCM are rampant, and nearly 80% of all medical bills contain some type of error. NIST's "Map", "Measure" and "Manage" functions can help identify and resolve errors such as these.
Another example of NIST AI RMF in action is clinical AI models. Say, for example, a healthcare startup has deployed AI for risk stratification and wants to map every touchpoint where the model could interact with sensitive patient data. Risk assessment processes based on the NIST AI RMF could uncover numerous AI-related risks, including biased historical datasets, EHR integrations that lack proper encryption, and non-compliance with regulations such as HIPAA and GDPR.
In Summary
Whether you’re just starting to explore AI governance or preparing for ISO/IEC 42001 certification, NIST AI RMF is the perfect first step. Contact us today to learn how Genius GRC can help you build a foundation for safe, scalable AI.