NIST AI Risk Management Framework 1.0 + Playbook
NIST AI Risk Management Framework 1.0 + Playbook — 93% covered.
101 requirements · 88 enforced · 9 designed · 4 advisory · 0 deferred.
Source: NIST AI 100-1 (January 2023) + AI RMF Playbook · License: US Government — public domain
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Govern (GV) | 31 | 24 | 5 | 2 | 0 | 87% |
| Map (MP) | 23 | 19 | 3 | 1 | 0 | 90% |
| Measure (MS) | 27 | 26 | 1 | 0 | 0 | 98% |
| Manage (MG) | 20 | 19 | 0 | 1 | 0 | 96% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| nist-ai-rmf.GV.1.4 | Govern 1.4 — The risk-management process and its outcomes are established through transparent policies, procedures, and other controls | enforced | audit_events: kye.compliance.attestation.v1, kye.purpose.permission.v1 · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-ai-rmf.GV.1.5 | Govern 1.5 — Ongoing monitoring and periodic review of the risk-management process and its outcomes are planned, and organizational roles and responsibilities clearly defined | enforced | audit_events: kye.assurance.audit_pilot.v1, kye.change_calendar.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.GV.1.6 | Govern 1.6 — Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities | enforced | audit_events: kye.entity.model.v1, kye.entity.model_endpoint.v1 · engines: internal · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.GV.1.7 | Govern 1.7 — Processes and procedures are in place for decommissioning and phasing out of AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness | enforced | audit_events: kye.purpose.grant.revoked.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.GV.2.2 | Govern 2.2 — The organization's personnel and partners receive AI risk-management training to enable them to perform their duties and responsibilities | designed | constitution_refs: constitution/39-LEARN-RAIL.md, constitution/10-PARTNER.md |
| nist-ai-rmf.GV.2.3 | Govern 2.3 — Executive leadership of the organization takes responsibility for decisions about risks associated with AI-system development and deployment | enforced | audit_events: kye.risk.authority_register.v1, kye.approval_decision.v1 · engines: internal · governedui_modules: kye.governedui.module.action_approval.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.GV.3.2 | Govern 3.2 — Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight | enforced | audit_events: kye.purpose.permission.v1 · engines: internal · governedui_modules: kye.governedui.module.approval_queue.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.GV.4.2 | Govern 4.2 — Organizational teams document the risks and potential impacts of AI technology they design, develop, deploy, evaluate, and use | enforced | audit_events: kye.consequence_map.v1, kye.risk_assessment.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.4.3 | Govern 4.3 — Organizational practices are in place to enable AI testing, identification of incidents, and information sharing | enforced | audit_events: kye.scenario_run.v1, kye.signal.incident.opened.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.5.2 | Govern 5.2 — Mechanisms are established to enable the team that develops or deploys AI systems to regularly incorporate adjudicated feedback from relevant AI actors into system design and implementation | designed | audit_events: kye.signal.drift.detected.v1, kye.approval_decision.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.6.2 | Govern 6.2 — Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk | enforced | audit_events: kye.spof_registry.v1, kye.signal.incident.opened.v1 · engines: internal · constitution_refs: constitution/51-NO-SPOF.md |
| nist-ai-rmf.MP.1.2 | Map 1.2 — Inter-disciplinary AI actors, competencies, skills and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise | advisory | audit_events: kye.stakeholder.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.1.3 | Map 1.3 — The organization's mission and relevant goals for AI technology are understood and documented | enforced | audit_events: kye.purpose_manifest.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MP.1.4 | Map 1.4 — The business value or context of business use has been clearly defined or — in the case of assessing existing AI systems — re-evaluated | enforced | audit_events: kye.purpose.permission.v1, kye.operating_model.spec.v1 · constitution_refs: constitution/18-OPERATING-MODEL.md |
| nist-ai-rmf.MP.1.5 | Map 1.5 — Organizational risk tolerances are determined and documented | enforced | audit_events: kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.1.6 | Map 1.6 — System requirements (e.g., 'the system shall respect the privacy of its users') are elicited from and understood by relevant AI actors | enforced | audit_events: kye.model.capability_profile.v1 · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MP.2.2 | Map 2.2 — Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1 · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MP.2.3 | Map 2.3 — Scientific integrity and TEVV considerations are identified and documented | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.assurance.audit_replay_report.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MP.3.2 | Map 3.2 — Potential costs, including non-monetary costs, that result from expected or realized AI errors or system functionality and trustworthiness are examined and documented | enforced | audit_events: kye.consequence_map.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.3.3 | Map 3.3 — Targeted application scope is specified and documented | enforced | audit_events: kye.scope.v1, kye.purpose.permission.v1 · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MP.3.4 | Map 3.4 — Processes for operator and practitioner proficiency with AI system performance and trustworthiness are defined, assessed, and documented | designed | constitution_refs: constitution/10-PARTNER.md, constitution/39-LEARN-RAIL.md |
| nist-ai-rmf.MP.3.5 | Map 3.5 — Processes for human oversight are defined, assessed, and documented in accordance with organizational policies | enforced | audit_events: kye.purpose.permission.v1, kye.approval_decision.v1 · governedui_modules: kye.governedui.module.action_approval.v1, kye.governedui.module.approval_queue.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.MP.4.2 | Map 4.2 — Internal risk controls for components of the AI system, including third-party AI technologies, are identified and documented | enforced | audit_events: kye.subprocessor.v1, kye.federation.cross_org_delegation.v1 · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/51-NO-SPOF.md |
| nist-ai-rmf.MP.5.2 | Map 5.2 — Practices and personnel for supporting regular engagement with relevant AI actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented | designed | audit_events: kye.comms.dispatch.v1, kye.signal.incident.opened.v1 · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-ai-rmf.MS.1.2 | Measure 1.2 — Appropriateness of AI metrics and effectiveness of existing controls are regularly assessed | enforced | audit_events: kye.scenario_run.v1, kye.signal.drift.detected.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.1.3 | Measure 1.3 — Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates | enforced | audit_events: kye.assurance.audit_pilot.v1 · agents: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.2.2 | Measure 2.2 — Evaluations involving human subjects meet applicable requirements (including human-subject protection) and are representative of the relevant population | enforced | audit_events: kye.consent.acceptance.v1, kye.data_use_manifest.v1 · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-ai-rmf.MS.2.3 | Measure 2.3 — AI-system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting | enforced | audit_events: kye.scenario_run.v1, kye.assurance.audit_replay_report.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.2.4 | Measure 2.4 — The functionality and behavior of the AI system and its components — as identified in the MAP function — are monitored when in production | enforced | audit_events: kye.audit_chain_entry.v1, kye.signal.drift.detected.v1 · engines: internal, internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| nist-ai-rmf.MS.2.6 | Measure 2.6 — AI system is evaluated regularly for safety risks — as identified in the MAP function | enforced | audit_events: kye.risk.score.v1, kye.scenario_run.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.2.8 | Measure 2.8 — Risks associated with transparency and accountability — as identified in the MAP function — are examined and documented | enforced | audit_events: kye.evidence.decision_map.v1, kye.evidence.pack.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.2.9 | Measure 2.9 — The AI model is explained, validated, and documented, and AI system output is interpreted within its context — as identified in the MAP function — and to inform responsible use and governance | enforced | audit_events: kye.evidence.decision_map.v1, kye.model.capability_profile.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.MS.2.10 | Measure 2.10 — Privacy risk of the AI system — as identified in the MAP function — is examined and documented | enforced | audit_events: kye.data_use_manifest.v1, kye.dsar_evidence_pack.v1 · engines: internal · constitution_refs: constitution/31-DATA-GOVERNANCE-PACK.md |
| nist-ai-rmf.MS.2.11 | Measure 2.11 — Fairness and bias — as identified in the MAP function — are evaluated and results are documented | enforced | audit_events: kye.scenario_run.v1, kye.evidence.pack.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.2.12 | Measure 2.12 — Environmental impact and sustainability of AI model training and management activities — as identified in the MAP function — are assessed and documented | designed | audit_events: kye.evidence.model_params.v1 · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MS.2.13 | Measure 2.13 — Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented | enforced | audit_events: kye.assurance.audit_replay_report.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.3.2 | Measure 3.2 — Risk tracking approaches are considered for settings where AI risks are difficult to assess using currently available measurement techniques or where metrics are not yet available | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.3.3 | Measure 3.3 — Feedback processes for end users and impacted communities to report problems and appeal system outcomes are established and integrated into AI system evaluation metrics | enforced | audit_events: kye.signal.incident.opened.v1, kye.comms.dispatch.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-ai-rmf.MS.4.2 | Measure 4.2 — Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI actors to validate whether the system is performing consistently as intended | enforced | audit_events: kye.assurance.audit_replay_report.v1, kye.approval_decision.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MG.1.4 | Manage 1.4 — Negative residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers of AI systems and end users are documented | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.2.2 | Manage 2.2 — Mechanisms are in place and applied to sustain the value of deployed AI systems | enforced | audit_events: kye.change_calendar.v1, kye.signal.drift.detected.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.2.3 | Manage 2.3 — Procedures are followed to respond to and recover from a previously unknown risk when it is identified | enforced | audit_events: kye.signal.incident.opened.v1, kye.signal.incident.closed.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.2.4 | Manage 2.4 — Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use | enforced | audit_events: kye.purpose.grant.revoked.v1, kye.signal.revocation.cascaded.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MG.3.2 | Manage 3.2 — Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance | enforced | audit_events: kye.entity.model.v1, kye.signal.drift.detected.v1 · engines: internal · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MG.4.2 | Manage 4.2 — Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI actors | enforced | audit_events: kye.signal.drift.detected.v1, kye.compliance.attestation.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.4.4 | Manage 4.4 — AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented | enforced | audit_events: kye.subprocessor.v1, kye.spof_registry.v1 · constitution_refs: constitution/51-NO-SPOF.md |
| nist-ai-rmf.GV.OC-01.2 | Playbook GV.OC-1 — Establish AI organisational risk-tolerance statements (sub-action) | enforced | audit_events: kye.risk.authority_register.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.OC-01.3 | Playbook GV.OC-1 — Document organisational risk-tolerance baseline and decay clock (sub-action) | enforced | audit_events: kye.compliance.attestation.v1 · constitution_refs: constitution/DECAY-WINDOWS.md |
| nist-ai-rmf.MP.CT-01.2 | Playbook MP.CT-1 — Document intended purposes and beneficiaries of the AI system (sub-action) | enforced | audit_events: kye.purpose_manifest.v1 · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MS.AI-01.2 | Playbook MS.AI-1 — Establish thresholds for trustworthiness measurements (sub-action) | enforced | audit_events: kye.scenario.v1, kye.risk.score.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.RR-01.2 | Playbook MG.RR-1 — Document residual risk and acceptance criteria per principal (sub-action) | enforced | audit_events: kye.risk.authority_register.v1, kye.approval_decision.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.PO-02.1 | Playbook GV.PO-2 — AI-specific procurement policies (sub-action) | designed | audit_events: kye.subprocessor.v1 · constitution_refs: constitution/26-COMMERCIAL.md |
| nist-ai-rmf.GV.AC-01.1 | Playbook GV.AC-1 — Roles and responsibilities for AI accountability (sub-action) | enforced | audit_events: kye.purpose.permission.v1, kye.risk.authority_register.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.GV.AC-02.1 | Playbook GV.AC-2 — Periodic competency assessment of AI actors (sub-action) | designed | constitution_refs: constitution/10-PARTNER.md |
| nist-ai-rmf.GV.TM-01.1 | Playbook GV.TM-1 — Multi-disciplinary team membership for AI risk management (sub-action) | advisory | audit_events: kye.stakeholder.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.SK-01.1 | Playbook GV.SK-1 — Strategies for engaging stakeholders throughout AI lifecycle (sub-action) | enforced | audit_events: kye.stakeholder.v1, kye.comms.dispatch.v1 · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-ai-rmf.MP.CR-01.1 | Playbook MP.CR-1 — Categorise AI system by capability, end users, and deployment context (sub-action) | enforced | audit_events: kye.model.capability_profile.v1, kye.entity.model.v1 · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MP.IM-01.1 | Playbook MP.IM-1 — Identify positive and negative impacts (sub-action) | enforced | audit_events: kye.consequence_map.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.RA-01.1 | Playbook MP.RA-1 — Likelihood and impact mapping per identified risk (sub-action) | enforced | audit_events: kye.risk.score.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.ME-01.1 | Playbook MS.ME-1 — Use approved methods and metrics for measurement (sub-action) | enforced | audit_events: kye.scenario.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.DC-01.1 | Playbook MS.DC-1 — Document measurement results and limitations (sub-action) | enforced | audit_events: kye.assurance.audit_replay_report.v1, kye.evidence.pack.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MG.IM-01.1 | Playbook MG.IM-1 — Document risk-management decisions (sub-action) | enforced | audit_events: kye.evidence.decision_map.v1, kye.approval_decision.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MG.RT-01.1 | Playbook MG.RT-1 — Risk treatment selection per identified risk (sub-action) | enforced | audit_events: kye.risk.score.v1, kye.purpose.admissibility.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MG.CO-01.1 | Playbook MG.CO-1 — Communicate risk-management outcomes to relevant AI actors (sub-action) | enforced | audit_events: kye.comms.dispatch.v1, kye.compliance.attestation.v1 · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-ai-rmf.GV.AC-03.1 | Playbook GV.AC-3 — Maintain audit-evidence trails for accountability (sub-action) | enforced | audit_events: kye.audit_chain_entry.v1, kye.audit_retention_policy.v1 · engines: internal · constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md |
| nist-ai-rmf.GV.PO-03.1 | Playbook GV.PO-3 — Periodic policy review (sub-action) | enforced | audit_events: kye.change_calendar.v1 · constitution_refs: constitution/DECAY-WINDOWS.md |
| nist-ai-rmf.MS.AI-02.1 | Playbook MS.AI-2 — Evaluate AI-system trustworthiness against the seven trustworthy-AI characteristics (sub-action) | enforced | audit_events: kye.assurance.audit_replay_report.v1, kye.scenario_run.v1 · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.RD-01.1 | Playbook MS.RD-1 — Recurrent measurement cadence (sub-action) | enforced | audit_events: kye.change_calendar.v1, kye.compliance.attestation.v1 · constitution_refs: constitution/DECAY-WINDOWS.md |
| nist-ai-rmf.MG.MR-01.1 | Playbook MG.MR-1 — Monitor risk after deployment (sub-action) | enforced | audit_events: kye.signal.drift.detected.v1, kye.audit_chain_entry.v1 · engines: internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| nist-ai-rmf.MG.4.1 | Manage 4.1 — Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI actors | enforced | audit_events: kye.signal.drift.detected.v1, kye.audit_chain_entry.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/35-STREAMING-LOGS.md |
| nist-ai-rmf.GV.6.3 | Govern 6.3 — Third-party data sources, models, and APIs used by the AI system are subject to acquisition and supplier risk-management processes | enforced | audit_events: kye.subprocessor.v1, kye.connector.evidence_import.v1 · constitution_refs: constitution/51-NO-SPOF.md, constitution/26-COMMERCIAL.md |
| nist-ai-rmf.GV.1.1 | Legal and regulatory requirements involving AI are understood, managed, and documented | enforced | audit_events: kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-ai-rmf.GV.1.2 | The characteristics of trustworthy AI are integrated into organisational policies and processes | enforced | audit_events: kye.purpose.permission.v1, kye.purpose.grant.v1 · engines: internal, internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.GV.1.3 | Processes, procedures, and practices are in place to determine the needed level of risk management | enforced | audit_events: kye.risk.score.v1, kye.model.capability_profile.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.2.1 | Roles, responsibilities, and lines of communication related to mapping, measuring, managing AI risks are documented | enforced | audit_events: kye.purpose.grant.v1, kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.GV.3.1 | Decision-making related to mapping, measuring, managing AI risks throughout the lifecycle is informed by a diverse team | advisory | constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.GV.4.1 | Organisational policies and practices are in place to foster a critical thinking and safety-first mindset | enforced | audit_events: kye.agent.governance.v1, kye.agent.refusal.v1 · engines: internal · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-ai-rmf.GV.5.1 | Organisational policies and practices are in place to collect, consider, prioritise, and integrate feedback from external sources | designed | audit_events: kye.resilience.improvement_record.v1 · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.6.1 | Policies and procedures are in place to address AI risks arising from third-party software, data, and other supply-chain issues | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.federation.cross_org_delegation.v1, kye.agent.mcp_allow_list.v1 · engines: internal · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-ai-rmf.GV.OV-1 | AI system performance and trustworthiness is regularly evaluated against agreed-upon metrics | enforced | audit_events: kye.compliance.attestation.v1, kye.evidence.trace_replay_spec.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.GV.IM-1 | Continual improvement of AI risk management is integrated into organisational decision-making | enforced | audit_events: kye.resilience.loop_iteration.v1, kye.resilience.improvement_record.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.1.1 | A determination is made as to whether the AI system achieves its intended purposes and stated objectives | enforced | audit_events: kye.assurance.adoption_stage.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.1.2 | Treatment of documented AI risks is prioritised based on impact, likelihood, available resources or methods | enforced | audit_events: kye.risk.authority_register.v1, kye.risk.score.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.1.3 | Responses to identified AI risks include plans, follow up, response time, communication, decisions | enforced | audit_events: kye.resilience.improvement_record.v1, kye.purpose.grant.revoked.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.2.1 | Resources required to manage AI risks are taken into account along with viable non-AI alternatives | advisory | constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MG.3.1 | AI risks and benefits from third-party resources are regularly monitored and risk controls are applied and documented | enforced | audit_events: kye.evidence.tool_call_pin.v1, kye.agent.mcp_allow_list.v1, kye.federation.cross_org_delegation.v1 · engines: internal · constitution_refs: constitution/52-DELEGATED-AGENT-BINDING.md |
| nist-ai-rmf.MG.4.1 | Post-deployment AI system monitoring plans are implemented | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stress_test.high_risk_detected.v1, kye.evidence.observed_action.v1 · engines: internal, internal · constitution_refs: constitution/35-STREAMING-LOGS.md |
| nist-ai-rmf.MG.4.3 | Incidents and errors are communicated to relevant AI actors including affected communities | enforced | audit_events: kye.signal.stress_test.high_risk_detected.v1, kye.evidence.pack.v1 · engines: internal · constitution_refs: constitution/38-COMMS-RAIL.md |
| nist-ai-rmf.MP.1.1 | Intended purposes, potentially beneficial uses, context-specific laws, norms, and expectations are understood and documented | enforced | audit_events: kye.purpose.permission.v1, kye.model.capability_profile.v1 · engines: internal · constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| nist-ai-rmf.MP.2.1 | The specific tasks and methods used to implement the tasks that the AI system will support are defined | enforced | audit_events: kye.model.capability_profile.v1, kye.model.influence_envelope.v1 · engines: internal · constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| nist-ai-rmf.MP.3.1 | Categorisation of the AI system is performed | enforced | audit_events: kye.model.capability_profile.v1, kye.risk.score.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.4.1 | Approaches for mapping AI technology and legal risks are followed | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/40-IMPLEMENTATION-CANONICAL.md |
| nist-ai-rmf.MP.5.1 | Likelihood and magnitude of each identified impact based on expected use are identified and documented | enforced | audit_events: kye.risk.score.v1, kye.evidence.decision_map.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MP.6.1 | Practices and personnel for supporting regular engagement with relevant AI actors and integrating feedback are documented | designed | audit_events: kye.resilience.improvement_record.v1 · governedui_modules: kye.governedui.module.consultants.v1, kye.governedui.module.auditors.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.MS.1.1 | Approaches and metrics for measurement of AI risks enumerated during Map function are selected for implementation | enforced | audit_events: kye.risk.score.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.2.1 | Test sets, metrics, and details about the tools used during TEVV are documented | enforced | audit_events: kye.evidence.trace_replay_spec.v1, kye.evidence.tool_call_pin.v1, kye.assurance.audit_replay_report.v1 · engines: internal, internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.2.5 | AI system performance or assurance criteria are measured qualitatively or quantitatively | enforced | audit_events: kye.assurance.audit_replay_report.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/21-DELEGATED-AUDITABILITY.md |
| nist-ai-rmf.MS.2.7 | AI system security and resilience are evaluated and documented | enforced | audit_events: kye.signal.stress_test.high_risk_detected.v1, kye.resilience.drift_event.v1, kye.compliance.attestation.v1 · engines: internal, internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.3.1 | Approaches, personnel, and documentation to detect and track existing, unanticipated, and emergent AI risks based on factors such as intended use are in place | enforced | audit_events: kye.signal.drift.detected.v1, kye.signal.stable_drift.detected.v1, kye.resilience.drift_event.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| nist-ai-rmf.MS.4.1 | Measurement approaches for identifying AI risks are connected to deployment context(s) and informed through consultation with domain experts | enforced | audit_events: kye.risk.score.v1 · engines: internal · governedui_modules: kye.governedui.module.consultants.v1 · constitution_refs: constitution/36-GOVERNEDUI.md |
| nist-ai-rmf.MS.4.3 | Measurable performance improvements or declines based on consultations with relevant AI actors are identified and documented | enforced | audit_events: kye.resilience.improvement_record.v1, kye.compliance.attestation.v1 · engines: internal · constitution_refs: constitution/13-RESILIENCE-LOOP.md |