The United States government published guidelines designed to help organizations limit harm from AI.
What's new: The National Institute of Standards and Technology (NIST), which recommends technology standards across a variety of industries, released the initial version of its AI Risk Management Framework.
What it says: The framework outlines principles for defining classes of potential harm, building trustworthy systems, and defending against AI-related risks as they emerge.
- Broad categories of AI-related risk include harm to people (by, say, causing medical distress or undermining civil liberties), harm to organizations (such as security breaches or financial losses), and harm to ecosystems (both natural and artificial; for example, global financial networks).
- Trustworthy AI systems are validated, privacy-enhanced, secure, explainable, fair, and accountable. Validated AI systems are accurate, reliable, and able to generalize to data and settings beyond their training. Privacy-enhanced systems protect the anonymity and confidentiality of people and their data.
- Organizations can manage emerging capabilities by mapping risks that arise from a system’s intended uses, measuring those risks, managing them according to their projected impact, and, above all, cultivating a culture of transparency around risk mitigation.
- NIST plans to evaluate the framework on an ongoing basis and will release an update in a few months.
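The map/measure/manage loop described above can be illustrated with a toy risk register. This sketch is not part of the NIST framework; the names (`Risk`, `score`, `triage`) and the likelihood-times-severity scoring rule are illustrative assumptions, one simple way an organization might rank mapped risks by projected impact.

```python
from dataclasses import dataclass

@dataclass
class Risk:
    name: str
    likelihood: float  # estimated probability of occurrence, 0..1
    impact: float      # estimated severity if it occurs, 0..10

def score(risk: Risk) -> float:
    """Projected impact: likelihood-weighted severity (an assumed metric)."""
    return risk.likelihood * risk.impact

def triage(risks: list[Risk]) -> list[Risk]:
    """Order risks so the highest projected impact is managed first."""
    return sorted(risks, key=score, reverse=True)

# A hypothetical register produced by the "map" step.
register = [
    Risk("biased predictions harm users", likelihood=0.4, impact=9.0),
    Risk("model drift degrades accuracy", likelihood=0.7, impact=4.0),
    Risk("training-data leak", likelihood=0.1, impact=10.0),
]

for r in triage(register):
    print(f"{r.name}: {score(r):.1f}")
```

In practice the "measure" step would replace these hand-picked numbers with evidence from testing and monitoring, and the scoring rule itself would be subject to the transparency the framework calls for.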
Behind the news: NIST’s framework, created in response to a 2021 order from Congress, incorporates feedback from over 240 organizations. It’s backed by corporations including IBM and Microsoft, lobbying groups such as the U.S. Chamber of Commerce, government agencies like the National Science Foundation, and think tanks like the Future of Life Institute.
Why it matters: A 2019 paper counted 84 efforts to codify best practices for managing AI risks. NIST’s effort marks a step away from this patchwork and toward guidelines that enjoy broad support and thus are more likely to be implemented.
We're thinking: A framework like this is necessarily general, and different organizations will implement it in different ways. For example, reliability means something different in healthcare than in an app that customizes selfies, and each calls for its own approach to monitoring AI systems. It will take disciplined effort to translate these high-level ideas into specific practices, but doing so is likely to head off tremendous trouble down the line.