Align GAI development and use with appli…

BackThe characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices.

This page is still being polished. If you have thoughts, please share them via the feedback form.

Data on this page is preliminary and may change. Please do not share or cite these figures publicly.

The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices.

US_NIST (2024)|LLM classified

Mitigation Taxonomy

2Organisation

2.1Oversight & Accountability

2.1.3Policies & Procedures

Governance frameworks, formal policies, and strategic alignment mechanisms.

Also in Oversight & Accountability

2.1.1 Leadership Oversight2.1.2 Roles & Accountability

LLM Classification Details

Reasoning

Integrating trustworthy AI characteristics into organizational policies, processes, and practices establishes formal governance frameworks.

Code: 2.1.3Version: v0.6Classified: Feb 6, 2026

Sub-mitigations (2)

Establish transparency policies and processes for documenting the origin and history of training data and generated data for GAI applications to advance digital content transparency, while balancing the proprietary nature of training approaches.

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Establish policies to evaluate risk-relevant capabilities of GAI and robustness of safety measures, both prior to deployment and on an ongoing basis, through internal and external evaluations.

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Other mitigations from US_NIST (2024) (260)

Legal and regulatory requirements involving AI are understood, managed, and documented.

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Legal and regulatory requirements involving AI are understood, managed, and documented. > Align GAI development and use with applicable laws and regulations, including those related to data privacy, copyright and intellectual property law.

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance.

2.1.3 Policies & Procedures

Lifecycle:Other (outside lifecycle)Actor:Governance ActorAIRM:Govern

Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance. > Consider the following factors when updating or defining risk tiers for GAI: Abuses and impacts to information integrity; Dependencies between GAI and other IT or data systems; Harm to fundamental rights or public safety; Presentation of obscene, objectionable, offensive, discriminatory, invalid or untruthful output; Psychological impacts to humans (e.g., anthropomorphization, algorithmic aversion, emotional entanglement); Possibility for malicious use; Whether the system introduces significant new security vulnerabilities; Anticipated system impact on some groups compared to others; Unreliable decision making capabilities, validity, adaptability, and variability of GAI system performance over time.

2.2.1 Risk Assessment

Lifecycle:Plan and DesignActor:Governance ActorAIRM:Govern

Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance. > Establish minimum thresholds for performance or assurance criteria and review as part of deployment approval (“go/”no-go”) policies, procedures, and processes, with reviewed processes and approval thresholds reflecting measurement of GAI capabilities and risks.

2.1.3 Policies & Procedures

Lifecycle:DeployActor:DeployerAIRM:Govern

Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization’s risk tolerance. > Establish a test plan and response policy, before developing highly capable models, to periodically evaluate whether the model may misuse CBRN information or capabilities and/or offensive cyber capabilities.

2.2.2 Testing & Evaluation

Lifecycle:Plan and DesignActor:DeveloperAIRM:Govern

View all 260 mitigations from this source →

Source Document

Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (NIST AI 600-1)

US National Institute of Standards and Technology (NIST) (2024)

This document is a cross-sectoral profile of and companion resource for the AI Risk Management Framework (AI RMF 1.0) for Generative AI, 1 pursuant to President Biden’s Executive Order (EO) 14110 on Safe, Secure, and Trustworthy Artificial Intelligence.2 The AI RMF was released in January 2023, and is intended for voluntary use and to improve the ability of organizations to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.

View source DOI: 10.6028/nist.ai.600-1

Classification

AI Lifecycle Stage

Other (outside lifecycle)

Outside the standard AI system lifecycle

Responsible Actor

Governance Actor

Regulator, standards body, or oversight entity shaping AI policy

NIST AI RMF Function

Govern

Policies, processes, and accountability structures for AI risk management

Risk Domains

Primary

6.5 Governance failure