Chapter 18 · companion worksheet

NIST AI RMF-Lite card

Four functions. Fill in the blank for your single highest-stakes AI use case before it touches a real person. If you can't answer all four, the use case doesn't ship yet.

Your top use case: ______

Govern — who owns this decision?

Not the technology — the decision. Who decides whether this use case ships, what we will never do with it, and who gets the call when it does something nobody expected?

| Key question | Our answer for the use case above |
| --- | --- |
| Who has the authority to approve or kill this use case? | ______ |
| Who gets the call at 3 a.m. if something goes wrong? | ______ |
| What will we never do with this AI, stated explicitly? | ______ |

Map — where is the risk?

For this use case, which of the twelve NIST AI 600-1 failure modes actually apply? The four that bite most often at mid-market scale are listed first.

| Failure mode | Does it apply? (Y / N / Maybe) | How it could show up here |
| --- | --- | --- |
| Confabulation — confident false output | ______ | ______ |
| Data privacy — client/employee data exposure | ______ | ______ |
| Harmful bias / homogenization — biased sorting of people | ______ | ______ |
| Human-AI configuration — reviewer rubber-stamping | ______ | ______ |
| Value chain / component integration — vendor's model, your risk | ______ | ______ |
| Intellectual property — output too close to copyrighted source | ______ | ______ |
| Information integrity — fake/synthetic content inbound | ______ | ______ |
| Information security — prompt injection, exfiltration | ______ | ______ |

Measure — how would you know it's going wrong?

Decide in advance what "this is drifting" looks like. Amazon's failure was a Measure failure: they noticed the bias eventually, but the noticing wasn't a system.

| Key question | Our answer for the use case above |
| --- | --- |
| What is the one number we watch to catch failure early? | ______ |
| Who is responsible for watching that number, and how often? | ______ |
| What threshold triggers an escalation? | ______ |
| If bias applies: what bias metric do we track, and who audited it? | ______ |

Manage — what do you do about it?

The kill switch, the human in the loop on irreversible actions, and the escalation path when Measure trips. This is the part everyone skips because nothing is wrong yet on the day you deploy.

| Key question | Our answer for the use case above |
| --- | --- |
| What is the kill switch, and who can pull it? | ______ |
| Which actions require a human sign-off before they execute? | ______ |
| What is the escalation path when Measure trips? | ______ |
| How do we communicate a problem to affected people? | ______ |

Gate check: If any cell above is blank, the use case does not ship yet. Not because a committee said so — because you can't see how you'd catch it failing.

Want a second set of eyes on this in your firm? The no-sell promise applies — if it isn't a fit, I'll tell you in the first ten minutes.