Quote

Research: Leader’s Guide to US NIST AI Risk Management Framework

The widespread integration of Artificial Intelligence (AI) and Machine Learning (ML) into the operational fabric of North American enterprises has fundamentally altered the risk landscape for regulated industries. For leaders in finance, healthcare, education, the nonprofit sector, and government, the era of unbridled experimentation has concluded. We have entered a period of “governed accountability,” characterized by a rapid shift from voluntary best practices to enforceable regulatory standards.

This report provides an exhaustive analysis of the United States regulatory environment concerning AI, with a specific focus on the National Institute of Standards and Technology (NIST) AI Risk Management Framework (AI RMF 1.0). While initially conceived as a voluntary guideline, the NIST AI RMF is rapidly calcifying into the de facto “standard of care” for AI liability, compliance, and procurement.1 Federal enforcement agencies—including the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and the Equal Employment Opportunity Commission (EEOC)—are increasingly aligning their enforcement actions with the principles enshrined in the NIST framework: Validity, Reliability, Safety, Security, Resilience, Accountability, Transparency, Explainability, Privacy, and Fairness.3

The financial and reputational penalties for non-compliance are no longer theoretical. Organizations that have failed to implement robust governance have faced significant punitive measures, ranging from the $881 million operational loss suffered by Zillow due to algorithmic model drift 5 to the five-year ban on facial recognition technology imposed on Rite Aid by the FTC.6 In the financial sector, Trident Mortgage paid over $24 million to settle allegations of algorithmic redlining, setting a precedent that neutral algorithms can still generate liability if they produce discriminatory outcomes.7

This document articulates pragmatic, step-by-step mechanisms for implementing the NIST AI RMF to mitigate these risks. It bridges the gap between high-level policy and day-to-day business operations, offering executives in regulated sectors a blueprint for sustainable, compliant AI innovation.

1. The New Regulatory Reality: From “Wild West” to “Soft Law” Compliance

For much of the last decade, AI development in the United States operated within a regulatory vacuum, guided primarily by general consumer protection statutes that were ill-equipped to address the nuances of algorithmic decision-making. This laissez-faire environment has ended. We are now navigating a complex transition phase characterized by “Soft Law”—where voluntary frameworks are utilized by regulators and courts to define “reasonable care” in the deployment of automated systems.

1.1 The NIST AI Risk Management Framework: The Gold Standard

Released in January 2023, the NIST AI RMF 1.0 is the cornerstone of the U.S. government’s strategy to promote trustworthy AI. Unlike the European Union’s AI Act, which takes a prescriptive, risk-categorization approach, the NIST RMF is a flexible, outcome-based framework designed to be adaptable across industries.3

The Framework is structured around four core functions that operate cyclically:

  1. GOVERN: Cultivating a culture of risk management at the leadership level.
  2. MAP: Identifying context and potential risks before development begins.
  3. MEASURE: Assessing, analyzing, and tracking identified risks quantitatively and qualitatively.
  4. MANAGE: Prioritizing and acting upon risks based on their projected impact.4

While the framework itself is voluntary, its adoption is becoming mandatory through indirect pressure. It provides a common lexicon for “Trustworthy AI,” allowing technical teams, legal counsel, and regulators to communicate effectively about complex probabilistic systems.

1.2 The Shift to “Hard” Enforcement Vectors

The voluntary nature of NIST is being superseded by three primary enforcement vectors that effectively mandate its adoption for regulated entities:

1.2.1 State-Level Legislation: The Colorado AI Act (SB24-205)

The Colorado AI Act, signed into law in May 2024, represents a watershed moment in U.S. AI regulation. It is the first comprehensive state law to regulate “high-risk” AI systems—those involved in consequential decisions regarding employment, housing, healthcare, and finance.

Crucially, the Act creates a legal incentive for NIST adoption. It offers an “affirmative defense” for companies that face enforcement actions if they can demonstrate that they have maintained a comprehensive risk management program aligned with a recognized framework, specifically citing the NIST AI RMF.10 This provision explicitly converts NIST compliance from a “best practice” into a potential legal shield, encouraging organizations nationwide to adopt the framework to mitigate liability exposure.

1.2.2 Federal Executive Action: Executive Order 14110

President Biden’s Executive Order 14110 (“Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”), issued in October 2023, directs federal agencies to adopt rigorous AI testing and risk management standards. By mandating that the federal government—the world’s largest customer—purchase only NIST-compliant AI systems, the EO effectively forces the private sector to align with these standards to remain eligible for government contracts.12

The Order explicitly requires the implementation of “minimum risk-management practices” for AI uses that impact rights or safety, mirroring the core functions of the NIST RMF. Agencies are required to designate Chief AI Officers (CAIOs) and establish governance boards, signaling to the private sector that governance is now a top-tier executive responsibility.12

1.2.3 Agency Enforcement: The “Joint Statement”

In April 2023, the FTC, CFPB, EEOC, and DOJ issued a “Joint Statement on Enforcement Efforts Against Discrimination and Bias in Automated Systems.” This document clarified that existing federal laws—such as the Equal Credit Opportunity Act (ECOA) and the Civil Rights Act—apply fully to AI and automated systems.14

These agencies are using their broad statutory powers to penalize “unfair and deceptive” practices involving AI. For example, the CFPB has confirmed that “complex algorithms” are not a valid excuse for failing to provide specific reasons for credit denials, effectively mandating the NIST principle of Explainability.14

2. Deconstructing the NIST AI RMF: Key Principles for Executives

To navigate this landscape, leaders must understand the specific definitions of “Trustworthy AI” as defined by NIST. These are not merely technical specifications; they are the metrics against which liability will likely be assessed in future litigation and regulatory hearings.

2.1 Validity and Reliability

The Principle: AI systems must perform as intended and produce accurate results across different conditions and over time. Reliability implies that the system functions correctly not just in a test environment, but in the chaotic real world.

The Executive Implication: This principle challenges the “deploy and forget” mentality. A model that is valid today may become invalid tomorrow due to “model drift” or changing environmental data.

  • Financial Risk: A credit model trained on 2020 economic data may be unreliable in the high-interest environment of 2024.
  • Legal Risk: Using a model known to be unreliable constitutes negligence.

Pragmatic Step: Implement continuous monitoring pipelines that track model performance against a “golden dataset” or ground truth. Establish statistical thresholds (e.g., a drift in accuracy of >5%) that trigger an automatic review or “kill switch”.5

2.2 Safety and Resilience

The Principle: Systems must not endanger human life, health, property, or the environment. They must be robust against adversarial attacks (e.g., data poisoning, prompt injection) and unforeseen edge cases.

The Executive Implication: Safety must be viewed through a “system-level” lens. A safe model placed in a poorly designed user interface can still cause harm if the human user misinterprets the output.

  • Healthcare Risk: An AI diagnostic tool might be statistically accurate but unsafe if it recommends conflicting medications due to incomplete patient history data.

Pragmatic Step: Conduct “Red Teaming” exercises where security teams actively try to break the model or force it to generate harmful content. This is a requirement under EO 14110 for high-risk models.3

2.3 Accountability and Transparency

The Principle: There must be clear human oversight (accountability), and the system’s processes must be visible and documented (transparency). “Transparency” encompasses the disclosure of when an AI is being used and access to information about how the model was trained.

The Executive Implication: “The algorithm did it” is no longer a viable defense. Boards must designate specific roles (e.g., Chief AI Officer, AI Ethics Board) responsible for AI outcomes.

  • Consumer Trust: Users must know if they are interacting with a chatbot or a human agent.

Pragmatic Step: Create “System Cards” or “Model Cards” for every AI tool in the enterprise. These documents function like nutritional labels, detailing the model’s intended use, limitations, training data, and performance metrics.4

2.4 Explainability and Interpretability

The Principle: The outputs of the AI must be understandable to the users (e.g., doctors, loan officers) and the subjects (e.g., patients, applicants).

The Executive Implication: Explainability is context-dependent. An explanation suitable for a data scientist (e.g., SHAP values) is insufficient for a consumer whose loan was denied.

  • Regulatory Compliance: The CFPB mandates that adverse action notices must provide specific, actionable reasons for denial, regardless of the technology used.

Pragmatic Step: Invest in ML Ops tools that provide interpretability layers. For high-stakes decisions, avoid “Black Box” deep learning models if simpler, interpretable models (like decision trees or regression) provide comparable accuracy.4

2.5 Privacy-Enhanced

The Principle: AI systems must respect data privacy, minimizing data collection, restricting data usage to the intended purpose, and preventing the re-identification of individuals.

The Executive Implication: Privacy in the age of Generative AI goes beyond encryption. Large Language Models (LLMs) can inadvertently memorize and regurgitate sensitive training data (PII or PHI).

  • Education/Nonprofit Risk: Protecting donor or student data from being used to train third-party public models.

Pragmatic Step: Implement strict “Data Minimization” policies. Do not feed the model more data than it strictly needs. Utilize “Federated Learning” or differential privacy techniques where possible.9

2.6 Fairness and Bias Mitigation

The Principle: Systems must not discriminate against individuals or groups based on protected characteristics (race, gender, age, disability, religion).

The Executive Implication: Fairness is the primary target of current regulatory enforcement (EEOC, CFPB, DOJ). “Algorithmic Bias” occurs when an AI replicates historical inequalities found in training data.

  • Hiring Risk: An AI trained on historical hiring data from a male-dominated industry will likely learn to penalize female applicants.

Pragmatic Step: Conduct “Fairness Through Awareness” testing. Paradoxically, this often requires collecting protected class data (which you might otherwise avoid) to statistically prove that the model is not treating those groups differently.3

3. The Core Functions: A Blueprint for Implementation

The NIST AI RMF is organized into four functions. For executives, these represent the stages of the AI governance lifecycle.

3.1 GOVERN: Establishing the Culture

Objective: Cultivate a culture of risk management. Governance is a cross-functional responsibility involving legal, compliance, technical, and business leadership.

Key ActionDescriptionNIST Sub-Category
Establish AI Oversight BodyForm a cross-functional AI Governance Committee (Legal, IT, HR, Risk) to approve high-risk use cases.Govern 1.2
Define Risk ToleranceExplicitly state what the organization will not do (e.g., “We will not use facial recognition for surveillance”).Govern 1.3
Vendor ManagementUpdate procurement policies to require AI risk assessments from all software vendors.Govern 4.1

Pragmatic Implementation: Create an AI Governance Charter. This document, signed by the Board, defines the organization’s AI principles and designates the specific roles responsible for AI risk. It should explicitly link AI risk to the broader Enterprise Risk Management (ERM) framework.18

3.2 MAP: Context and Inventory

Objective: Context is recognized and risks are identified. You cannot govern what you cannot see.

Key ActionDescriptionNIST Sub-Category
AI Inventory (BOM)Survey the organization to identify all “Shadow AI” and official AI tools. Create an “AI Bill of Materials.”Map 1.1
Impact AssessmentFor each use case, map the potential adverse impacts on rights, safety, and finances.Map 3.1
Data LineageMap the flow of data. Where does training data come from? Is there consent?Map 2.2

Pragmatic Implementation: Conduct a “Shadow AI” Audit. Survey department heads to identify unauthorized use of tools like ChatGPT or Otter.ai. Centralize this into an AI Inventory that categorizes systems by risk level (Low, Medium, High). High-risk systems (e.g., hiring, lending) trigger a full Impact Assessment.20

3.3 MEASURE: Quantification and Testing

Objective: Identified risks are assessed, analyzed, and tracked. This moves governance from qualitative feelings to quantitative facts.

Key ActionDescriptionNIST Sub-Category
Bias TestingRun statistical tests for disparate impact (e.g., Adverse Impact Ratio) on protected groups.Measure 2.6
Red TeamingEngage security teams to attack the model (prompt injection, data poisoning).Measure 2.7
Performance MetricsDefine clear metrics for validity (accuracy, precision, recall) and track them.Measure 1.1

Pragmatic Implementation: Adopt a “TEVV” (Test, Evaluate, Verify, Validate) methodology. Before any high-risk model is deployed, it must pass a “gate” where its bias metrics and performance metrics are reviewed by an independent internal team (e.g., Internal Audit).10

3.4 MANAGE: Mitigation and Monitoring

Objective: Risks are prioritized and acted upon. This is the operational phase of governance.

Key ActionDescriptionNIST Sub-Category
Human-in-the-LoopEnsure high-stakes decisions require human review. Counteract “automation bias.”Manage 2.3
Kill SwitchesImplement automated mechanisms to shut down a model if performance drifts below a threshold.Manage 3.3
Incident ResponseCreate specific protocols for AI failures (e.g., “The chatbot hallucinated a racial slur”).Manage 4.3

Pragmatic Implementation: Develop Standard Operating Procedures (SOPs) for human reviewers. A human who blindly accepts an AI recommendation is not a control; they are a liability. Training must emphasize critical evaluation of AI outputs.23

4. Sector-Specific Analysis: Finance

4.1 Regulatory Environment

The financial sector faces the most mature regulatory environment for AI. The Consumer Financial Protection Bureau (CFPB) and federal banking regulators (OCC, Fed, FDIC) have made it clear that existing fair lending laws apply to AI.

  • ECOA & Regulation B: Lenders must provide specific reasons for adverse actions (denials). ” The model score was too low” is insufficient.
  • SR 11-7: The Federal Reserve’s guidance on Model Risk Management (MRM) is being updated to include AI/ML, emphasizing validation and governance.14

4.2 NIST Application: Fairness & Explainability

Financial institutions must focus heavily on the NIST Map and Measure functions to detect “digital redlining.” Marketing algorithms that optimize for “cost per click” may inadvertently exclude minority neighborhoods, creating fair lending violations.

4.3 Case Study: Trident Mortgage Company ($24.4 Million)

  • The Organization: Trident Mortgage (owned by Berkshire Hathaway).
  • The Violation: Redlining (discrimination against majority-minority neighborhoods) in the Philadelphia area.
  • The Mechanism: Trident’s marketing strategies and loan officer distribution—aided by data analysis—avoided minority areas. While not a pure “AI” case, it illustrates the liability of data-driven exclusion.
  • The Penalty: $24.4 Million total settlement ($18.4M loan subsidy fund, $4M civil penalty, $2M advertising spend).7
  • NIST Analysis: A failure of the Map function. Trident failed to map the demographic impact of its marketing strategy. A NIST-aligned impact assessment would have revealed the disparity in loan applications from protected vs. non-protected neighborhoods.

4.4 Case Study: Meta/Facebook Housing Ads ($115,054 + Engineering Costs)

  • The Organization: Meta (Facebook).
  • The Violation: The “Special Ad Audience” tool allowed housing advertisers to exclude users based on race, gender, and zip code, violating the Fair Housing Act.
  • The Mechanism: The algorithm optimized ad delivery based on “Lookalike” profiles, which served as proxies for protected characteristics.
  • The Penalty: A $115,054 civil penalty (the maximum allowed under FHA) plus a massive engineering mandate. Meta was forced to disable the tool and build a new “Variance Reduction System” (VRS) to ensure ad audiences matched eligible populations.27
  • NIST Analysis: A failure of Fairness and Measure. The algorithm was optimizing for engagement without measuring for demographic skew. The settlement effectively forced Meta to implement the NIST Manage function by building a corrective mechanism (VRS) into the product.

5. Sector-Specific Analysis: Healthcare

5.1 Regulatory Environment

Healthcare AI is governed by the Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR).

  • Section 1557 (ACA): Prohibits discrimination in health programs. The Biden administration has proposed rules explicitly applying this to clinical algorithms.
  • HIPAA: Governs data privacy. AI tools that process Protected Health Information (PHI) must be HIPAA-compliant.
  • FDA: Regulates AI as a Medical Device (SaMD), though many operational AI tools fall outside this scope.30

5.2 NIST Application: Validity & Reliability

In healthcare, Validity is paramount. An algorithm that works in a research hospital may fail in a rural clinic due to data shifts. Safety is also critical; a chatbot giving incorrect medical advice can cause physical harm.

5.3 Case Study: Optum / UnitedHealth (Racial Bias)

  • The Organization: Optum (UnitedHealth Group).
  • The Violation: An algorithm used to manage care for millions of patients systematically discriminated against Black patients.
  • The Mechanism: The algorithm used “healthcare cost” as a proxy for “health need.” Because Black patients historically incur lower costs (due to systemic access barriers), the model erroneously concluded they were healthier than White patients with the same conditions.
  • The Implication: Black patients were denied access to extra care management programs.
  • The Outcome: While the financial settlement details were not public in the snippets, the case triggered a massive regulatory review and is cited as the textbook example of proxy bias in AI.32
  • NIST Analysis: A catastrophic failure of validity and Map. The developers failed to understand the context (Map) that “cost” does not equal “need” in a system with unequal access.

5.4 Case Study: Rite Aid (Facial Recognition Ban)

  • The Organization: Rite Aid.
  • The Violation: Use of facial recognition technology to identify shoplifters without reasonable safeguards.
  • The Mechanism: The system used low-quality images from security cameras, leading to thousands of false positives, disproportionately affecting women and people of color.
  • The Penalty: 5-Year Ban on the use of facial recognition technology. No monetary fine was cited, but the operational cost of losing a security tool and the reputational damage were immense.6
  • NIST Analysis: A failure of Measure. The FTC cited Rite Aid’s failure to “test, assess, measure, document, or inquire about the accuracy” of the technology. They deployed a tool without validating its reliability—a direct violation of NIST principles.

6. Sector-Specific Analysis: Education

6.1 Regulatory Environment

Education leaders must navigate FERPA (Family Educational Rights and Privacy Act) and state-level student data privacy laws.

  • Department of Education Guidance: Emphasizes “Human in the Loop” (HITL) for AI in grading and instruction.35
  • State Legislation: States like California and Illinois have strict laws on student data, which prohibit using student data to train commercial models without consent.37

6.2 NIST Application: Privacy & Fairness

Schools are often buyers, not builders. The NIST Govern function is critical for procurement. Schools must demand transparency from EdTech vendors about how their AI models were trained and whether they perpetuate bias.

6.3 Case Study: iTutorGroup ($365,000 Settlement)

  • The Organization: iTutorGroup (English tutoring services).
  • The Violation: Age discrimination in hiring.
  • The Mechanism: The company’s AI-powered hiring software was programmed to automatically reject female applicants over 55 and male applicants over 60.
  • The Penalty: $365,000 settlement with the EEOC.39
  • NIST Analysis: A failure of Govern and Fairness. This was likely an intentional feature (or a heavily hard-coded rule) rather than a subtle ML bias. A governance review of the software’s logic would have identified this illegal parameter immediately. The settlement required iTutorGroup to invite rejected applicants to reapply—a significant operational burden.

7. Sector-Specific Analysis: Nonprofit & Government

7.1 Nonprofit Sector

Nonprofits face a unique “Trust” challenge. They rely on donor goodwill.

  • Risk: Using AI for donor profiling or generative AI for communications can erode trust if not disclosed.
  • NIST Application: Transparency. Nonprofits should clearly label AI-generated content.
  • IRS Scrutiny: The IRS is increasingly using AI for audits, and tax-exempt organizations must ensure their own AI use aligns with their exempt purpose.41

7.2 Government Sector

Government agencies are bound by EO 14110. They are the primary adopters of the NIST framework.

  • Risk: Public sector AI must be accountable to the citizenry. “Black Box” decisions on benefits or policing are constitutionally suspect (Due Process).
  • NIST Application: Accountability and Rights-Preserving AI. Agencies must conduct rigorous impact assessments before deploying AI that affects civil rights.

8. The Cost of Algorithmic Failure: A Business Case

While regulatory fines are significant, the operational cost of bad AI can be existential. This case study demonstrates that governance is not just about compliance—it is about business survival.

8.1 Case Study: Zillow Offers ($881 Million Loss)

  • The Organization: Zillow.
  • The Initiative: Zillow Offers (iBuying). The company used an AI algorithm (“Zestimate”) to predict home prices, buy homes directly from sellers, renovate them, and flip them for a profit.
  • The Failure: Model Drift and Reliability.
  • The Mechanism: The algorithm was trained on historical data. When the COVID-19 pandemic caused housing market volatility to spike, the model failed to accurately predict future prices. It continued to bid aggressively on homes even as the market cooled.
  • The Consequence: Zillow purchased thousands of homes at inflated prices. When it tried to sell them, it realized the error.
  • The Penalty: $881 Million in losses. Zillow was forced to shut down the entire Zillow Offers division and lay off 25% of its workforce (approx. 2,000 employees).5
  • NIST Analysis: A catastrophic failure of Manage and Measure.
  • Measure: Zillow failed to adequately stress-test the model for high-volatility scenarios (“tail risk”).
  • Manage: They lacked a “human-in-the-loop” circuit breaker. When the model’s bidding behavior became aggressive, there was no governance mechanism to pause operations and re-evaluate the model’s validity. They trusted the “Black Box” over market fundamentals.

9. Pragmatic Implementation Roadmap: The First 90 Days

For senior consultants advising North American executives, this roadmap provides a structured approach to implementing NIST AI RMF.

Phase 1: Discovery & Governance (Days 0-30)

  1. Form the AI Steering Committee:
  • Members: Legal, Risk, IT, Data Science, HR, Business Units.
  • Deliverable: An AI Charter defining the organization’s risk appetite (e.g., “We embrace GenAI for internal efficiency but ban it for code generation without human review”).
  1. The “AI Bill of Materials” (Inventory):
  • Action: Launch a survey to map all AI tools.
  • Question: “Are you using any tool that generates content, makes predictions, or automates decisions?”
  • Deliverable: A master list of AI assets categorized by risk (High/Medium/Low).

Phase 2: Assessment & Measurement (Days 31-60)

  1. Risk Mapping Workshop:
  • Action: For every “High Risk” system (e.g., hiring, lending, medical), conduct a workshop to map potential harms.
  • Tool: Use the NIST AI RMF Playbook’s mapping questions.
  • Deliverable: An Algorithmic Impact Assessment (AIA) for each high-risk tool.
  1. Vendor Risk Assessment:
  • Action: Review contracts for top 5 AI vendors.
  • Requirement: Send a questionnaire asking for their “Model Card” or “System Card.” Ask: “How was this model trained? How do you test for bias?”

Phase 3: Operationalization (Days 61-90)

  1. Establish “Kill Switches”:
  • Action: Define performance thresholds for critical models.
  • Rule: “If accuracy drops below 85% or bias metrics exceed 5% variance, the system alerts Compliance.”
  1. Human-in-the-Loop (HITL) Training:
  • Action: Train staff who interact with AI outputs.
  • Curriculum: How to spot hallucinations, how to challenge the AI’s recommendation, and the legal requirement for human oversight.

10. Future Outlook: 2025 and Beyond

The regulatory landscape is moving fast. Executives must prepare for the next wave of challenges.

  • Agentic AI: As AI moves from “chatbots” to “agents” that can take actions (e.g., booking flights, transferring money), liability will shift from information to action. NIST is updating its frameworks to address these autonomous risks.45
  • Generative AI Profile: NIST released the NIST AI 600-1 (Generative AI Profile) in July 2024. This document provides specific guidance for LLMs, focusing on risks like hallucinations, data leakage, and chemical/biological weapon generation. Adoption of this profile will likely become the standard for GenAI governance.17
  • Global Alignment: The NIST AI RMF is increasingly aligning with ISO/IEC 42001 (the international standard for AI Management Systems). Organizations that align with NIST today will find it easier to certify to ISO 42001 tomorrow, facilitating global business.47

Conclusion

The era of unregulated AI experimentation is over. For leaders in regulated industries, the NIST AI Risk Management Framework provides the only viable roadmap for sustainable innovation. By treating AI risks—validity, safety, fairness, and privacy—with the same rigor as financial or cybersecurity risks, organizations can innovate at speed while shielding themselves from the growing wave of regulatory enforcement and litigation.

The choice is no longer between “innovation” and “compliance.” It is between “governed AI” and “liability.” The case studies of Zillow, Rite Aid, and Trident Mortgage prove that the cost of governance is a fraction of the cost of failure.

Appendix: Summary of Key NIST RMF Functions & Regulatory Alignment

NIST FunctionCore ActivityKey Regulatory DriverExecutive Deliverable
GOVERNEstablish culture, roles, and policies.EO 14110 (Agencies must designate CAIOs).AI Governance Charter; AI Risk Policy.
MAPContextualize risks and inventory systems.Colorado SB24-205 (High-risk system classification).AI Inventory (BOM); Impact Assessments.
MEASUREQuantify risks (bias, accuracy, drift).CFPB / ECOA (Fair lending testing).Bias Audit Reports; Model Performance Dashboards.
MANAGEMitigate risks and prioritize resources.FTC Act (Preventing unfair practices).Incident Response Plan; HITL SOPs; Kill Switches.

Works cited

  1. Understanding the NIST AI Risk Management Framework – databrackets, accessed February 9, 2026, https://databrackets.com/blog/understanding-the-nist-ai-risk-management-framework/
  2. Catastrophic Liability: Managing Systemic Risks in Frontier AI Development – arXiv, accessed February 9, 2026, https://arxiv.org/html/2505.00616v2
  3. NIST AI Risk Management Framework: A simple guide to smarter AI governance – Diligent, accessed February 9, 2026, https://www.diligent.com/resources/blog/nist-ai-risk-management-framework
  4. Safeguard the Future of AI: The Core Functions of the NIST AI RMF – AuditBoard, accessed February 9, 2026, https://auditboard.com/blog/nist-ai-rmf
  5. Zillow — A Cautionary Tale of Machine Learning – causaLens, accessed February 9, 2026, https://causalai.causalens.com/resources/blog/zillow-a-cautionary-tale-of-machine-learning/
  6. FTC Announces Groundbreaking Action Against Rite Aid for Unfair Use of AI – WilmerHale, accessed February 9, 2026, https://www.wilmerhale.com/en/insights/blogs/wilmerhale-privacy-and-cybersecurity-law/20240111-ftc-announces-groundbreaking-action-against-rite-aid-for-unfair-use-of-ai
  7. CFPB, DOJ Order Trident Mortgage Company to Pay More Than $22 Million for Deliberate Discrimination Against Minority Families, accessed February 9, 2026, https://www.consumerfinance.gov/about-us/newsroom/cfpb-doj-order-trident-mortgage-company-to-pay-more-than-22-million-for-deliberate-discrimination-against-minority-families/
  8. AI Risk Management Framework | NIST – National Institute of Standards and Technology, accessed February 9, 2026, https://www.nist.gov/itl/ai-risk-management-framework
  9. Artificial Intelligence Risk Management Framework (AI RMF 1.0) – NIST Technical Series Publications, accessed February 9, 2026, https://nvlpubs.nist.gov/nistpubs/ai/nist.ai.100-1.pdf
  10. Colorado SB24-205 Consumer Protection Law, accessed February 9, 2026, https://www.coloradosb205.com/
  11. SB24-205 Consumer Protections for Artificial Intelligence | Colorado …, accessed February 9, 2026, https://leg.colorado.gov/bills/sb24-205
  12. Safe, Secure, and Trustworthy Development and … – Federal Register, accessed February 9, 2026, https://www.federalregister.gov/documents/2023/11/01/2023-24283/safe-secure-and-trustworthy-development-and-use-of-artificial-intelligence
  13. Highlights of the 2023 Executive Order on Artificial Intelligence for Congress, accessed February 9, 2026, https://www.congress.gov/crs-product/R47843
  14. JOINT STATEMENT ON ENFORCEMENT EFFORTS AGAINST …, accessed February 9, 2026, https://www.ftc.gov/system/files/ftc_gov/pdf/EEOC-CRT-FTC-CFPB-AI-Joint-Statement%28final%29.pdf
  15. EEOC Chair Burrows Joins DOJ, CFPB, And FTC Officials to Release Joint Statement on Artificial Intelligence (AI) and Automated Systems | U.S. Equal Employment Opportunity Commission, accessed February 9, 2026, https://www.eeoc.gov/newsroom/eeoc-chair-burrows-joins-doj-cfpb-and-ftc-officials-release-joint-statement-artificial
  16. NIST AI Risk Management Framework (AI RMF) – Palo Alto Networks, accessed February 9, 2026, https://www.paloaltonetworks.com/cyberpedia/nist-ai-risk-management-framework
  17. NIST AI RMF 2025 Updates: What You Need to Know About the Latest Framework Changes, accessed February 9, 2026, https://www.ispartnersllc.com/blog/nist-ai-rmf-2025-updates-what-you-need-to-know-about-the-latest-framework-changes/
  18. CISO Perspectives: A Practical Guide to Implementing the NIST AI Risk Management Framework (AI RMF) – A-Team Chronicles, accessed February 9, 2026, https://www.ateam-oracle.com/ciso-perspectives-a-practical-guide-to-implementing-the-nist-ai-risk-management-framework-ai-rmf
  19. Cyber and AI Oversight Disclosures: What Companies Shared in 2025, accessed February 9, 2026, https://corpgov.law.harvard.edu/2025/10/28/cyber-and-ai-oversight-disclosures-what-companies-shared-in-2025/
  20. How To Align with the NIST AI RMF: Step-by-Step Playbook – CyberSaint, accessed February 9, 2026, https://www.cybersaint.io/blog/nist-ai-rmf-playbook
  21. A Checklist for the NIST AI Risk Management Framework – AuditBoard, accessed February 9, 2026, https://auditboard.com/blog/a-checklist-for-the-nist-ai-risk-management-framework
  22. A Deep Dive into Colorado’s Artificial Intelligence Act – National Association of Attorneys General, accessed February 9, 2026, https://www.naag.org/attorney-general-journal/a-deep-dive-into-colorados-artificial-intelligence-act/
  23. State AI Guidance for Education, accessed February 9, 2026, https://www.aiforeducation.io/ai-resources/state-ai-guidance
  24. Human-Centered AI Guidance for K-12 Public Schools – OSPI, accessed February 9, 2026, https://ospi.k12.wa.us/sites/default/files/2024-08/comprehensive-ai-guidance-accessible-format_0.pdf
  25. AI in Lending: AI Credit Regulations Affecting Lending Business 2025 – HES FinTech, accessed February 9, 2026, https://hesfintech.com/blog/all-legislative-trends-regulating-ai-in-lending/
  26. Justice Department and Consumer Financial Protection Bureau Secure Agreement with Trident Mortgage Company to Resolve Lending Discrimination Claims, accessed February 9, 2026, https://www.justice.gov/archives/opa/pr/justice-department-and-consumer-financial-protection-bureau-secure-agreement-trident-mortgage
  27. DOJ Provides Settlement Update with Meta Over Allegedly Discriminatory Housing Advertising Practices | Consumer Financial Services Law Monitor, accessed February 9, 2026, https://www.consumerfinancialserviceslawmonitor.com/2023/01/doj-provides-settlement-update-with-meta-over-allegedly-discriminatory-housing-advertising-practices/
  28. Justice Department finalizes compliance metrics for Meta’s (formerly Facebook) target advertising system pursuant to settlement | Consumer Finance Monitor, accessed February 9, 2026, https://www.consumerfinancemonitor.com/2023/01/30/justice-department-finalizes-compliance-metrics-for-metas-formerly-facebook-target-advertising-system-pursuant-to-settlement/
  29. Meta to Change Ad Technology as Part of Settled DOJ Lawsuit – GovTech, accessed February 9, 2026, https://www.govtech.com/public-safety/meta-to-change-ad-technology-as-part-of-settled-doj-lawsuit
  30. How President Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence Addresses Health Care | Crowell & Moring LLP, accessed February 9, 2026, https://www.crowell.com/en/insights/client-alerts/how-president-bidens-executive-order-safe-secure-and-trustworthy-artificial-intelligence-addresses-health-care
  31. What are the Penalties for HIPAA Violations? 2026 Update, accessed February 9, 2026, https://www.hipaajournal.com/what-are-the-penalties-for-hipaa-violations-7096/
  32. Healthcare algorithm used across America has dramatic racial biases – The Guardian, accessed February 9, 2026, https://www.theguardian.com/society/2019/oct/25/healthcare-algorithm-racial-biases-optum
  33. The legal doctrine that will be key to preventing AI discrimination – Brookings Institution, accessed February 9, 2026, https://www.brookings.edu/articles/the-legal-doctrine-that-will-be-key-to-preventing-ai-discrimination/
  34. Rite Aid Banned from Using AI Facial Recognition After FTC Says …, accessed February 9, 2026, https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without
  35. Artificial Intelligence (AI) Guidance | U.S. Department of Education, accessed February 9, 2026, https://www.ed.gov/about/ed-overview/artificial-intelligence-ai-guidance
  36. U.S. Department of Education Issues Guidance on Artificial Intelligence Use in Schools, Proposes Additional Supplemental Priority, accessed February 9, 2026, https://www.ed.gov/about/news/press-release/us-department-of-education-issues-guidance-artificial-intelligence-use-schools-proposes-additional-supplemental-priority
  37. States Focused on Responsible Use of AI in Education during the 2025 Legislative Session, accessed February 9, 2026, https://cdt.org/insights/states-focused-on-responsible-use-of-ai-in-education-during-the-2025-legislative-session/
  38. Artificial Intelligence 2025 Legislation – National Conference of State Legislatures, accessed February 9, 2026, https://www.ncsl.org/technology-and-communication/artificial-intelligence-2025-legislation
  39. EEOC Settles Over Recruiting Software in Possible First Ever AI-related Case – Akin Gump, accessed February 9, 2026, https://www.akingump.com/en/insights/blogs/ag-data-dive/eeoc-settles-over-recruiting-software-in-possible-first-ever-ai-related-case
  40. EEOC Secures First Workplace Artificial Intelligence Settlement | Insights, accessed February 9, 2026, https://www.gtlaw.com/en/insights/2023/8/eeoc-secures-first-workplace-artificial-intelligence-settlement
  41. IRS Audits and the Emerging Role of AI in Enforcement | Insights – Holland & Knight, accessed February 9, 2026, https://www.hklaw.com/en/insights/publications/2025/11/irs-audits-and-the-emerging-role-of-ai-in-enforcement
  42. Nonprofits Under Fire: How the IRS Can — and Cannot — Revoke Federal Tax-Exempt Status, accessed February 9, 2026, https://tnpa.org/nonprofits-under-fire-how-the-irs-can-and-cannot-revoke-federal-tax-exempt-status/
  43. How did Zillow get AI so wrong – YouTube, accessed February 9, 2026, https://www.youtube.com/watch?v=pKY7-wC_MN4
  44. How Covid Broke Zillow’s Pricing Algorithm – DeepLearning.AI, accessed February 9, 2026, https://www.deeplearning.ai/the-batch/price-prediction-turns-perilous/
  45. Draft NIST Guidelines Rethink Cybersecurity for the AI Era, accessed February 9, 2026, https://www.nist.gov/news-events/news/2025/12/draft-nist-guidelines-rethink-cybersecurity-ai-era
  46. Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile – NIST Technical Series Publications, accessed February 9, 2026, https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
  47. Understanding the NIST AI RMF Framework | LogicGate Risk Cloud, accessed February 9, 2026, https://www.logicgate.com/blog/understanding-the-nist-ai-rmf-framework/

This article was written with my brain and two hands (primarily) with the help of Google Gemini, ChatGPT, Claude, and other wondrous toys.

Leave a comment