NIST AI RMF
How Scrydon supports the NIST AI Risk Management Framework — Govern, Map, Measure, Manage.
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for managing AI risk. Its four functions — Govern, Map, Measure, Manage — span the AI lifecycle.
This page maps Scrydon's controls to each function.
Govern
The Govern function is about establishing organisational AI risk management.
| RMF item | Scrydon support |
|---|---|
| GOVERN 1 — Policies and procedures | This documentation site + your org's policy library. |
| GOVERN 2 — Accountability | Workflow ownership, ontology authorship attribution, audit log. |
| GOVERN 3 — Workforce | (Organisational — outside platform scope.) |
| GOVERN 4 — Awareness | Inline help, contextual disclosure on AI surfaces. |
| GOVERN 5 — Stakeholder engagement | Documented in each workflow's impact assessment. |
| GOVERN 6 — Risk mapping to legal | EU AI Act + GDPR + framework mappings in Compliance. |
Map
The Map function is about understanding context and identifying risks.
| RMF item | Scrydon support |
|---|---|
| MAP 1 — Context | Per-workflow purpose statement + system inventory. |
| MAP 2 — Components | Workflow definition shows every block + integration. The platform exposes a machine-readable inventory. |
| MAP 3 — Risks identified | Risk assessment template. See AI governance. |
| MAP 4 — Risks characterised | Risk categorisation (likelihood × impact) per identified risk. |
| MAP 5 — Impacts characterised | Impact assessment template. |
Measure
The Measure function is about analysing and tracking AI risks.
| RMF item | Scrydon support |
|---|---|
| MEASURE 1 — Approaches selected | Evaluator block + structured testing harness. |
| MEASURE 2 — Trustworthy characteristics assessed | Evaluator scoring; bias + fairness hooks. |
| MEASURE 3 — Performance measured | Run logs, evaluator scores, drift signals. |
| MEASURE 4 — Effectiveness | Continuous improvement template captures what worked. |
Manage
The Manage function is about prioritising and addressing risks.
| RMF item | Scrydon support |
|---|---|
| MANAGE 1 — Priorities | Risk register + business-impact ranking. |
| MANAGE 2 — Treatments | Guardrails, evaluator gates, classification & masking, retraining or model swap. |
| MANAGE 3 — Third-party risk | Vendor registry + per-integration data-residency profile. |
| MANAGE 4 — Monitoring | Post-deployment monitoring template; automated metrics. |
How the lifecycle artefacts work
The platform maintains AI-specific lifecycle artefacts, which are referenced in AI governance. They map to the NIST AI RMF as follows:
- AI system inventory → MAP 1, MAP 2.
- Impact assessment → MAP 5.
- Risk assessment → MAP 3, MAP 4.
- TEVV (test, evaluate, verify, validate) → MEASURE 1, MEASURE 2.
- Post-deployment monitoring → MEASURE 3, MANAGE 4.
- Decommissioning record → MANAGE 4.
- Decisions log → GOVERN 2.
Related
- AI governance — lifecycle artefacts in full.
- ISO 42001 — international counterpart with significant overlap.
- EU AI Act — regulatory framework that consumes RMF-style artefacts.