Skip to content

NIST AI Risk Management Framework Mapping

Maps the ai-agent-eval-harness-healthtech reference implementation against NIST AI RMF 1.0 (AI 100-1, January 2023). The RMF defines four core functions — Govern, Map, Measure, Manage — each with subcategories. This document evaluates which subcategories the repository addresses today and which require additional work for a production deployment.

Read alongside the regulatory posture and the model card.

This is not a NIST AI RMF certification. No certification exists for the RMF; it is a voluntary framework. The purpose of this document is to honestly assess which risk management practices the reference implementation demonstrates and where gaps remain for a production deployment. The assessment is against the repository as-shipped; a forked or deployed instance would need its own assessment.

GOVERN — Establish and Maintain AI Risk Management Culture

Section titled “GOVERN — Establish and Maintain AI Risk Management Culture”
SubcategoryCurrent ImplementationGap Assessment
GOV 1.1: Legal and regulatory requirements are understoodRegulatory posture documented in the regulatory posture; FDA wellness/CDS boundary, WHO 2024 guidance, MHRA GMLP, EU AI Act articles mappedLimited to US/EU/UK/Chile frameworks; a production system would need jurisdiction-specific legal review for each deployment region
GOV 1.2: AI risk management is embedded in organisational governanceArchitecture decision records provide traceability; changes to regulatory posture, guardrails, or escalation require a decision recordNo formal governance committee or review board; single-author reference implementation
GOV 1.3: Roles and responsibilities for AI risk are definedClear module ownership: guardrails, eval harness, observability (OpenTelemetry spans per the observability decision)No separation of duties; author is developer, reviewer, and operator
GOV 1.4: Risk tolerance is documented and communicatedDocumented eval gates, CI-enforced with published pass/fail semantics on faithfulness and hallucination and binary per-case gates on refusal and escalation correctnessThresholds are binary pass/fail; no graduated risk-acceptance framework
GOV 1.5: AI systems are transparentGuardrail-decision trace on every response; citation set on every clinical assertion; model card in CHAI format; regulatory posture publicly accessibleTransparency is at the response level; no public-facing model-performance dashboard
GOV 1.6: Policies and procedures for AI risk are in placeSecurity disclosure process; secret scanning in CI; no-secrets policy; PII redaction before LLMPolicies are repository-level, not enterprise-grade; no formal incident-response playbook
GOV 1.7: Stakeholder engagementDesign informed by published regulatory guidance (FDA, WHO, MHRA); no external stakeholders formally consulted (single-author project)No patient advisory board, clinical advisory board, or external ethics review

MAP — Understand and Contextualise AI Risks

Section titled “MAP — Understand and Contextualise AI Risks”
SubcategoryCurrent ImplementationGap Assessment
MAP 1.1: Intended purposes and use cases are definedModel card “Uses and Directions” section; regulatory posture “What the agent does NOT do” list; out-of-scope enumeration enforced by eval harnessDefined for the reference implementation; a deployed product would need context-specific use-case scoping
MAP 1.2: Interrelated AI risks are identifiedNear-miss off-corpus limitation documented in the model card; sub-acute escalation gap acknowledged; generative-model probabilistic behaviour documentedSystematic cross-risk interaction analysis (e.g., how locale bias compounds with near-miss retrieval) is not performed
MAP 1.3: Constraints and limitations are understoodHonest limitations documented: 38-card single-domain KB, 315-case eval corpus, US-English vocabulary bias, negation-blind escalation, in-memory durability for human-in-the-loop reviewLimitations are documented; no formal risk-register with severity scoring
MAP 1.4: Impact to individuals and groups is assessedNo demographic input features used by the agent; locale-parity scoring addresses cross-locale fairnessNo demographic impact assessment beyond locale; no assessment of impact on populations with low health literacy or limited internet access
MAP 2.1: AI system components are documentedArchitecture decision records; the system specification; the six-node graph documented in the orchestration decision; model card AI System FactsDocumentation is thorough for the reference implementation; a production system would need operational runbooks
MAP 2.2: Data provenance is trackedThe data statement and data card document full provenance for the eval corpus and KB cards; source licensing per cardProvenance tracking covers only the shipped synthetic data; no data-lineage tracking for runtime inputs
MAP 2.3: Third-party risks are identifiedThe LLM client Protocol abstracts provider dependencies (see the LLM vendor abstraction decision); providers listed in the model card 3rd Party InformationNo formal third-party risk assessment; no BAA or contractual review with LLM providers
MAP 3.1: AI risks are assessed at each lifecycle phaseEval harness gates every code change; nightly Promptfoo red-team; eval thresholds enforced in CIRisk assessment is continuous via CI but limited to the eval dimensions scored; no broader organisational risk review at lifecycle gates
MAP 3.2: Failure modes and cascading impacts are documentedGuardrail failure modes: scope bypass, escalation miss, citation fabrication; each has a test in the eval harnessNo formal failure-mode-and-effects analysis (FMEA); cascading impacts across system boundaries not assessed
MAP 3.3: Stakeholder feedback is incorporatedNo external stakeholder feedback loop; design informed by published guidance and author field experienceA production system would need structured feedback channels from patients, clinicians, and compliance officers
SubcategoryCurrent ImplementationGap Assessment
MEASURE 1.1: Appropriate metrics are selectedSeven scorer dimensions: citation correctness, citation coverage, refusal correctness, escalation correctness, faithfulness, hallucination, cost/latency; locale-stratifiedMetrics cover safety and quality; no fairness-specific metrics beyond locale parity; no environmental impact metrics
MEASURE 1.2: AI system performance is evaluatedDeterministic CI gate (a key-free deterministic stub client, 315 cases); nightly live-model run; Promptfoo red-teamDeterministic gate is reproducible; live-model metrics are not frozen in the model card (reported in the eval reports)
MEASURE 1.3: Evaluation data is representative315 cases across 3 locales (en, es-419, pt-BR); 5 condition clusters; golden + adversarial + no-match categoriesSmall sample; no demographic stratification (no demographic data collected); US-English bias acknowledged
MEASURE 2.1: Metrics are documented and communicatedEval reports published per run; model card Key MetricsReports are generated per-run; no longitudinal tracking dashboard
MEASURE 2.2: Risk thresholds are definedHard CI-enforced gates with published pass/fail semantics on faithfulness and hallucination; binary per-case gates on refusal and escalation correctnessThresholds are crisp but not risk-adjusted; no tiered response framework (e.g., amber vs red)
MEASURE 2.3: Monitoring and feedback mechanisms existCI eval on every code change; nightly red-team; OpenTelemetry spans on every node; Langfuse Cloud and Phoenix sinks (see the observability decision)Monitoring covers the reference implementation; no production alerting, SLA monitoring, or degradation-detection pipeline
MEASURE 3.1: Bias and fairness are evaluatedLocale parity enforced: identical thresholds for en, es-419, pt-BR; refusal and escalation correctness uniform across localesNo demographic subgroup evaluation (agent takes no demographic input); locale bias limited to vocabulary, not outcome equity
MEASURE 4.1: Measurement results are used for improvementRed-team findings folded into adversarial seed bank; eval regression fails the CI eval check (a signal, not a hard merge gate - no enforced branch protection); release notes track safety-relevant changesImprovement loop is within-repository; no external audit findings or post-market surveillance data feed
SubcategoryCurrent ImplementationGap Assessment
MANAGE 1.1: Risk treatment decisions are documentedArchitecture decision records document design decisions affecting risk (the guardrails decision, the observability decision, the eval harness decision, the streaming execution graph decision)Decision records record design intent; no formal risk-register with treatment plans and residual risk acceptance
MANAGE 1.2: AI systems are designed for safe failureGuardrails fire before LLM (scope classifier, refusal templates, escalation router); citation enforcement refuses on no-match; streaming error events for post-first-byte failuresNear-miss off-corpus handling is a known gap; sub-acute escalation is left to the model
MANAGE 2.1: AI risks are mitigatedDeterministic guardrails, eval harness, PII redaction, an OpenTelemetry audit trail, content-negotiated streaming with error eventsMitigations are reference-implementation-grade; production would need additional layers (model supply-chain verification, output filtering at scale)
MANAGE 2.2: Incident response plans existSecurity disclosure process; secret scanning; known limitations documented in the model cardNo formal incident-response playbook; no on-call rotation; no severity classification scheme
MANAGE 2.3: AI system monitoring is ongoingCI eval on every code change; nightly Promptfoo red-team; OpenTelemetry spans on every turn; cost/latency gatesMonitoring is repository-level; no production alerting, anomaly detection, or automated rollback
MANAGE 3.1: AI risks are communicated to stakeholdersThe model card, regulatory posture, data statement, and the governance docs in this section are publicCommunication is passive (published documents); no active stakeholder notification process for risk changes
MANAGE 4.1: Policies and procedures are maintainedDecision-record-based change control; the regulatory posture change-control section requires a decision record for scope changes; release notes track changesPolicies are repository-level; no enterprise policy-management system; no annual policy review cycle

The reference implementation demonstrates NIST AI RMF practices in the following areas:

  • GOVERN: Decision-record-based traceability, documented regulatory posture, transparent guardrail decisions, public model card and regulatory posture
  • MAP: Defined use cases and out-of-scope boundaries, documented data provenance, identified failure modes (near-miss off-corpus, sub-acute escalation), honest limitation statements
  • MEASURE: Seven-dimension eval harness with deterministic CI gate, locale-stratified scoring, nightly adversarial testing, OpenTelemetry-traced execution
  • MANAGE: Guardrails-before-LLM architecture, decision-record-documented risk treatment, eval regression blocking changes, public disclosure process

The assessment above is honest about what is a reference-implementation demonstration versus a production-grade risk management programme. The four functions are addressed at the depth a reference artefact can reasonably demonstrate: structured documentation, automated measurement, deterministic safety controls, and transparent communication.

What the repository does not have — formal governance committees, risk registers with severity scoring, incident-response playbooks, third-party risk assessments, graduated risk-acceptance frameworks, production monitoring pipelines — is documented explicitly in the Gap Assessment column of each subcategory.

A production deployment would need to establish:

  1. Formal governance structure: AI risk committee, defined roles and responsibilities, separation of duties between developers and reviewers, stakeholder advisory boards (patient, clinical, ethics)
  2. Risk register: systematic enumeration of AI risks with severity scoring, likelihood assessment, treatment plans, residual risk acceptance, and risk owner assignment
  3. Expanded measurement: fairness metrics beyond locale parity, environmental impact assessment, demographic subgroup evaluation where applicable, longitudinal performance tracking, automated drift detection
  4. Incident response: formal IR playbook with severity classification, escalation paths, communication templates, post-incident review process, regulatory notification procedures
  5. Third-party governance: vendor risk assessments for LLM providers, BAA where applicable, contractual review for data processing, supply-chain verification for model provenance
  6. Continuous monitoring: production alerting, anomaly detection, automated rollback, degradation early-warning, SLA monitoring, capacity planning
  7. Audit readiness: evidence collection automation, audit log retention (6 years for HIPAA, as applicable), tamper-evident logging, query interface for auditors

The repository’s patterns — eval contracts, decision-record traceability, OpenTelemetry instrumentation, guardrail-first architecture — accelerate building each of these capabilities. They are the foundation, not the finished structure.