AI Governance Newsletter

NIST AI RMF: The MEASURE Function (It's Not What You Think)


Hey Reader

The NIST AI RMF has four functions: GOVERN, MAP, MEASURE, MANAGE.

Most GRC professionals stop at GOVERN and MAP.

That’s a mistake.

MEASURE is where governance gets technical, and it’s exactly where your skills translate.

What Is MEASURE?

MEASURE = assessing and benchmarking AI risks. It covers four categories:

  1. Risk Measurement: How do we quantify AI risk?
  2. Validation: Is the model performing as expected?
  3. Testing & Evaluation: Have we tested for bias, security, and robustness?
  4. Documentation: Can we explain our testing methodology?

Sound familiar? It should.

If you've worked as a GRC professional, you have built risk heat maps, scored likelihood and impact, and tracked KRIs. MEASURE is that same discipline applied to AI systems.

The Bridge: Governance Questions, Not Tech Questions

Here’s what operationalizing MEASURE looks like in practice. The next time you sit down with a data science or AI/ML team, ask these four questions:

“What metrics are you using to measure model accuracy?”

“Have you tested for disparate impact across protected classes?”

“What’s your false positive/false negative rate and is that acceptable for this use case?”

“How do you monitor for model drift in production?”

None of those are engineering questions.

They are governance questions applied to AI.

And they are exactly the kind of questions your auditors, regulators, and boards are going to start asking - if they haven’t already.

Your Takeaway

You don’t need to build the models. You need to govern them.

MEASURE gives you the vocabulary to do that. Start with those four questions. Work them into your next AI risk review. Watch what happens when you ask a data science team if they’ve documented their testing methodology.

That’s where AI governance gets real.

Until next week,

~ Francois B. Arthanas
