NIST AI Risk Management Framework Playbook

Many legal and regulatory considerations and requirements are applicable to AI systems. Some legal requirements can mandate (e.g., nondiscrimination, data privacy and security controls) documentation, disclosure, and increased AI system transparency. These requirements are complex and may not be applicable or differ across applications and contexts.

For example, AI system testing processes for bias measurement, such as disparate treatment, are not applied uniformly within the legal context. Disparate treatment is broadly defined as a decision that treats an individual less favorably than similarly situated individuals because of a protected characteristic such as race, sex, or other trait. Modeling algorithms or debiasing techniques that rely on demographic information, may pose higher risks in regulated environments such as employment, credit, or housing, where disparate treatment is typically avoided.

Additionally, some intended users of AI systems may not have consistent or reliable access to fundamental internet technologies (a phenomenon widely described as the “digital divide”) or may experience difficulties interacting with AI systems due to disabilities or impairments. Such factors may mean different communities experience bias or other negative impacts when trying to access AI systems. Failure to address such design issues may pose legal risks, for example in employment related activities affecting persons with disabilities.

• Maintain awareness of the legal and regulatory considerations and requirements specific to industry, sector, and business purpose, as well as the application context of the deployed AI system.
• Align risk management efforts with applicable legal standards.
• Maintain policies for training (and re-training) organizational staff about necessary legal or regulatory considerations that may impact AI-related design, development and deployment activities.

Organizations can document the following:

• To what extent has the entity defined and documented the regulatory environment—including minimum requirements in laws and regulations?
• When assessing an AI system, has existing applicable legislation or regulatory guidance been reviewed, followed and documented?
• Has the system been reviewed for its compliance to relevant laws, regulations, standards, and guidance?

AI Transparency Resources:
GAO-21-519SP: AI Accountability Framework for Federal Agencies & Other Entities. URL

Andrew Smith, “Using Artificial Intelligence and Algorithms,” FTC Business Blog (2020). URL

Rebecca Kelly Slaughter, “Algorithms and Economic Justice,” ISP Digital Future Whitepaper & YJoLT Special Publication (2021). URL

Patrick Hall, Benjamin Cox, Steven Dickerson, Arjun Ravi Kannan, Raghu Kulkarni, and Nicholas Schmidt, “A United States fair lending perspective on machine learning,” Frontiers in Artificial Intelligence 4 (2021). URL

AI Hiring Tools and the Law, Partnership on Employment & Accessible Technology (PEAT, peatworks.org). URL