How do I apply the NIST AI RMF Map function to an AI agent's context and use case?

To apply the NIST AI RMF Map function to an AI agent's context and use case, an organization must identify and inventory the AI system, its operating context, and potential risks. This involves documenting the system's purpose, deployment, and potential impacts, as well as maintaining an up-to-date inventory of all AI components.

Here are concrete controls for applying the NIST AI RMF Map function:

• Document System Context and Intended Purpose: The intended purpose, deployment setting, and operating context of each AI agent system should be thoroughly documented [NIST-MAP-1.1]. This includes details about the company_context.deployment and data_sensitivity.
• Maintain an AI System Inventory: An up-to-date inventory of all AI agent systems, including models, agents, tools, and data flows, must be maintained [NIST-MAP-1.5]. This is foundational for governing AI systems [NIST-MAP-1.5].
• Identify Impacts and Harms: Potential positive and negative impacts on individuals, groups, and society should be identified [NIST-MAP-5.1]. This includes assessing data sensitivity and exposure to regulated data [NIST-MAP-5.1].
• Address Third-Party Risks: Policies should address risks associated with third-party models, datasets, and tools, such as foundation model providers, fine-tunes, and plugins [NIST-GOVERN-6.1]. This includes tracking provenance, licensing, and model-update risks, and cross-maps to OWASP LLM03/LLM05 (supply chain) [NIST-GOVERN-6.1].
• Implement Context Governance: Treat context as a governed dependency, tracking its origin, validating its integrity, and embedding policy constraints within the context the agent uses for reasoning. This includes maintaining a provenance graph for every context element and enforcing segregation through structural delimiters and role-based channels.