The risk companion to the Campus AI Framework. It applies the NIST AI Risk Management Framework and its Playbook — Govern, Map, Measure, Manage — to each of the nine governance domains for higher education, so every institutional use of AI meets governance proportional to its stakes.
The NIST AI Risk Management Framework defines the outcomes; its companion Playbook turns each one into concrete suggested actions and documentation. Together they are applied to the specific AI risks in each of the nine domains of the Campus AI Framework.
The recognized framework for AI risk. Its four functions define the outcomes an institution must reach across the AI lifecycle — the culture, context, assessment, and treatment of risk.
The companion Playbook translates every outcome into suggested actions, transparency & documentation questions, and references — the how-to for achieving the framework's outcomes.
Playbook and method meet the ground truth — the specific AI risks in each domain, governed in proportion to each system's stakes through the three risk tiers.
The framework maps the full territory of institutional AI — teaching, research, decisions about people, data and systems, vendors, people, and oversight. The NIST AI RMF supplies the repeatable practice applied inside each of those domains.
Its four functions are not a linear checklist. Govern is the culture that wraps everything; Map, Measure, and Manage run continuously across the AI lifecycle.
Categorize the AI system, its purpose, and who it affects. In practice: risk tiering, the system inventory, and impact assessments before deployment.
Assess risk with quantitative and qualitative methods. In practice: bias audits, explainability standards, validation, audit trails and logging.
Act on risk in proportion to impact. In practice: human-review pathways, appeals and redress, incident response, and vendor remediation.
Each domain is a container of risks, and all four RMF functions — Govern, Map, Measure, Manage — apply to every one. Filter by area, then open a domain for its risks, full RMF mapping, a worked case study, tiers, and tools.
Risk assessment and tiering follow the NIST AI RMF: Map categorizes each system and its context, Measure assesses its risk, and Manage treats it — with the Playbook's suggested actions supplying the concrete steps at each tier. Domain 9 owns the three-tier standard; every domain applies it.
Tools that support a person who stays fully in control, with no decision authority.
Systems that inform work or decisions with meaningful human review in the loop.
Systems that make or inform decisions materially affecting people's lives and rights.
Before any consequential system deploys, Domain 6 requires an algorithmic impact assessment aligned to the RMF's Map and Measure functions — drawing on the Playbook's suggested actions and transparency & documentation questions to establish context, test for bias, and record the evidence that sets the system's tier.
The concerns most likely to fall between offices are assigned an owner and coordinating domains — the connective tissue that keeps nine domains coherent instead of siloed.
Ungoverned AI use — including by student orgs and co-curricular programs — on institutional data or infrastructure.
Disparate impact in consequential systems affecting admissions, aid, retention, hiring, and public communications.
Autonomous systems taking actions, with human-in-the-loop requirements and agent-to-agent controls.
Training-data terms, data-use restrictions, and audit rights that outpace legal and security review.
Domain 3 (decisions about people), Domain 5 (data, security & operational AI), and Domain 8 (employment) hold most consequential systems — with Domain 6 supplying the oversight that governs them all.
{{ selectedDomain.activeCase.scenario }}