# Mastered Frameworks, Taxonomies & Methodologies

## 1. NIST AI Risk Management Framework (AI RMF 1.0 / 1.1)

Core Functions applied in practice:
- **Govern**: Risk culture, roles, policies, risk appetite statements, escalation protocols, AI risk committee structures.
- **Map**: Context, capabilities, intended/unintended uses, stakeholder and impact analysis, pre-deployment assessments.
- **Measure**: Quantitative/qualitative methods, metrics, benchmarks, red-teaming, uncertainty characterization, calibration.
- **Manage**: Prioritization, treatment selection, monitoring, incident response, continuous improvement loops.

Used as the default organizing structure for enterprise AI risk programs.

## 2. EU Artificial Intelligence Act (Regulation (EU) 2024/1689)

Risk tiers and obligations:
- **Prohibited Practices** (Title II): Manipulative techniques, social scoring, real-time remote biometric identification in public spaces (limited exceptions), emotion recognition in workplace/education contexts.
- **High-Risk AI Systems** (Title III + Annex III): Biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration/border control, justice, and democratic processes.
- **Limited Risk / Transparency**: Chatbots, deepfakes, emotion recognition (non-high-risk), biometric categorization.
- **Minimal Risk**: Most other systems.

Maintains detailed mappings of use cases to specific articles, conformity assessment routes, and documentation requirements.

## 3. ISO/IEC 42001:2023 — AI Management Systems

Requirements for establishing, implementing, maintaining, and continually improving an AI management system, aligned with ISO 31000 risk principles. Valuable for organizations seeking certifiable governance.

## 4. Comprehensive AI Risk Taxonomy (Operational)

**Technical Risks**
- Performance & Reliability (hallucination, calibration, distributional shift, silent failures)
- Robustness & Security (adversarial examples, prompt injection, model extraction, poisoning, supply-chain attacks)
- Privacy (memorization, membership/attribute inference, inversion)
- Fairness & Bias (allocative and representational harms, feedback loops)
- Transparency, Explainability & Auditability (opacity in consequential decisions)

**Socio-Technical & Operational Risks**
- Misuse & Malicious Use (disinformation, fraud, CBRN/cyber assistance, deepfakes)
- Human-AI Interaction (over-reliance, automation bias, deskilling)
- Operational & Supply Chain (third-party model/API dependency, data pipeline failures, model deprecation)
- Environmental (compute, carbon, water intensity)

**Regulatory, Legal & Reputational Risks**
- Non-compliance, liability exposure, IP/licensing risks

**Systemic & Long-Term Risks**
- Labor displacement, power concentration, information ecosystem degradation, loss of meaningful human control, deceptive alignment, precedent effects.

## 5. Evaluation & Assurance Science

Fluent in:
- Static benchmarks vs. dynamic/adversarial testing
- Red teaming (internal, external, bug bounties)
- Model/System Cards, datasheets, third-party audits
- Scalable oversight techniques
- Production monitoring (drift detection, anomaly alerting, human escalation)
- Staged deployment with kill switches

Always communicate current methodological limitations, especially for latent misalignment in highly capable systems.
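As an added illustration of the production-monitoring item above (drift detection with human escalation), the following Python is example code written for this page, not taken from NIST, ISO or any framework text. It computes the Population Stability Index (PSI) between a reference window of model confidence scores captured at deployment and a recent production window, then maps the PSI to a monitoring action. The 0.1 / 0.25 cut-offs are the commonly used rule of thumb rather than a standard's requirement, the minimum window size is an assumed guard against sampling noise, and all score samples are constructed inline.

```python
"""Drift monitor for a deployed model's output-score distribution.

Added example (not from any framework text): computes the Population
Stability Index (PSI) between a reference window of model confidence
scores captured at deployment and a recent production window, then maps
the PSI to a monitoring action. Thresholds are the conventional
0.1 / 0.25 rule of thumb; the sample scores are constructed inline.
"""
import math
import random
from typing import Dict, List, Sequence

N_BINS = 10          # fixed-width bins over the score range [0, 1]
MIN_SAMPLES = 200    # assumed guard: PSI on tiny windows is mostly sampling noise
EPS = 1e-4           # floor so an empty bin never yields log(0)


def histogram(scores: Sequence[float], n_bins: int = N_BINS) -> List[float]:
    """Proportion of scores falling in each bin of [0, 1], floored at EPS."""
    if len(scores) < MIN_SAMPLES:
        raise ValueError(f"need at least {MIN_SAMPLES} scores, got {len(scores)}")
    counts = [0] * n_bins
    for s in scores:
        if not 0.0 <= s <= 1.0:
            raise ValueError(f"score {s} outside [0, 1]")
        counts[min(int(s * n_bins), n_bins - 1)] += 1   # clamp s == 1.0 into last bin
    return [max(c / len(scores), EPS) for c in counts]


def psi(reference: Sequence[float], production: Sequence[float]) -> float:
    """PSI = sum over bins of (p_prod - p_ref) * ln(p_prod / p_ref)."""
    ref, prod = histogram(reference), histogram(production)
    return sum((p - r) * math.log(p / r) for r, p in zip(ref, prod))


def classify(psi_value: float) -> str:
    """Map PSI to an action using the conventional 0.1 / 0.25 cut-offs."""
    if psi_value < 0.10:
        return "stable"
    if psi_value < 0.25:
        return "warn"        # moderate shift: widen monitoring, notify model owner
    return "escalate"        # significant shift: human review, consider rollback


def run_demo() -> Dict[str, Dict[str, object]]:
    """Constructed data: one reference window and two production windows."""
    rng = random.Random(7)
    reference = [rng.betavariate(6, 2) for _ in range(2000)]   # mean ~0.75
    same_dist = [rng.betavariate(6, 2) for _ in range(2000)]   # no drift
    drifted = [rng.betavariate(2, 3) for _ in range(2000)]     # mean ~0.40
    results: Dict[str, Dict[str, object]] = {}
    for name, window in (("stable", same_dist), ("drifted", drifted)):
        value = psi(reference, window)
        results[name] = {"psi": round(value, 4), "action": classify(value)}
    return results


if __name__ == "__main__":
    for name, r in run_demo().items():
        print(f"{name:8s} PSI={r['psi']:.4f} -> {r['action']}")
```

Running the module prints a "stable" verdict for the undrifted window and an "escalate" verdict for the shifted one. In practice the reference window should be refreshed deliberately (for example after a validated model update), never automatically, or a slow drift will be absorbed into the baseline and go unreported; the `escalate` branch is where the human escalation and kill-switch decision listed above attach.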