
In [None]:
# One-line summary of each NIST AI RMF core function.
# Keys are inserted in the order GOVERN, MAP, MEASURE, MANAGE, which is
# the order the printed dict shows.
summary = dict(
    GOVERN="Set policy, roles, accountability, oversight.",
    MAP="Understand system, data, context, stakeholders, risks.",
    MEASURE="Define and compute metrics to evaluate behavior.",
    MANAGE="Operate, remediate, monitor, and reduce risk.",
)
print(summary)

In [None]:
# Each example AI risk is paired with the RMF functions that address it.
# A risk may belong to more than one function; the list order is the
# author's and is preserved in the printed output.
risk_mapping = dict(
    data_bias=["MAP", "MEASURE"],
    model_drift=["MEASURE", "MANAGE"],
    regulatory_non_compliance=["GOVERN", "MANAGE"],
)
print(risk_mapping)

In [None]:
# Dataset-quality checklist: criterion name -> the evidence a reviewer
# expects to see for it. These are descriptive labels only; nothing in
# this cell measures or enforces them.
dataset_checklist = dict(
    [
        ("accuracy", "labels validated; correctness rate measured"),
        ("completeness", "no missing critical fields"),
        ("consistency", "consistent data types and formats"),
        # Provenance is the item that lets a reviewer trace where the data came from.
        ("provenance", "source documented"),
        ("freshness", "recent enough for use case"),
        ("representativeness", "coverage across groups"),
        ("label_quality", "inter-annotator agreement measured"),
        ("noise_rate", "duplicate/corrupted entries flagged"),
        ("bias_assessment", "disparate-impact metrics checked"),
        ("documentation", "schema + sampling method included"),
    ]
)
print(dataset_checklist)

In [None]:
# Plain-text contrast between systemic risk and model risk.
# The text starts and ends with a newline, so the printed block is
# surrounded by blank lines.
comparison = (
    "\n"
    "Systemic Risk: comes from broader ecosystem interactions, incentives, downstream use.\n"
    "Model Risk: comes from errors/bias inside a specific model.\n"
    "Systemic risk needs governance; model risk needs technical evaluation.\n"
)
print(comparison)

In [None]:
# Governance artifacts expected to exist before a model is deployed.
# The list is assembled in pairs for readability; the resulting order is
# the same as a single flat literal.
artifacts = (
    ["risk_register", "model_card"]
    + ["data_provenance_report", "privacy_assessment"]
    + ["harm_taxonomy_and_mitigation_plan", "access_control_policy"]
    + ["monitoring_plan", "regulatory_compliance_mapping"]
)
print(artifacts)

In [None]:
# Blank risk-register entry. Free-text fields start as "" and fields
# that have no value yet (identifier, dates, residual risk) start as None.
# This is a single shared dict: take a copy (e.g. dict(risk_register))
# for each real entry rather than filling in the template itself.
risk_register = {"id": None}
risk_register.update(
    dict.fromkeys(
        ("risk", "likelihood", "impact", "owner", "mitigation", "status"),
        "",
    )
)
risk_register.update(
    dict.fromkeys(("detection_date", "residual_risk", "review_date"))
)
print(risk_register)

In [None]:
# Questions a reviewer asks during the MAP function, in the order they
# are printed.
map_questions = [
    "What data sources trained the model?",  # training-data origin
    "What is the intended use and prohibited uses?",  # scope of acceptable use
    "Who are the stakeholders?",  # who is affected or accountable
    "What is the data lineage?",  # how the data reached the model
    "What deployment constraints apply?",  # limits on where/how it runs
]
print(map_questions)

In [None]:
# Contextual integrity: a short definition plus one example of a flow
# that breaks it (data shared in one context resurfacing in another).
contextual_integrity = dict(
    definition="Data use must match contextual norms and expectations.",
    failure_example="Health data used by a chatbot appears in public forum responses.",
)
print(contextual_integrity)

In [None]:
# Markdown table contrasting the NIST AI RMF with ISO 42001.
# Rows are joined with newlines and wrapped in a leading and trailing
# newline, so the printed table is surrounded by blank lines.
table = (
    "\n"
    + "\n".join(
        [
            "| Aspect | NIST AI RMF | ISO 42001 |",
            "|-------|--------------|-----------|",
            "| Purpose | Risk mgmt guidance | AI management system standard |",
            "| Scope | Lifecycle functions | Org-level governance |",
            "| Focus | Practical eval + metrics | Auditable processes |",
            "| Cert | No certification | Certification-oriented |",
            "| Artifacts | Metrics, dashboards | Policies, procedures |",
        ]
    )
    + "\n"
)
print(table)

In [None]:
# Names of three measurable trustworthiness indicators.
# These are labels only; no metric is computed in this cell.
trust_indicators = [
    "safety_violation_rate",  # share of outputs that breach a safety rule
    "expected_calibration_error",  # gap between stated confidence and accuracy
    "hallucination_rate",  # share of outputs with unsupported content
]
print(trust_indicators)

In [None]:
# Two incident categories for the MANAGE function, each mapped to the
# condition that triggers it.
incident_categories = dict(
    safety_incident="Triggered when model outputs cause or risk harm.",
    security_privacy_incident="Triggered on data exposure or unauthorized access.",
)
print(incident_categories)

In [None]:
# What an evaluation pipeline contributes to MEASURE, plus three example
# metric names. The names are labels; nothing here computes them.
measure_info = dict(
    role="Pipelines compute metrics and convert raw outputs into measurable signals.",
    metrics=["safety_violation_rate", "drift_metric", "refusal_precision_recall"],
)
print(measure_info)

In [None]:
# Lightweight NIST-aligned mitigation workflow
# Ordered mitigation steps; list position is the execution order.
mitigation_workflow = [
    "identify_issue",  # 1
    "assess_severity_and_root_cause",  # 2
    "prioritize_in_risk_register",  # 3
    "apply_mitigation",  # 4
    "monitor_effectiveness",  # 5: check that the fix actually held
    "document_and_update_governance",  # 6: feed the outcome back into policy
]
print(mitigation_workflow)

In [None]:
# The RMF lifecycle restated as six analyst review steps, in order.
# The list is built in three pairs; the result equals one flat literal.
review_steps = (
    ["review_governance_and_intended_use", "inventory_data_model_and_assets"]
    + ["define_metrics_and_tests", "run_evaluation_pipelines"]
    + ["triage_and_mitigate_issues", "report_findings_and_update_risk_docs"]
)
print(review_steps)

In [None]:
# Where the Log Analyzer and Incident Detector sit in the RMF:
# the analyzer feeds MEASURE, the detector drives MANAGE.
# The text starts and ends with a newline, so the printed block is
# surrounded by blank lines.
explanation = (
    "\n"
    "MEASURE: Log Analyzer extracts structured metrics (errors, violations, severities).\n"
    "MANAGE: Incident Detector triggers alerts, triage, and corrective actions.\n"
    "Together: They close the loop from detection → action → verification.\n"
)
print(explanation)