GRN 1.1 - AI Legal and Regulatory Requirements

NIST AI RMF (in the playbook companion) states:

GOVERN 1.1

Legal and regulatory requirements involving AI are understood, managed, and documented.

About

Numerous legal and regulatory considerations and requirements are applicable to AI systems. Some legal requirements mandate documentation and increased AI system transparency. These requirements are complex and may not be applicable across contexts.

For example, AI system testing processes for bias measurement, such as disparate treatment, are not applied uniformly within the legal context. Disparate treatment is broadly defined as a decision that treats an individual less favorably than similarly situated individuals because of a protected characteristic such as race, sex, or other trait. Modeling algorithms or debiasing techniques that rely on demographic information, may pose higher risks in regulated environments such as employment, credit, or housing, where disparate treatment is typically avoided.

Additionally, some intended users of AI systems may not have consistent or reliable access to fundamental internet technologies (a phenomenon widely described as the “digital divide”) or may experience difficulties interacting with AI systems due to disabilities or impairments. Such factors may mean different communities experience bias or other negative impacts when trying to access AI systems. These difficulties often cannot be mitigated by mathematical or software-based approaches. Failure to address such design issues may pose legal risks, for example in employment related activities affecting persons with disabilities.

Actions

• Maintain awareness of the legal and regulatory considerations and requirements specific to industry, sector, and business purpose, as well as the application context of the deployed AI system.

• Align risk management efforts with applicable legal standards.

• Maintain policies for training organizational staff about necessary legal or regulatory considerations that may impact AI-related design, development and deployment activities.

Transparency and Documentation

Organizations can document the following:

• To what extent has the entity defined and documented the regulatory environment—including minimum requirements in laws and regulations?

• When auditing an AI system, has existing legislation or regulatory guidance been reviewed and documented?

• Has the system been reviewed to ensure the AI system complies with relevant laws, regulations, standards, and guidance?