Frameworks

From AI Risk Principles to Production Reality

Tags: NIST, AI RMF, FS AI RMF, MITRE ATLAS, OWASP, CSA MAESTRO, Agentic AI, GenAI, Risk Management, Financial Services

Executive Summary

AI is rapidly being embedded in enterprise workflows — from customer service to decision support and automation. As adoption grows, so does the need for practical, defensible AI risk management.

Many organizations face a consistent gap:

  • Governance is too abstract
  • Controls become checklists
  • Engineering lacks risk alignment

This guide bridges that gap using a four-layer model aligned to publicly available frameworks:

  • National Institute of Standards and Technology AI Risk Management Framework (AI RMF)
  • Cyber Risk Institute FS AI RMF
  • MITRE ATLAS & OWASP Top 10 for LLMs (v2025)
  • Cloud Security Alliance MAESTRO

Note: Other frameworks — such as ISO/IEC 42001 and the EU AI Act — also address AI governance and risk. The frameworks selected here are chosen for their direct relevance to operationalizing AI risk management in US financial services.

What Each Layer Does

NIST AI RMF (Risk) defines how to identify and manage AI risk across four core functions: Govern, Map, Measure, and Manage.

FS AI RMF (Controls) translates those risk categories into control objectives, evidence expectations, and regulatory alignment tailored for financial institutions.

MITRE ATLAS & OWASP Top 10 for LLMs v2025 (Threats) define real-world attack and failure scenarios — including prompt injection, data leakage, and model manipulation.

CSA MAESTRO (Execution) provides a security lifecycle specifically designed for multi-agent AI systems, implementing and validating controls through guardrails, monitoring, and adversarial testing.

The Complete Model

AI risk management requires alignment across five components:

  1. Risk (NIST AI RMF) — Defines risk taxonomy and lifecycle
  2. Control (FS AI RMF) — Defines control objectives and evidence expectations
  3. Threat (MITRE ATLAS / OWASP Top 10 for LLMs) — Defines adversarial behavior and failure scenarios
  4. Implementation & Validation (CSA MAESTRO) — Implements safeguards and tests resilience
  5. Evidence — Logs, metrics, and monitoring outputs

Proposed Traceability Model:

Risk → Control → Threat → Implementation → Evidence

This is a proposed alignment model — not an established industry standard. It represents a practical way to connect these frameworks into a single operational chain. If this chain is incomplete, AI risk management is unlikely to be operationally effective.

Threat Modeling in AI — What's Different

AI systems require both traditional and AI-specific threat modeling. Understanding where each approach applies is critical to building a complete threat picture.

  • MITRE ATLAS covers AI/ML attack techniques such as data poisoning and model evasion
  • OWASP Top 10 for LLMs (v2025) covers GenAI application risks such as prompt injection

These are complemented by traditional approaches:

  • STRIDE addresses system-level threats including identity, data, and access
  • PASTA provides a risk-driven threat modeling methodology

Industry direction: Leading practitioners are combining system-level threats with AI-specific threats, applying risk-driven modeling (the PASTA mindset), and validating continuously using frameworks like MAESTRO.

GenAI Implementation Patterns

Pattern A: Retrieval-Augmented Generation (RAG)

RAG systems power knowledge assistants and enterprise search. Their primary risks include hallucination and data leakage, with prompt injection and data poisoning as key threat vectors. Controls should focus on grounding, access control, and output validation.

Pattern B: Content Generation Pipelines

Content pipelines generate documents, code, and marketing materials. Risks center on inaccuracy, bias, and intellectual property concerns. Prompt manipulation and data exposure are the primary threats. Human review, output validation, and versioning are essential controls.

Pattern C: AI-Assisted Decision Support

Decision support systems provide analytics and risk insights. The core risk is over-reliance on AI outputs, compounded by threats from manipulated inputs and misleading outputs. Explainability, confidence indicators, and human override are the critical controls.

Agentic AI Patterns

Agentic AI introduces a fundamentally different risk profile — these systems take actions, not just generate text. Each pattern below escalates in autonomy and risk.

Pattern D: Single-Agent Execution

A single agent performs tasks autonomously. The primary risk is incorrect actions. Controls include clearly defined task boundaries and approval gates.

Pattern E: Tool-Using Agents

Agents that invoke external tools and APIs introduce the risk of unauthorized actions and API abuse. Access control and comprehensive logging are essential.

Pattern F: Multi-Agent Systems

Multiple agents collaborating can produce emergent behavior that no single agent was designed to exhibit. Orchestration rules, real-time monitoring, and kill switches are necessary controls.

Pattern G: Human-in-the-Loop

Even with human oversight, automation bias — the tendency to accept AI recommendations uncritically — remains a risk. Explicit approval workflows and audit trails are the key controls.
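The controls named across Patterns D through G (task boundaries, per-agent access control, approval gates, a kill switch, and an audit trail) can be enforced at one choke point: the place where an agent's proposed tool call is turned into an actual invocation. The following is an added example, not code from the original post or from any of the referenced frameworks; the agent names, tool names, and the reviewer rule are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Optional

@dataclass
class ToolPolicy:
    """Per-agent tool allowlist (access control), approval-gated tools, kill switch, audit trail."""
    allowed: dict[str, set[str]]          # agent -> tools it may call (task boundary)
    needs_approval: set[str]              # tools that always require a human decision
    halted: bool = False                  # kill switch for the whole multi-agent system
    audit: list[dict] = field(default_factory=list)  # append-only evidence of every decision

def gate_tool_call(policy: ToolPolicy, agent: str, tool: str, args: dict,
                   approver: Optional[Callable[[str, str, dict], bool]] = None) -> str:
    """Return 'allow', 'hold' or 'deny' for a proposed tool call.
    Every decision, including denials, is appended to the audit trail."""
    if policy.halted:
        decision, reason = "deny", "kill switch engaged"
    elif tool not in policy.allowed.get(agent, set()):
        decision, reason = "deny", "tool outside agent task boundary"
    elif tool in policy.needs_approval:
        if approver is None:
            decision, reason = "hold", "awaiting human approval"   # explicit approval workflow
        else:
            ok = approver(agent, tool, args)
            decision, reason = ("allow", "approved by human") if ok else ("deny", "rejected by human")
    else:
        decision, reason = "allow", "within task boundary"
    policy.audit.append({"agent": agent, "tool": tool, "args": args,
                         "decision": decision, "reason": reason})
    return decision

def engage_kill_switch(policy: ToolPolicy, reason: str) -> None:
    """Halt all agents (the Pattern F control); the halt itself is audited as evidence."""
    policy.halted = True
    policy.audit.append({"agent": "*", "tool": "*", "args": {}, "decision": "halt", "reason": reason})

def demo() -> list[dict]:
    # Constructed sample policy: a research agent may only search; a payments agent may
    # read balances freely but must get human approval before initiating a transfer.
    policy = ToolPolicy(
        allowed={"research": {"web_search"}, "payments": {"get_balance", "transfer_funds"}},
        needs_approval={"transfer_funds"},
    )
    human_reviewer = lambda agent, tool, args: args.get("amount", 0) <= 1000  # constructed rule
    gate_tool_call(policy, "research", "web_search", {"q": "rate limits"})            # allow
    gate_tool_call(policy, "research", "transfer_funds", {"amount": 50})              # deny: boundary
    gate_tool_call(policy, "payments", "transfer_funds", {"amount": 50})              # hold: no approver
    gate_tool_call(policy, "payments", "transfer_funds", {"amount": 5000}, human_reviewer)  # deny
    engage_kill_switch(policy, "emergent loop detected by monitoring")
    gate_tool_call(policy, "payments", "get_balance", {})                             # deny: halted
    return policy.audit
```

The audit list returned by demo() is the evidence layer from the traceability model: each entry ties an agent, a tool, and a decision to the control that produced it.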

Deployment Models

AI systems typically fall into two deployment categories, each with a distinct risk surface.

                 No GUI (Backend Systems)            GUI (User-Facing)
  Description    APIs, workflows, agents             Chat interfaces, assistants
  Risk Surface   System-level                        Human + System
  Primary Risks  Execution errors, data integrity    Misuse, over-reliance, prompt manipulation
  Controls       Validation pipelines, monitoring    Backend + UX controls, disclaimers, escalation
  Evidence       Logs, metrics                       Logs + user behavior

Key Insight: GUI-based systems introduce human behavior as a primary risk factor. Controls must account for how users interact with the system, not just how the system performs.

What Good Looks Like

Measurable:

  • Risks classified using NIST AI RMF
  • Controls defined per FS AI RMF
  • Threats mapped via MITRE ATLAS and OWASP
  • Safeguards implemented and tested
  • Continuous monitoring in place

Practical:

  • Systems are safe by design
  • Controls are testable
  • Risk is traceable end-to-end

Final Takeaway

AI risk management requires alignment across four layers:

  • NIST AI RMF → defines risk
  • FS AI RMF → defines controls
  • MITRE ATLAS & OWASP → define threats
  • CSA MAESTRO → enforces and tests controls

This alignment turns AI governance into operational reality.


This analysis references publicly available frameworks: NIST AI RMF 1.0, CRI FS AI RMF, MITRE ATLAS, OWASP Top 10 for LLMs, and CSA MAESTRO. No vendor endorsement is implied.
