Risk
Lack of Clarity on AI System Purpose and Criticality
Description
AI assets are identified, but their specific business purpose, intended use, and overall criticality to the organization are not clearly understood or documented.
Example
A discovered AI model is cataloged, but its function (e.g., critical decision support vs. minor automation) isn't known, leading to misprioritized security efforts.
Assets Affected
- AI App
- Model files
- AI platform
Mitigation
- For each discovered AI asset, document its intended purpose, users, and business impact.
- This documentation informs risk assessment and impact assessment.
Standards Mapping
- ISO 42001: A.6.2.2, A.4.2, A.5.2
- NIST AI RMF: MAP 1.1, MAP 1.4