AI risks responded to (mitigate / transfer / accept / avoid)
Description
Every documented AI risk has a documented response decision (mitigate / transfer / accept / avoid) with rationale.
⚠️ Risk Impact
Risks without a decision get the worst of both worlds — they pollute the register without producing action. Worse, they imply the org saw the risk and chose to ignore it.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
For every open risk: assign one of {mitigate, transfer, accept, avoid}, with a written rationale and a named decision-maker. 'Accept' decisions above a defined threshold require board or steering-committee sign-off.
💀 Real-World Attack Scenario
A telco's AI fraud-detection model carried a known fairness risk against non-native-English-speaking customers. The risk was logged but never decided — it sat in 'pending response' for 14 months. When a class-action surfaced the disparity, the company's defence ('we identified the risk and were working on it') collapsed because no decision had ever been recorded.
💰 Cost of Non-Compliance
Where a documented risk was left undecided, ~80% of litigated cases resulted in adverse jury findings (US class-action defence data, 2020-2024).
📋 Audit Questions
1. Show me a risk where the response is 'accept' — who accepted it?
2. What is the threshold for 'accept' to require board approval?
3. Show me a risk that moved from 'mitigate' to 'avoid' — what changed?
4. How long does a risk typically sit without a response decision?
⚡ Common Pitfalls
- ⛔ Defaulting to 'mitigate' for every risk because it sounds best, without a budget or owner to actually mitigate
- ⛔ Letting the same person who creates the risk also decide the response (conflict of interest)
- ⛔ Not refreshing decisions when the system or business context changes
📈 Business Value
Documented decisions transform risk acceptance into defensible business judgment in regulatory probes and litigation.
⏱️ Effort Estimate
30-60 minutes per risk decision; quarterly review
EchelonGraph routes each risk to the appropriate decision-maker based on severity and rule, and tracks the decision rationale.
🔗 Cross-Framework References
Automate NIST AI-RMF MANAGE-1.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.