🤖 NIST AI-RMF MAP-2.1 | Rule: AIRMF-MAP-002 | Severity: medium

AI system intended purpose and benefits are categorised

Description

Each AI system is categorised by intended purpose, the population affected, and the benefits sought.

⚠️ Risk Impact

Without categorisation, downstream risk treatment is uniform: safety controls are over-invested in low-stakes systems and under-invested in high-stakes ones, and both outcomes are failures.

🔍 How EchelonGraph Detects This

AIRMF-MAP-002 (automated scanner rule)

EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as medium-severity findings with remediation guidance.

🔧 Remediation

Adopt a categorisation taxonomy (e.g. EU AI Act Annex III for high-risk, plus your own internal tiers for limited and minimal). Tag every model with its category at registration time; gate review intensity on the tag.

💀 Real-World Attack Scenario

A bank classified its loan-approval model as 'internal decision support' — a low-tier category. When the CFPB audited consumer complaints, they discovered the model was the de facto decision-maker for 89% of approved loans. The bank faced a CFPB consent order requiring 6 months of remediation including external bias audit ($240K) and a public consumer notification campaign ($1.1M).

💰 Cost of Non-Compliance

CFPB consent orders involving AI: average $1.5M (CFPB enforcement actions 2023-2026). Under the EU AI Act, mis-categorisation is treated as 'placing on the market in non-compliance', with fines of up to €15M or 3% of revenue.

📋 Audit Questions

  1. Show me the AI system categorisation document.
  2. Walk me through how a new system gets categorised — who approves?
  3. Has any system been re-categorised in the last 12 months? Why?
  4. What review intensity differs between your top and bottom categories?

⚡ Common Pitfalls

  • Misclassifying decision-support systems as 'recommendation-only' when the human override rate is below 20%
  • Using categories that don't map to any external framework (your taxonomy alone won't satisfy auditors)
  • Forgetting to re-categorise when a downstream consumer changes the system's effective role
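The remediation above (tag each model with its tier at registration and gate review intensity on the tag) and the first and third pitfalls, as an added example that is not EchelonGraph's own code. The tier names, review gates, Annex III area list and the 20% override floor are assumptions modelled on this page's guidance, not a complete reading of either framework.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Assumed subset of EU AI Act Annex III high-risk areas (illustrative, not exhaustive).
ANNEX_III_AREAS = {"creditworthiness", "employment", "education", "biometrics",
                   "essential_services", "law_enforcement"}
EXTERNAL_POPULATIONS = {"consumers", "applicants", "patients", "public"}  # assumed
OVERRIDE_FLOOR = 0.20  # below this, a 'support' system is de facto the decision-maker

# Assumed internal tiers and the review gates each tier triggers.
REVIEW_INTENSITY = {
    "high":    ["external bias audit", "human-oversight design review", "quarterly re-review"],
    "limited": ["internal bias check", "annual re-review"],
    "minimal": ["annual re-review"],
}

@dataclass(frozen=True)
class ModelRegistration:
    name: str
    intended_purpose: str
    affected_population: str            # e.g. "consumers" or "internal staff"
    benefit_sought: str
    annex_iii_area: Optional[str]       # matching Annex III area, if any
    declared_role: str                  # "decision-maker" | "decision-support" | "recommendation-only"
    human_override_rate: Optional[float] = None   # share of outputs a human actually overrode

def effective_role(reg: ModelRegistration) -> str:
    """A declared support/recommendation system that humans rarely override is the decision-maker."""
    if (reg.declared_role != "decision-maker"
            and reg.human_override_rate is not None
            and reg.human_override_rate < OVERRIDE_FLOOR):
        return "decision-maker"
    return reg.declared_role

def categorise(reg: ModelRegistration) -> Tuple[str, List[str]]:
    """Return (tier, review gates) from purpose area, population affected and effective role."""
    role = effective_role(reg)
    external = reg.affected_population in EXTERNAL_POPULATIONS
    if reg.annex_iii_area in ANNEX_III_AREAS or (external and role == "decision-maker"):
        tier = "high"
    elif external:
        tier = "limited"
    else:
        tier = "minimal"
    return tier, REVIEW_INTENSITY[tier]

def needs_recategorisation(reg: ModelRegistration, observed_override_rate: float) -> bool:
    """Re-check the tier when production telemetry shows a different override rate than registered."""
    current_tier, _ = categorise(reg)
    new_tier, _ = categorise(replace(reg, human_override_rate=observed_override_rate))
    return new_tier != current_tier
```

Running `needs_recategorisation` on a schedule against observed override rates catches the third pitfall, where a downstream consumer quietly turns a recommendation system into the decision-maker.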

📈 Business Value

Risk-stratified categorisation cuts compliance overhead by 40% on low-tier systems while concentrating engineering effort where harm potential is real.

⏱️ Effort Estimate

Manual

1-2 hours per system at registration; annual re-review

With EchelonGraph

EchelonGraph proposes categories based on data sensitivity + use-case patterns; admin approves or overrides

🔗 Cross-Framework References

  • EU_AI_ACT-ART9-RM
  • ISO42001-6.2

Automate NIST AI-RMF MAP-2.1 compliance

EchelonGraph continuously monitors this control across all your cloud accounts.