Campus AI Framework / Pillar 4 — Risk
Download framework
Pillar 4 · Governance, Risk & Compliance

Managing AI risk across the nine domains

The risk companion to the Campus AI Framework. It applies the NIST AI Risk Management Framework and its Playbook — Govern, Map, Measure, Manage — to each of the nine governance domains for higher education, so every institutional use of AI meets governance proportional to its stakes.

9 governance domains
4 NIST RMF functions
3 risk tiers
7 trustworthy characteristics
The operating model

Two instruments, applied to the risk in every domain

The NIST AI Risk Management Framework defines the outcomes; its companion Playbook turns each one into concrete suggested actions and documentation. Together they are applied to the specific AI risks in each of the nine domains of the Campus AI Framework.

01 · The framework
NIST AI Risk Management Framework

The recognized framework for AI risk. Its four functions define the outcomes an institution must reach across the AI lifecycle — the culture, context, assessment, and treatment of risk.

Govern Map Measure Manage
NIST AI 100-1 · 7 trustworthy characteristics ↗
02 · The playbook
NIST AI RMF Playbook

The companion Playbook translates every outcome into suggested actions, transparency & documentation questions, and references — the how-to for achieving the framework's outcomes.

Suggested actions Documentation References
Open the Playbook ↗
03 · The application
The nine domains' risks

Playbook and method meet the ground truth — the specific AI risks in each domain, governed in proportion to each system's stakes through the three risk tiers.

9 domains 3 tiers
Explore the nine domains →
NIST AI RMF + NIST RMF Playbook AI risk, governed across nine domains
The method · NIST AI RMF 1.0

The nine domains say where risk lives. NIST says how to govern it.

The framework maps the full territory of institutional AI — teaching, research, decisions about people, data and systems, vendors, people, and oversight. The NIST AI RMF supplies the repeatable practice applied inside each of those domains.

Its four functions are not a linear checklist. Govern is the culture that wraps everything; Map, Measure, and Manage run continuously across the AI lifecycle.

Govern
Cultivate a culture of AI risk management — the cross-cutting foundation
Policies, accountability structures, and review cycles that inform and run through Map, Measure, and Manage across the entire lifecycle. Here Govern is owned by Domain 9 and shared by every other domain.
Map
Establish context & identify risk

Categorize the AI system, its purpose, and who it affects. In practice: risk tiering, the system inventory, and impact assessments before deployment.

Measure
Analyze, assess & monitor

Assess risk with quantitative and qualitative methods. In practice: bias audits, explainability standards, validation, audit trails and logging.

Manage
Prioritize, respond & recover

Act on risk in proportion to impact. In practice: human-review pathways, appeals and redress, incident response, and vendor remediation.

How the Playbook works
New to NIST? For every outcome in the framework, the NIST AI RMF Playbook hands you four practical things — the same structure behind each domain's worked case study.
About
A plain-language explanation of the risk each outcome addresses.
Suggested actions
Concrete steps a team can take to reach the outcome.
Transparency & documentation
Questions to answer and record as evidence of your work.
References
Standards and sources to draw on for each action.
The bar each domain is measured against · 7 characteristics of trustworthy AI
Valid & reliable Safe Secure & resilient Accountable & transparent Explainable & interpretable Privacy-enhanced Fair — with harmful bias managed
Where risk lives · the nine domains

Nine domains, each governed through the RMF

Each domain is a container of risks, and all four RMF functions — Govern, Map, Measure, Manage — apply to every one. Filter by area, then open a domain for its risks, full RMF mapping, a worked case study, tiers, and tools.

Filter {{ count }} shown
{{ g.range }} {{ g.label }}
Proportionality · NIST-aligned risk tiering & assessment

Govern each system in proportion to its stakes

Risk assessment and tiering follow the NIST AI RMF: Map categorizes each system and its context, Measure assesses its risk, and Manage treats it — with the Playbook's suggested actions supplying the concrete steps at each tier. Domain 9 owns the three-tier standard; every domain applies it.

Tier 1 · Low
Assistive

Tools that support a person who stays fully in control, with no decision authority.

RMF Govern
Acceptable-use compliance + approved tool list
Tier 2 · Moderate
Operational

Systems that inform work or decisions with meaningful human review in the loop.

RMF Govern Map Measure
Data-governance review + departmental approval
Tier 3 · High
Consequential

Systems that make or inform decisions materially affecting people's lives and rights.

RMF Map Measure Manage
Impact assessment · bias audit · human oversight · notification & appeals · evidence package · inventory
Map
+
Measure
The assessment behind the tier: a NIST-aligned algorithmic impact assessment

Before any consequential system deploys, Domain 6 requires an algorithmic impact assessment aligned to the RMF's Map and Measure functions — drawing on the Playbook's suggested actions and transparency & documentation questions to establish context, test for bias, and record the evidence that sets the system's tier.

Coordination · risks that belong to no single office

Shared risks get one explicit owner

The concerns most likely to fall between offices are assigned an owner and coordinating domains — the connective tissue that keeps nine domains coherent instead of siloed.

Shadow AI

Ungoverned AI use — including by student orgs and co-curricular programs — on institutional data or infrastructure.

D5 discovery → D7 vendor remediation → D9 escalation
Algorithmic bias

Disparate impact in consequential systems affecting admissions, aid, retention, hiring, and public communications.

D6 owns standard → applied by D3, D5, D7
Agentic AI

Autonomous systems taking actions, with human-in-the-loop requirements and agent-to-agent controls.

D9 owns standard → D5 build, D7 vendor, D3 decisions
Data security in vendor relationships

Training-data terms, data-use restrictions, and audit rights that outpace legal and security review.

D5 defines → D7 enforces in contracts → D9 monitors
Where consequential risk concentrates
High-risk systems cluster in decisions about people — govern those first

Domain 3 (decisions about people), Domain 5 (data, security & operational AI), and Domain 8 (employment) hold most consequential systems — with Domain 6 supplying the oversight that governs them all.

03 05 08 06
Implementation · adopt in phases

A minimum viable governance stack first

Phase 1 · Minimum viable stack
Stand up governance and the most urgent risk domains
09Governance, oversight & continuous review — established first
05Data, security, privacy & AI-enabled systems
01Teaching, learning & assessment
03Institutional algorithmic decision-making & student services
07Procurement, vendors & legal
Phase 2 · Full framework
Extend once infrastructure is operational
02Research & scholarship
04Student AI literacy, career readiness & workforce
06Fairness, transparency, accountability & oversight
08AI literacy & role-based competency (employees)
The Nine AI Governance Domains — Risk

Pillar 4 of the Campus AI Framework. NIST AI RMF terminology (Govern · Map · Measure · Manage) is drawn from NIST AI 100-1.

About

Concept & content by Joe Sabado. Version 1.0 · March 2026. Licensed CC BY-NC-SA 4.0.

General guidance — not legal advice. Confirm applicability with your own counsel, privacy office, and leadership; your institution's local rules govern. Developed with AI assistance.
← All domains
Domain {{ selectedDomain.num2 }} · {{ selectedDomain.catRange }}

{{ selectedDomain.title }}

{{ selectedDomain.scope }}
Key AI risks
{{ r }}
Governed through the RMF Playbook
Each function pairs the outcome to reach for this domain (the Playbook's About) with the Playbook's suggested actions.
{{ b.key }}
{{ b.text }}
Playbook · suggested actions
{{ b.actions }}
Worked case studies · the RMF Playbook applied {{ selectedDomain.caseCount }} scenarios
Each step is a Playbook suggested action for that function; the evidence line is the transparency & documentation you keep.
{{ selectedDomain.activeCase.title }}
{{ selectedDomain.activeCase.setting }}

{{ selectedDomain.activeCase.scenario }}

{{ s.fn }} {{ s.text }}
Outcome — {{ selectedDomain.activeCase.outcome }}
Evidence: {{ selectedDomain.activeCase.evidence }}
Risk-tier examples
{{ t.tier }} {{ t.example }}
Tools & artifacts
{{ t }}
Key controls & instruments
{{ c }}
{{ selectedDomain.prevLabel }} {{ selectedDomain.nextLabel }}