Tag: nist ai risk management framework

  • Deemed Export Rule and AI Research Compliance

    The deemed export rule treats the release of export-controlled technology or source code to a foreign national inside the United States as if it were an export to that person’s home country, even though nothing crosses a physical border. For AI research groups, this means that giving a foreign-national graduate student or postdoc access to certain model weights, training code, or restricted technical data can itself require a federal export licence.

    A deemed export is any release of “technology” or “technical data” — controlled under the Export Administration Regulations (EAR) or the International Traffic in Arms Regulations (ITAR) — to a foreign person physically present in the United States. The doctrine is old; its application to frontier AI systems is new, and it now collides with university research practice.

    What is the deemed export rule?

    Under 15 CFR 734.13(b) of the EAR, releasing controlled technology or source code to a foreign person in the United States is “deemed” to be an export to that person’s country of nationality. The Bureau of Industry and Security (BIS), the Commerce Department agency administering the EAR, names universities and high-technology research institutions as typical deemed-export-licence users, alongside biochemical, medical and computer-sector organisations.

    A “release” can occur through conversation, email, or lab access that lets a foreign national read or modify controlled source code — no shipment is required. Permanent residents, US citizens, and “protected individuals” under US immigration law are exempt; most international graduate students and postdocs on visas are not.

    How the fundamental research exclusion applies to AI research

    Most university AI research avoids deemed export licensing through the fundamental research exclusion at 15 CFR 734.8. Fundamental research is basic or applied research in science and engineering where the resulting information is ordinarily published and shared broadly, with no restrictions on foreign-national participation and no government-imposed access controls.

    The exclusion is conditional, not automatic. It fails where:

    • Results are restricted for proprietary or commercial reasons, such as a sponsorship agreement with a publication-delay clause.
    • The funding agreement imposes access or dissemination controls, which some defence-adjacent AI grants do.
    • The activity involves direct transfer of a controlled item — hardware, software, or source code — rather than an exchange of research information.

    Information already publicly available, including open-access papers and public code repositories, is separately exempt from EAR licensing.

    When AI models, weights and training infrastructure trigger a deemed export

    Using a publicly available AI chatbot or API is not, by itself, a release of controlled technology. Risk rises when a foreign national gains access to model architecture details, training methodologies, or model weights covered by an Export Control Classification Number (ECCN) on the Commerce Control List, or to advanced computing hardware BIS has specifically controlled.

    BIS tightened advanced-computing controls in its October 2022 Interim Final Rule, amended October 2023, then went further in January 2025 with a Framework for Artificial Intelligence Diffusion rule that, for the first time, extended export-control treatment to certain closed-weight AI model parameters, not only training hardware. Disclosing weights, architecture specifications, or training-cluster configuration for a covered model to a foreign-national researcher can itself be a release event.

    Much of this tightening is explicitly framed around china ai regulation concerns — restricting frontier compute and model know-how flowing to entities on the BIS Entity List. Nationality alone does not create liability; nationality plus access to a controlled item, combined with funding or sponsor restrictions, does.

    US deemed export rules vs the EU AI Act research exemption

    Institutions with EU partnerships increasingly ask how the US doctrine compares with the European approach. The EU AI Act — Regulation (EU) 2024/1689 — takes a structurally different route: rather than controlling technology transfer by nationality, it excludes AI systems and models developed and used exclusively for scientific research from most of the Act’s obligations, under Article 2(6) and Article 2(8).

    Aspect US deemed export rule EU AI Act research exemption
    Governing instrument EAR, 15 CFR 734.13(b) and 734.8 Regulation (EU) 2024/1689, Art. 2(6) & 2(8)
    What triggers the rule Release of controlled technology to a foreign person Placing an AI system on the market or into service
    Exclusion basis Fundamental research intended for open publication Research and development activity, prior to market placement
    Administering body Bureau of Industry and Security (Commerce Dept.) National market surveillance authorities / EU AI Office
    Nationality relevant? Yes — central to the rule No — exemption is activity-based, not person-based

    The distinction matters for compliance design: a US export control office manages deemed exports as a personnel and access-control question, while an EU research-exemption assessment is a product-lifecycle question. A model built for fundamental research at a US university may fall outside the AI Act exemption once deployed commercially — the two frameworks do not map onto each other cleanly.

    Compliance steps for universities with foreign national researchers

    Export control officers, research administrators, and AI lab principal investigators need a shared workflow before granting foreign nationals lab or system access:

    1. Screen every incoming foreign national against the BIS Entity List and the Treasury Denied Persons List before granting technical access.
    2. Classify the technology, dataset, or model against the Commerce Control List to determine whether an ECCN applies.
    3. Document the fundamental research exclusion in writing at project inception — funding terms, publication plans, and sponsor restrictions.
    4. Restrict access to controlled weights or training infrastructure until the export control office confirms licence status.
    5. Certify deemed export status accurately on Form I-129 for H-1B, H-1B1, L-1, and O-1A hires, as USCIS requires.
    6. Use the NIST AI Risk Management Framework to document AI system risk tiers internally — a defensible record, though not itself an export-control exemption.

    Treat this as distinct from state ai laws, such as Colorado’s and California’s AI transparency statutes, which govern AI deployment to end users, not technology transfer to foreign persons — a university can comply with one and still be exposed under the other. Guidance from the Center for AI Standards and Innovation (CAISI), the Commerce Department body that succeeded the original AI Security Institute at NIST, can inform risk-evaluation methodology, though it is not itself an export-control determination. See CASRAI’s research administration resources for broader governance context.

    Frequently asked questions

    What are the criteria for a deemed export?

    A deemed export occurs when controlled technology or source code is released to a foreign person inside the United States. The criteria: the item sits on the Commerce Control List or US Munitions List, the recipient is not a citizen, permanent resident, or protected individual, and no exclusion applies.

    How can a university determine whether an activity is a deemed export?

    A university’s export control office classifies the technology against its ECCN or USML category, checks whether the fundamental research exclusion applies, and confirms the researcher’s immigration status. If the technology is controlled, the researcher is a foreign person, and no exclusion fits, a licence is required before access.

    Who is exempt from the deemed export rule?

    US citizens, lawful permanent residents, and individuals granted protected individual status under US immigration law are exempt from deemed export licensing regardless of the technology involved. Most international students and postdocs on visas do not qualify for this exemption and depend instead on the fundamental research exclusion.

    Does using a publicly available AI model trigger a deemed export?

    No. Interacting with a publicly available AI model — a public API, chatbot, or open-weight release with no access restrictions — is not a controlled release under the EAR. Risk arises only when a foreign national gains access to restricted model weights, proprietary architecture details, or controlled training infrastructure not available to the public.

    Implications and outlook

    Export control offices built their playbooks around physical items and classified research; AI weights and training infrastructure do not fit that playbook cleanly. As BIS extends ECCN coverage into software and model parameters, universities running foreign-national-staffed AI labs face rising documentation burden even where no licence is ultimately required.

    Expect continued divergence between the deemed export regime, EU AI Act research-exemption practice, and state ai laws — three separate compliance tracks addressing different questions. Research administrators who map these tracks now, rather than after an incident, will be better placed as controls continue to tighten.

  • NIST AI Risk Management Framework for Research Offices

    The NIST AI Risk Management Framework (AI RMF) is a voluntary, four-function framework — Govern, Map, Measure, Manage — published by NIST in January 2023 to structure AI risk identification and mitigation across the system lifecycle, and it is increasingly the reference model research offices use to build AI-use policies for grant compliance and research computing.

    In one sentence: the NIST AI RMF is a voluntary, technology-neutral process framework — not a certification standard — that organises AI risk management into four continuous functions applied across governance, context-mapping, measurement and mitigation.

    What is the NIST AI Risk Management Framework?

    The NIST AI RMF (formally NIST AI 100-1) was directed by Congress under the National Artificial Intelligence Initiative Act of 2020 (P.L. 116-283) and published by the National Institute of Standards and Technology on 26 January 2023. It gives organisations a structured, repeatable way to identify, assess and manage AI-related risk without prescribing specific tools or vendors.

    Unlike a certification scheme, the AI RMF is deliberately flexible. Organisations apply it through “profiles” — documented mappings of the Core functions to a specific system, unit or risk context — supported by companion NIST materials including the AI RMF Playbook, Roadmap and sector Crosswalks. For a university research office, that flexibility matters: the same four functions can govern an AI-assisted grant-writing tool, a research-computing cluster running a locally hosted model, and a vendor’s generative-AI research assistant, each with a different risk profile.

    What are the four core functions — Govern, Map, Measure, Manage?

    The AI RMF Core is organised into four functions that operate continuously rather than sequentially: Govern establishes accountability and policy; Map identifies context and potential harms; Measure tests and monitors systems against trustworthy-AI characteristics; and Manage prioritises and resources mitigation. Each function contains categories and subcategories that a research office adapts rather than adopts wholesale.

    Function Purpose Typical research-office artefact
    Govern Sets accountability, policy and approval authority for AI use Institutional AI-use policy; PI attestation clause in proposal sign-off
    Map Documents context, stakeholders and where AI touches sponsored work Inventory of AI tools used in grant writing, review, and data analysis
    Measure Tests systems for validity, bias, security and privacy Vendor security questionnaire; bias check on AI-assisted scoring tools
    Manage Prioritises, mitigates and documents residual risk Incident log for AI-related data exposure; annual policy review

    The Core does not mandate a fixed maturity level. Organisations document which subcategories they have deferred, and why, alongside compensating controls — a discipline that maps onto existing research-compliance practices such as data management plans.

    What does NIST AI 600-1 add for generative AI?

    NIST AI 600-1, the Generative Artificial Intelligence Profile, was published in July 2024 as a companion to the AI RMF specifically for generative and foundation models. It does not replace the four-function Core; it applies Govern, Map, Measure and Manage to risks that are distinctive to generative systems.

    The profile documents risk across twelve categories, including confabulation (hallucinated outputs presented as fact), data privacy, harmful bias and homogenisation, information integrity, information security, intellectual property, and value-chain and component integration risk from third-party foundation models. For a research office, several of these map directly onto everyday research-computing and grant-compliance exposure:

    • Confabulation in AI-assisted literature review or preliminary-data summaries submitted in a proposal narrative
    • Data privacy exposure when researchers paste sponsor-restricted or human-subjects data into a public generative-AI tool
    • Intellectual property risk when proprietary or pre-publication research content is used as a prompt input to a third-party model that retains data for training
    • Information security gaps in export-controlled or ITAR-restricted research computing environments running locally hosted generative models

    How should research offices map RMF functions to grant compliance and research computing?

    Applying the AI RMF in a research office starts with an honest inventory, not a policy document. Most institutions already run parallel compliance regimes — IRB, export control, data use agreements, conflict of interest — and the AI RMF’s four functions slot into that existing governance architecture rather than requiring a new one.

    RMF function Research-office action Compliance touchpoint
    Govern Define who approves AI use in proposal preparation, peer review, and award administration Grant-compliance office; research integrity policy
    Map Inventory AI tools touching sponsor data, human-subjects data, or export-controlled research IRB, data use agreements, export-control review
    Measure Evaluate vendor AI tools for data retention, training-data use, and bias before procurement Procurement security review; research-computing vendor assessment
    Manage Maintain an incident-response path for AI-related data exposure or integrity failures Research integrity office; sponsor notification obligations

    Funders are beginning to require disclosure of AI use in proposal preparation and review; UKRI and the US National Institutes of Health have each issued guidance addressing generative-AI use in grant applications and peer review. A documented AI RMF-aligned policy gives a research office a defensible, auditable answer when a sponsor, an IRB, or an internal audit asks how AI risk is managed.

    How does the NIST AI RMF compare to ISO 42001 and the EU AI Act?

    The NIST AI RMF, ISO/IEC 42001, and the EU AI Act address the same problem — AI risk — through three different mechanisms, and international research offices often need to satisfy more than one at once.

    • NIST AI RMF: voluntary US guidance, published January 2023, no certification mechanism, technology-neutral
    • ISO/IEC 42001:2023: an internationally certifiable AI management system standard, published December 2023, auditable by an accredited body
    • EU AI Act (Regulation (EU) 2024/1689): binding law, entered into force August 2024, with risk-tiered obligations phasing in through August 2027 for high-risk systems

    Institutions with Horizon Europe funding, EU partners, or EU-based subsidiaries generally need to track the EU AI Act’s binding obligations separately from a voluntary AI RMF programme; the AI RMF’s four functions nonetheless provide a practical operational baseline that can be extended toward either ISO 42001 certification or EU AI Act compliance evidence without rebuilding the governance structure from scratch.

    Answer-first questions on the NIST AI RMF

    What are the seven steps of the NIST Risk Management Framework?

    The seven steps — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — belong to NIST Special Publication 800-37, the general-purpose cybersecurity Risk Management Framework, not the AI RMF. The NIST AI Risk Management Framework uses a separate four-function structure (Govern, Map, Measure, Manage) with no authorisation-cycle requirement. Research offices should not conflate the two documents.

    What is the difference between ISO 42001 and the NIST AI RMF?

    ISO/IEC 42001:2023 is a certifiable AI management system standard that an accredited body can audit, published December 2023. The NIST AI RMF is voluntary US guidance with no certification mechanism. Many research offices use the AI RMF’s four functions to build the internal controls that ISO 42001 certification later formalises against an external auditor.

    What are the four types of AI risk?

    NIST’s AI RMF and its Generative AI Profile group AI risk broadly into performance risk (validity, reliability), societal risk (harmful bias, fairness), security risk (adversarial manipulation, data leakage), and third-party or value-chain risk from vendor models and training data. Research offices typically encounter all four simultaneously when adopting AI-assisted research tools.

    What are 5 risks of AI?

    For research administration specifically, the highest-priority risks are data privacy breaches in sponsor-data pipelines, confabulation in AI-assisted literature synthesis, intellectual property exposure through third-party model training on prompts, harmful bias in automated review or scoring tools, and information security gaps in procured generative-AI platforms.

    Implications for research administration

    The AI RMF’s voluntary status will not last as a governance shortcut. Grant-making agencies and international funders are moving toward AI-use disclosure requirements in proposal and reporting workflows, and institutions without a documented, RMF-aligned policy will increasingly answer ad hoc rather than from a defensible framework.

    Research offices already manage layered compliance regimes across research administration functions — export control, human-subjects protection, conflict of interest — and the AI RMF’s four functions sit inside that structure rather than replacing it. Starting with Govern (assign accountability) and Map (inventory AI touchpoints in sponsored work) gives most offices a defensible position within one administrative cycle, ahead of any future mandatory requirement.