Artificial Intelligence (AI) is transforming industries, automating tasks, and providing insights that were once beyond human reach. But AIs growing power comes significant risks, especially in security. AI is not just another tool—it’s a transformative force that demands careful, strategic oversight. 

In a previous blog, Securing AI: A CISO’s Perspective on Trust and Resilience, we discussed how securing AI goes beyond protecting infrastructure; it’s about safeguarding trust. Without trust, the benefits of AI can quickly be overshadowed by security breaches, violations of privacy, operational failures, and regulatory consequences.

As a CISO specializing in highly regulated sectors, I understand that maintaining a balanced perspective when it comes to AI is critical to maintaining trust.  We need to recognize AI’s potential to improve business outcomes, while also being acutely aware of significant risks like data privacy concerns, novel cybersecurity threats from AI-generated code and malicious actors, and the pressure AI adoption plays within the organization. This pressure highlights the importance in advocating for a responsible, measured approach, emphasizing the need for strong governance, ethical considerations, and a strategic vision for integrating AI as a collaborative partner with human teams to build resilient and effective security programs.

So, we’ve established that to be a true force multiplier, AI must be built on a solid foundation of security and trust, but how does one practically go about this arduous task? The answer is simple we need to assess the risk and have the right partners. 

At Oracle we know that as artificial intelligence (AI) continues to evolve and permeate various sectors—from finance to healthcare to manufacturing and government—ensuring its responsible and ethical deployment becomes paramount. As a company with secure-by-design built into our DNA, Oracle is uniquely positioned to enable AI security by integrating built-in features like data encryption, privacy controls, and governance tools within its OCI Cloud Infrastructure and database secuity. Key advantages include ensuring customer data ownership and isolation, avoiding data mixing with other models, offering robust access control via IAM policies, and providing compliance monitoring tools like Cloud Guard to meet regulatory needs. Oracle’s platform also supports AI data sovereignty by giving customers control over their data location and AI workloads.

To help organizations assess AI risk the National Institute of Standards and Technology (NIST) has created the AI Risk Management Framework (AI RMF) to serve as a comprehensive guide for organizations to identify, assess, and mitigate risks associated with AI systems, which can be used to simplify the process of integrating trust into the design development, deployment and use of AI products.

In this blog, we’ll walk through the core principles of the NIST AI Risk Management Framework, offer practical steps for implementing it in your organization, and take a deeper look at Oracles security features that make us an ideal partner for AI. Whether you’re in the early stages of adopting AI or already scaling AI systems, this guide will help you navigate the complexities of AI risk management and security.

Understanding the NIST AI Risk Management Framework (AI RMF)

The NIST AI RMF provides a structured approach for addressing risks related to AI systems. It focuses on ensuring that AI technologies are used in ways that promote fairness, transparency, accountability, privacy, security, and other societal values. The framework is designed to be flexible, adaptable, and scalable, making it applicable to both small startups and large corporations.

NIST’s AI RMF is built on four key pillars:

  • Govern: Establishing leadership and organizational structures to oversee AI systems.
  • Map: Identifying, analyzing, and evaluating AI-related risks.
  • Measure: Taking steps to reduce or mitigate identified risks.
  • Manage: Ongoing evaluation of AI systems for emerging risks and ensuring compliance with regulations and ethical standards.

The goal is to build AI systems that are not only effective but also responsible and trustworthy.

Step-by-Step Implementation of the AI RMF

Now that we have a high-level understanding of the framework, let’s dive into how you can implement it in your organization.

Step 1: Establish a Strong Governance Structure

A successful AI risk management strategy begins with strong leadership and clear governance. Without a dedicated team to oversee AI development and deployment, risks can be easily overlooked or mishandled.

Action Steps:

  • Form an AI Oversight Committee: This committee should include experts in AI, data science, ethics, legal compliance, and risk management.
  • Define Roles and Responsibilities: Assign clear responsibilities for risk assessment, monitoring, and reporting.
  • Integrate with Corporate Governance: AI risk management should align with overall corporate governance and risk management frameworks.

Governance ensures that the organization has the right people in place to make decisions and enforce accountability.

Step 2: Conduct a Comprehensive Risk Assessment

AI systems pose unique challenges when it comes to risk management. The first step is to systematically assess the risks associated with your AI applications. Risks can be technical, operational, ethical, or regulatory in nature.

Action Steps:

  • Identify AI Risks: Some common risks include algorithmic bias, data privacy violations, security vulnerabilities, and lack of transparency in decision-making. Understand the specific risks based on the AI system’s use case and domain.
  • Categorize Risks: Use a risk matrix to categorize risks by their likelihood and potential impact. This helps prioritize which risks.
  • Assess Stakeholder Impact: Consider how the AI system may impact various stakeholders, including customers, employees, and the public.

Risk assessment is an ongoing process. As AI systems evolve, new risks may emerge, and existing risks may change in nature.

Step 3: Implement Risk Management Strategies

Once risks are identified and assessed, the next step is to manage them effectively. The NIST framework emphasizes that risk management strategies should be adaptive, as AI technologies often evolve rapidly.

Action Steps:

  • Design for Fairness and Transparency: Ensure that AI models are transparent and interpretable. This can be achieved by using explainable AI techniques that make it easier for stakeholders to understand how decisions are being made.
  • Mitigate Bias: Implement measures to detect and mitigate bias in your AI models. This might involve using more diverse training data, implementing fairness audits, or choosing less biased algorithms.
  • Implement Privacy and Security Measures: Encrypt sensitive data, ensure compliance with data privacy laws like GDPR, and safeguard AI models from adversarial attacks.
  • Develop Ethical Guidelines: Establish a code of ethics for AI, which could include principles such as fairness, accountability, and respect for human rights.

Effective risk management requires a combination of technological tools and organizational processes to mitigate potential harm.

Step 4: Monitor and Continuously Improve

AI systems are dynamic, and risks can evolve over time. Continuous monitoring is essential to ensure that AI systems remain compliant with ethical, regulatory, and operational standards.

Action Steps:

  • Set Up Ongoing Audits: Regularly audit AI systems to assess compliance with risk management frameworks and detect new or emerging risks.
  • Utilize Monitoring Tools: Implement tools for monitoring AI system behavior in real-time. This can include performance metrics, anomaly detection, and user feedback mechanisms.
  • Iterate and Improve: Use lessons learned from audits and monitoring to iterate on AI systems, improving transparency, fairness, and security.

An AI system that was safe and ethical today may face new risks tomorrow, especially as societal expectations and regulations evolve.

Step 5: Foster Collaboration and Knowledge Sharing

AI risk management isn’t a one-time effort—it requires collaboration across different sectors and continuous learning. Engaging with industry peers, researchers, and policymakers is essential for staying ahead of emerging risks and trends.

Action Steps:

  • Participate in AI Ethics and Standards Initiatives: Join industry groups and participate in developing AI standards and best practices.
  • Collaborate with External Auditors: Work with independent auditors or third-party organizations that specialize in AI risk management to validate your practices and improve transparency.
  • Educate Your Workforce: Train employees across different departments (data scientists, engineers, legal, etc.) on the principles of AI ethics, risk management, and compliance.

Fostering collaboration helps build a culture of responsible AI development and keeps organizations updated on the latest trends and challenges in AI risk management.

AI & Security at Oracle

As part of this assessment, you will undoubtedly assess the partners you have in space. 

Additionally, Oracle Cloud is well-regarded for AI security because of its “security-first” design, which embeds robust security controls directly into its infrastructure and AI services. Oracle’s approach helps to protect the data that AI models are trained on and the applications that use them, providing layers of protection from the hardware level up to the application layer. 

Core security architecture

Oracle Cloud Infrastructure (OCI) is built on a “zero-trust” security model, which means no user or service is trusted by default. Every access request must be verified, and permissions are granted based on the principle of least privilege. Key architectural features include:

  • Hardware-based root of trust: OCI hardware is engineered with security built-in from the ground up to prevent tampering.
  • Isolated network virtualization: This prevents malware in one customer’s instance from moving to another.
  • Customer isolation: Data and applications are deployed in dedicated environments, physically and logically isolated from other tenants. 

Security for AI and generative AI services

Oracle’s commitment to security is reflected in its generative AI services, where data privacy is a top priority. 

  • Data privacy for large language models (LLMs): When using OCI’s generative AI service, customer data remains private and is not mixed with other companies’ data or shared with model providers like Cohere or Meta. Data used for training models is encrypted and then deleted.
  • Access control for AI applications: The security controls from the underlying OCI platform are inherited by AI applications. Users of AI-powered applications, such as the Autonomous Database with Select AI, can only ask and retrieve data for which they have explicit privileges.
  • Private model endpoints: Customers can create private endpoints for their LLMs to ensure that proprietary data remains within their control. 

Data protection and privacy controls

Protecting sensitive data used for AI training and inference is a major focus for Oracle.

  • Always-on encryption: Data is automatically encrypted both at rest (while stored in databases or storage) and in transit (while moving across networks). This helps ensure that sensitive training data remains secure throughout its lifecycle.
  • Data masking and anonymization: Oracle Data Safe provides tools for data masking and encryption, and supports tokenization. This allows organizations to remove personally identifiable information (PII) from data sets, which protects privacy while still enabling secure AI model training.
  • Key management: OCI’s Key Management Service (KMS) enables customers to control the encryption keys used to secure their data, adding another layer of security and management. 
  • <Add bullet on access control with RAS and DB vault>

AI-powered security features

Oracle also uses AI and machine learning (ML) within its own security products to defend against threats.

  • Cloud Guard: OCI Cloud Guard uses ML models to analyze cloud activity for misconfigurations, security risks, and suspicious behavior in real time, helping to detect and preempt threats.
  • Intrusion detection: Oracle Web Application Firewall (WAF) uses AI-driven threat intelligence to protect against common web attacks and malicious bot traffic.
  • Identity Security Operations Center (SOC): Oracle’s Identity SOC uses ML to provide context-aware, identity-based threat detection and response, helping to quickly identify and manage threats related to user accounts.
  • Access governance: Oracle Access Governance uses AI to automate entitlement management, streamline access requests, and enforce security policies to mitigate unauthorized access. 

Compliance and governance

Oracle’s platform includes features that help organizations maintain compliance with global regulations.

  • Automated compliance monitoring: OCI provides services like Cloud Guard and Audit Service for continuously monitoring AI/ML workloads for compliance with security policies.
  • Support for global regulations: OCI capabilities are aligned with major regulatory requirements, including GDPR, CCPA, and FedRAMP.
  • AI governance and training: Oracle offers resources and encourages training to help customers educate employees on AI usage and data protection, fostering responsible AI adoption. 

Oracle practices strict adherence to over 81 security standards through third-party audits, certifications, and attestations, and can help customers demonstrate compliance readiness to internal security and compliance teams, and to their customers, auditors, and regulators. Additionally, we meet you where you are on your journey through support of third-party software solutions for protecting customer data and resources in the cloud, while enabling your security teams to maintain their single pane of glass.

Challenges in Implementing AI RMF

While the NIST AI RMF provides a solid foundation for managing AI risks, there are several challenges organizations may face during implementation:

  • Resource Constraints: Building a comprehensive risk management strategy requires significant resources, including personnel, tools, and time.
  • Complexity of AI Systems: AI models can be highly complex, making it difficult to fully understand and mitigate all potential risks.
  • Evolving Regulatory Landscape: With governments and regulatory bodies around the world scrambling to develop AI regulations, staying compliant can be a moving target.
  • Cultural Resistance: Some teams may resist adopting new governance frameworks, especially if they perceive AI risk management as an additional burden.

Despite these challenges, the long-term benefits of AI risk management far outweigh the costs. A proactive approach ensures that AI is used responsibly and in ways that align with organizational values and societal expectations.

Conclusion

Oracle offers a complete, end-to-end platform for generative AI, with advanced security, best-in-class data management, and a comprehensive portfolio of cloud applications able to address any business problem.  That’s one of the reasons Gartner identified Oracle as a leader in cloud noting that Oracle is the only Hyperscaler capable of delivering more than 150 AI and cloud services across public, dedicated, and hybrid cloud environments, anywhere in the world in the

2024 Gartner® Magic Quadrant™ for Strategic Cloud Platform Services report.

The NIST AI Risk Management Framework is an essential tool for organizations looking to responsibly develop and deploy AI systems. By following the AI RMF’s structured approach—focusing on governance, risk assessment, risk management, and continuous monitoring—organizations can create AI systems that are transparent, fair, secure, and accountable.

Incorporating the AI RMF into your organization’s processes not only mitigates potential risks but also fosters trust with stakeholders, ensures compliance with ethical standards, and enables AI technologies to deliver their full potential in a responsible manner. The future of AI is bright, but only if we are proactive in managing the risks that come with its power.

References

To learn more visit us at the following links

 

Connect with us

Call +1.800.ORACLE1 or visit oracle.com. Outside North America, find your local office at: oracle.com/contact.

        blogs.oracle.com                        facebook.com/oracle                          twitter.com/oracle

 

Copyright © 2025, Oracle and/or its affiliates. This document is provided for information purposes only, and the contents hereof are subject to change without notice. This document is not warranted to be error-free, nor subject to any other warranties or conditions, whether expressed orally or implied in law, including implied warranties and conditions of merchantability or fitness for a particular purpose. We specifically disclaim any liability with respect to this document, and no contractual obligations are formed either directly or indirectly by this document. This document may not be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without our prior written permission.

Oracle, Java, MySQL, and NetSuite are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their respective owners.