The shared vocabulary that turns scattered tests into a process an organization can stand behind
Day 46 of 60
You've spent nine weeks learning to find, measure, and reason about failures: threat models, taxonomies, red-teams, evals, robustness, alignment, interpretability. Each is a sharp tool. But a pile of sharp tools is not a process, and an organization can't deploy on a pile. Someone has to sign off, and what they sign is not "we ran some evals" — it's "we have a repeatable, documented way of managing this system's risk." That's what a framework gives you: a structure that makes your scattered work add up to a claim.
A risk framework doesn't tell you what to test — you already know that. It tells you how to organize, document, and govern the testing so the result is auditable, repeatable, and ownable. It's the difference between a talented individual and a function a company can rely on.
Part C is the governance layer. This week you learn to think in these structures so that everything you built in Parts A and B has a home — a place to be filed, owned, and defended. We start with the framework that has become the shared language of AI risk across industry and government: the NIST AI Risk Management Framework.
The NIST AI RMF organizes the whole job of risk management into four functions. They're deliberately generic — they fit any AI system — and learning to name them is the single most useful piece of governance vocabulary you can carry into an interview.
Govern: Who owns risk decisions? What policies, roles, and processes are in place? Govern is the connective tissue: it sits across the other three functions and makes them stick. A team that "does evals" but has no one accountable for acting on them has skipped Govern — and it shows the first time a result is inconvenient.
Map: What is this system, who uses it, in what setting, and what could go wrong? This is your threat model (Week 1) wearing a governance hat. Map is where you frame the problem before measuring anything.
Measure: Quantify and characterize the risks you mapped — with metrics, evals, and red-team results. This is Part A's entire toolkit (Weeks 3–5) feeding the framework. Measure is where your safety eval harness and robustness report become evidence.
Manage: Allocate resources to the risks that matter, apply mitigations, accept or transfer residual risk, and monitor over time. Manage is where the risk register you build on Day 48 lives — the decision layer that turns measurement into action.
Govern is the accountability around it all. Map is "what could go wrong here?" Measure is "how bad, how likely, by what evidence?" Manage is "so what do we do, and who owns it?" Your Part A work isn't replaced by the framework — it's slotted into it.
A framework tells you to map risks; it doesn't hand you the list. For that, the best resource in the field is the MIT AI Risk Repository — a living database of over a thousand documented AI risks, organized by two taxonomies: a causal one (who caused it, when, was it intentional) and a domain one (discrimination, misinformation, malicious use, and so on). It's the single best answer to "have I missed a whole category of risk?" — and exactly the kind of external reference a rigorous Map step should cross-check against.
When you Map a system, don't enumerate from memory and stop. Cross-check your list against a structured external taxonomy like the AI Risk Repository. The risks you forget are the ones that hurt you, and the whole point of a framework is to make forgetting harder.
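The cross-check described above can be automated as a gap audit over the mapped risk list. This is an added example, not part of the original lesson or of any NIST or MIT tooling: the `Risk` fields, the `audit` function and the sample entries are hypothetical, and the domain set is a constructed subset holding only the three domains this page names.

```python
from dataclasses import dataclass, field

# Constructed subset: only the three domain names this page mentions.
# In practice, load the full domain taxonomy from the AI Risk Repository's
# published data instead of typing it in from memory.
TAXONOMY_DOMAINS = {"discrimination", "misinformation", "malicious use"}

@dataclass
class Risk:
    """One entry produced by the Map step (all field names are hypothetical)."""
    name: str
    domain: str                                   # Map: taxonomy domain it is filed under
    evidence: list = field(default_factory=list)  # Measure: evals, red-team results
    owner: str = ""                               # Govern: who is accountable
    decision: str = ""                            # Manage: mitigate / accept / transfer

def audit(risks, domains=TAXONOMY_DOMAINS):
    """Return, per RMF function, what the mapped risk list is still missing."""
    covered = {r.domain for r in risks}
    return {
        # Whole categories nobody thought of: the "forgotten" risks.
        "map_uncovered_domains": sorted(domains - covered),
        # Domains used locally that the external taxonomy does not contain.
        "map_unknown_domains": sorted(covered - domains),
        "measure_no_evidence": sorted(r.name for r in risks if not r.evidence),
        "govern_no_owner": sorted(r.name for r in risks if not r.owner.strip()),
        "manage_no_decision": sorted(r.name for r in risks if not r.decision.strip()),
    }

# Constructed sample: a risk list enumerated from memory.
SAMPLE = [
    Risk("prompt injection exfiltrates user data", "malicious use",
         evidence=["red-team report"], owner="appsec lead", decision="mitigate"),
    Risk("biased ranking of applicants", "discrimination",
         evidence=["fairness eval"]),
    Risk("jailbreak yields harmful instructions", "malicious use"),
]

if __name__ == "__main__":
    for gap, items in audit(SAMPLE).items():
        print(f"{gap}: {items or 'none'}")
```

On the sample, the audit shows that no risk was filed under misinformation at all, and that two entries have no owner or decision, which are the Map, Govern and Manage gaps that enumerating from memory tends to leave.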
The full curated, verified resource list for this week is at the bottom of the page — start with the ones marked Start here.
An enthusiast describes their testing. An expert describes their process — and names the framework it maps to. The altitude jump is from "here's what I did" to "here's the structure my work fits into, so it's repeatable and auditable by anyone, not just me." Speaking in Govern/Map/Measure/Manage signals you think like a function, not a hobbyist.
Say this in an interview: "I don't treat evals as one-off projects — I map them into a recognized framework like the NIST AI RMF. My threat model is Map, my eval and robustness work is Measure, my risk register is Manage, and Govern is the accountability that ties it together. That's what makes the work auditable instead of just impressive."