MANAGE-3 — Manage 3: Third-Party Resource Management
16 requirements in the Manage 3: Third-Party Resource Management function
MANAGE 3.1AI risks and benefits from third-party resources are regularly monitored, and risk controls are
MG-3.1-001Apply organizational risk tolerances and controls (e.g., acquisition and procurement processes
MG-3.1-002Test GAI system value chain risks (e.g., data poisoning, malware, other software and hardware
MG-3.1-003Re-assess model risks after fine-tuning or retrieval-augmented generation implementation and for
MG-3.1-004Take reasonable measures to review training data for CBRN information, and intellectual property
MG-3.1-005Review various transparency artifacts (e.g., system cards and model cards) forthird-party models
MANAGE 3.2Pre-trained models which are used for development are monitored as part of AI system regular
MG-3.2-001Apply explainable AI (XAI) techniques (e.g., analysis of embeddings, model
MG-3.2-002Document how pre-trained models have been adapted (e.g., fine-tuned, or retrieval-augmented
MG-3.2-003Document sources and types of training data and their origins, potential biases present in the
MG-3.2-004Evaluate user reported problematic content and integrate feedback into system updates
MG-3.2-005Implement content filters to prevent the generation of inappropriate, harmful, false, illegal, or
MG-3.2-006Implement real-time monitoring processes for analyzing generated content performance and
MG-3.2-007Leverage feedback and recommendations from organizational boards or committees related to the
MG-3.2-008Use human moderation systems where appropriate to review generated content in accordance with
MG-3.2-009Use organizational risk tolerance to evaluate acceptable risks and performance metrics and