Map
NIST AI RMF 1.0 · MAP function
Establish AI context: intended purpose, use cases, capabilities, and risks.
What this function means
MAP is about understanding what the AI system actually does, who it affects, what it depends on, and what failure modes exist. This is largely a transparency function — vendors who publish model cards, intended-use scopes, and dependency disclosures make MAP tractable for buyers.
How TrustAtlas dimensions support it
Transparency captures published model documentation and intended-use scope; dependency chain maps the upstream model topology; data handling covers the data-flow surface; IP exposure covers the legal-rights boundary on intended use.
See methodology for how each dimension is scored across the catalog.
Example NIST categories under Map
- MAP 1: Context including intended purpose is established
- MAP 3: AI capabilities, targeted usage, and limitations are documented
- MAP 5: Impacts to people and organisations are characterised
Drawn from NIST AI RMF 1.0; the catalog evidence below maps onto these categories at the vendor-evaluation layer.
Questions to ask vendors
Use these as part of your procurement diligence or as a structured profile-review aid alongside the vendor's TrustAtlas page.
- Do you publish a model card for each production model that documents intended use, known limitations, and out-of-scope use?
- Can you produce a complete upstream dependency map (foundation models, training datasets, third-party plug-ins) on request?
- What data-flow diagram or DPIA can you share that maps customer data through your system, including any sub-processors?
- How is "intended use" scoped contractually so customers know when they have moved outside it?