The Map Function is the second core component of the NIST AI Risk Management Framework (AI RMF), dedicated to the contextual discovery and scoping of AI-related risks by thoroughly examining the specific system, its intended use, and the environment in which it operates.

This function moves from high-level policy (Govern) to concrete analysis. It involves a structured inquiry to understand "what could go wrong" with a specific AI system or portfolio. Mapping requires looking beyond the algorithm to consider the full socio-technical context: the data pipeline, the human operators, the affected individuals, and the broader societal implications. The output is a comprehensive, contextualized understanding of potential impacts and hazards, which creates the necessary foundation for meaningful measurement and management. It ensures risk assessments are not generic but are tailored to the unique characteristics and deployment scenario of each AI application.

Executing the Map Function involves a multi-faceted contextualization process:

System & Context Characterization: Documenting the AI system's intended purpose, capabilities, limitations, architecture, data sources, and the operational ecosystem (including users, deployers, and subjects).

Impact Assessment: Identifying and analyzing the potential beneficial and adverse impacts on individuals, groups, organizations, and society at large, with particular attention to effects on civil rights, privacy, safety, and economic opportunity.

Threat & Vulnerability Identification: Cataloging potential sources of harm, including technical failures (e.g., model drift), security threats (e.g., adversarial attacks), and problematic usage patterns (e.g., misuse or over-reliance).

Stakeholder Mapping: Identifying all internal and external parties affected by or influencing the AI system, from developers and end-users to regulators and community groups.

Regulatory Context: The Map function directly enables compliance with specific regulatory mandates. It is the core activity behind the EU AI Act's required risk management system (Article 9) and the ex-ante Algorithmic Impact Assessment (AIA) or Fundamental Rights Impact Assessment (FRIA). It also fulfills the "context of the organization" and risk assessment requirements (Clauses 4 & 8) of ISO/IEC 42001.

Informed Risk Prioritization: A thorough mapping exercise prevents critical risks from being overlooked. By providing rich context, it allows organizations to prioritize risks based on their likelihood and potential severity within the specific use case, ensuring that limited resources are allocated to mitigate the most significant threats first.

‍