Measure function (NIST AI RMF)
The Measure Function is the third core component of the NIST AI Risk Management Framework (AI RMF), focused on the quantitative and qualitative assessment of identified AI risks and the performance of the system against the core Trustworthiness Characteristics.
This function translates the qualitative understanding from the Map stage into actionable data. It involves developing and applying metrics, benchmarks, tests, and analytics to evaluate how well an AI system demonstrates properties like validity, security, and fairness. Measurement provides the evidentiary basis to determine whether risks are within the organization's tolerance levels and whether mitigation controls are effective. It turns subjective concerns about "bias" or "unreliability" into objective, trackable performance indicators that can be monitored over time, enabling data-driven governance.
Implementing the Measure Function requires developing and deploying a suite of evaluative techniques:
Metric Definition & Benchmarking: Establishing measurable indicators for each relevant Trustworthiness Characteristic (e.g., disparate error rates for Fairness, attack success rates for Security, F1 scores for Validity) and setting performance benchmarks or thresholds.
Testing & Evaluation: Conducting rigorous technical evaluations, such as bias audits, adversarial robustness testing (red-teaming), accuracy validation, and simulations to gather performance data against the defined metrics.
Analysis & Gap Assessment: Analyzing the collected data to quantify the level of risk, identify performance gaps, and compare current system behavior against the organization's risk tolerance and compliance requirements.
Tool & Methodology Selection: Choosing appropriate software tools, statistical methods, and auditing procedures (e.g., using SHAP for explainability or differential privacy verification tools) to conduct reliable and repeatable measurements.
Regulatory Context: Measurement is central to demonstrating compliance with technical mandates. It provides the evidence required for the EU AI Act's conformity assessment (e.g., performance metrics in technical documentation) and post-market monitoring. It also satisfies the "performance evaluation" and "monitoring and measurement" requirements (Clause 9) of ISO/IEC 42001.
Evidence-Based Decision Making: Robust measurement moves risk management from conjecture to fact. It allows organizations to confidently make "go/no-go" deployment decisions, substantiate claims of trustworthiness to customers and regulators, and precisely target areas for improvement, thereby increasing the efficacy and credibility of the entire AI RMF process.
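The metric definition, testing and gap assessment steps described above, sketched as an added example that is not part of the NIST AI RMF or the original page. The evaluation records, red-team outcomes, tolerance values and function names are all constructed assumptions.

```python
from collections import defaultdict

# Constructed evaluation records: (group, true label, predicted label).
RECORDS = [
    ("A", 1, 1), ("A", 1, 1), ("A", 0, 0), ("A", 0, 0), ("A", 1, 1),
    ("B", 1, 0), ("B", 1, 1), ("B", 0, 1), ("B", 0, 0), ("B", 1, 1),
]
# Constructed red-team outcomes: True means the adversarial input succeeded.
ATTACKS = [False] * 18 + [True] * 2
# Hypothetical risk tolerances: "min" is a floor, "max" is a ceiling.
THRESHOLDS = {
    "f1": ("min", 0.80),                   # Validity
    "error_rate_gap": ("max", 0.10),       # Fairness
    "attack_success_rate": ("max", 0.05),  # Security
}

def f1(records):
    """F1 score over all records (positive class = 1)."""
    tp = sum(1 for _, y, p in records if y == 1 and p == 1)
    fp = sum(1 for _, y, p in records if y == 0 and p == 1)
    fn = sum(1 for _, y, p in records if y == 1 and p == 0)
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def error_rate_gap(records):
    """Largest difference in error rate between any two groups."""
    errs, totals = defaultdict(int), defaultdict(int)
    for group, y, p in records:
        totals[group] += 1
        errs[group] += int(y != p)
    rates = [errs[g] / totals[g] for g in totals]
    return max(rates) - min(rates) if rates else 0.0

def attack_success_rate(outcomes):
    """Fraction of adversarial test cases that succeeded."""
    return sum(outcomes) / len(outcomes) if outcomes else 0.0

def measure(records, attacks):
    return {"f1": f1(records), "error_rate_gap": error_rate_gap(records),
            "attack_success_rate": attack_success_rate(attacks)}

def gap_assessment(measured, thresholds):
    """Return each metric outside tolerance with its distance from the limit."""
    gaps = {}
    for name, (kind, limit) in thresholds.items():
        value = measured[name]
        within = value >= limit if kind == "min" else value <= limit
        if not within:
            gaps[name] = round(abs(value - limit), 4)
    return gaps  # an empty dict supports "go"; anything else is a gap to treat

print(gap_assessment(measure(RECORDS, ATTACKS), THRESHOLDS))
```

On the constructed data the aggregate F1 passes its floor while the per-group error rates and the attack success rate do not, which is the kind of gap an aggregate accuracy figure alone would hide.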

















