Insights

  • Home
  • Insights
  • NIST Updates Its Privacy Framework to Address AI

Share

PUBBanner_NIST Updates Its Privacy Framework to A

NIST Updates Its Privacy Framework to Address AI

The National Institute of Standards and Technology ("NIST") recently updated its 2020 Privacy Framework 1.0 to include artificial intelligence ("AI") risk management.

May 09, 2025 Alert

On April 14, 2025, NIST released a draft of its Privacy Framework 1.1 ("PF 1.1"), an update to its Privacy Framework 1.0. NIST developed PF 1.1 to help organizations that use AI identify and manage privacy risk and "build innovative products and services while protecting individuals' privacy." 

Summary of Updates

PF 1.1 aims to provide a flexible standard that could be applied to any legal, technology, or sector requirements. PF 1.1 also aligns with the Cybersecurity Framework 2.0 ("CSF 2.0"), allowing practitioners to simultaneously apply both standards in their organizations. Like CSF 2.0, PF 1.1 is composed of three components: Core, Organizational Profiles, and Tiers.

  • Core consists of key privacy activities and outcomes that allow organizations to effectively communicate and manage privacy risk. It is comprised of five functions: Identify, Govern, Control, Communicate, and Protect.
  • Organizational Profiles are designed to assist in the evaluation of an organization's current privacy practices, its desired privacy profile, and gaps and priorities to achieve its privacy targets.
  • Tiers support organizational decision-making by classifying an organization's privacy risk posture based on the sufficiency of the processes in place to manage those risks.

One notable aspect of PF 1.1 is that it acknowledges the emergence of AI and its unique implications for enterprise risk management. It contains a new section that expressly addresses privacy risks arising from the interaction of AI and personal data, such as:

  • The inadvertent exposure of personally identifiable information used to train AI systems;
  • Statistical and cognitive bias affecting AI-assisted decisions; and
  • Use of AI to directly infringe an individual's likeness rights (e.g., deepfakes).

According to NIST, proper management of privacy risks "can make AI systems more trustworthy and support responsible AI practices." NIST recommends implementing PF 1.1 with other NIST standards (e.g., AI Risk Management Framework and CSF 2.0) to fully account for the risks inherent in AI.

Looking Ahead 

PF 1.1 demonstrates a continuing effort to integrate AI risk into broader enterprise risk management practices. In doing so, NIST is seeking to align comprehensive oversight of AI-related privacy risk with key business objectives. PF 1.1 is open for public comments until June 13, 2025. NIST expects to release the final draft in Q4 2025.

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at www.jonesday.com. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.
Contributors
You May Also Be Interested In

May 08, 2025 Alert

FTC Finalizes Amendments to the Children's Online Privacy Protection Act Rule

May 06, 2025 Alert

OMB Directs Agencies to Accelerate AI Adoption and Devise Governance Strategy

April 08, 2025 Commentary

Belgium Adopts New Act on Private Investigations

April 04, 2025 Newsletters

EU Geopolitical Risk Update - Key Policy & Regulatory Developments No. 120

Before sending, please note:

Information on www.jonesday.com is for general use and is not legal advice. The mailing of this email is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Anything that you send to anyone at our Firm will not be confidential or privileged unless we have agreed to represent you. If you send this email, you confirm that you have read and understand this notice.