ARTICLE
14 May 2025

NIST Updates Its Privacy Framework To Address AI

Jones Day

The National Institute of Standards and Technology ("NIST") recently updated its 2020 Privacy Framework 1.0 to include artificial intelligence ("AI") risk management.

On April 14, 2025, NIST released a draft of its Privacy Framework 1.1 ("PF 1.1"), an update to its Privacy Framework 1.0. NIST developed PF 1.1 to help organizations that use AI identify and manage privacy risk and "build innovative products and services while protecting individuals' privacy."

Summary of Updates

PF 1.1 aims to provide a flexible standard that can be applied to any legal, technological, or sector-specific requirements. PF 1.1 also aligns with the Cybersecurity Framework 2.0 ("CSF 2.0"), allowing practitioners to apply both standards in their organizations at the same time. Like CSF 2.0, PF 1.1 is composed of three components: Core, Organizational Profiles, and Tiers.

  • Core consists of key privacy activities and outcomes that allow organizations to effectively communicate and manage privacy risk. It comprises five functions: Identify, Govern, Control, Communicate, and Protect.
  • Organizational Profiles are designed to assist in the evaluation of an organization's current privacy practices, its desired privacy profile, and gaps and priorities to achieve its privacy targets.
  • Tiers support organizational decision-making by classifying an organization's privacy risk posture based on the sufficiency of the processes in place to manage those risks.

One notable aspect of PF 1.1 is that it acknowledges the emergence of AI and its unique implications for enterprise risk management. It contains a new section that expressly addresses privacy risks arising from the interaction of AI and personal data, such as:

  • The inadvertent exposure of personally identifiable information used to train AI systems;
  • Statistical and cognitive bias affecting AI-assisted decisions; and
  • Use of AI to directly infringe an individual's likeness rights (e.g., deepfakes).

According to NIST, proper management of privacy risks "can make AI systems more trustworthy and support responsible AI practices." NIST recommends implementing PF 1.1 with other NIST standards (e.g., AI Risk Management Framework and CSF 2.0) to fully account for the risks inherent in AI.

Looking Ahead

PF 1.1 demonstrates a continuing effort to integrate AI risk into broader enterprise risk management practices. In doing so, NIST is seeking to align comprehensive oversight of AI-related privacy risk with key business objectives. PF 1.1 is open for public comments until June 13, 2025. NIST expects to release the final draft in Q4 2025.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
