What Is AI TRiSM, and Why Is It Critical for Government AI?
Gartner describes AI TRiSM as a framework for managing AI model governance, trustworthiness, fairness, reliability, security and data protection.
The framework has gained traction as agencies recognize that AI systems require continuous oversight rather than one-time governance reviews.
“The security space likes frameworks,” Rosiek says. “They like ways to define what needs to be done and define all the different components so they can figure out how to mitigate the risk.”
He says AI TRiSM is intended to help organizations get ahead of AI’s rapid evolution rather than react after problems emerge.
“AI is moving so fast,” Rosiek says. “Frameworks and compliance can’t keep up with technology.”
That challenge becomes even more complicated as agencies begin experimenting with agentic AI systems that can autonomously pass information between applications, models and workflows.
“You may have good boundaries and controls on the first stage of that conversation,” Rosiek says, “but then it goes two or three other levels where you have no visibility.”
How To Operationalize AI TRiSM: A Three-Step Framework
While AI governance can seem overwhelming, agencies can begin operationalizing AI TRiSM through several foundational steps.
Step 1: Establish AI oversight policy aligned to existing governance
Rosiek says agencies should begin with visibility into their data and clear internal governance policies.
“The foundational part of AI within your organization comes down to your IT infrastructure, and understanding and having visibility into your data,” he says.
That means identifying what data exists, where it resides, who has access to it and what types of information should never be exposed to public AI systems.
Rosiek also warns agencies about “shadow AI,” where employees may already be using commercial AI tools without oversight.
“Making sure you have policies and training within the organization” is critical, he says.
Rather than creating entirely separate AI governance programs, agencies can often build on existing cybersecurity, compliance and data governance structures. AI TRiSM becomes a framework for extending those controls into AI environments.
“If you really have supercritical data, you absolutely need to figure out this plan and start rolling that out,” Rosiek says.
Step 2: Implement model monitoring to detect bias, drift and accuracy degradation
Continuous monitoring is another core component of AI TRiSM.
AI systems can drift over time as data changes, and models may begin producing inaccurate or biased outputs without obvious warning signs.
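As an added illustration of the drift and accuracy checks this step calls for (example code written for this page, not from the article or from Gartner's framework), the monitor below computes a Population Stability Index over a model's input score distribution and compares recent reviewed-decision accuracy against the validation-time baseline; the bins, alert thresholds and sample data are constructed assumptions.

```python
import math

# Constructed example: fixed score bins and thresholds are illustrative assumptions.
BINS = [(0.0, 1.0), (1.0, 2.0), (2.0, 3.0)]
PSI_ALERT = 0.25        # common rule of thumb for a major distribution shift
ACC_TOLERANCE = 0.05    # tolerated drop below validation accuracy

def _bin_shares(values, bins, eps=1e-6):
    """Share of values per bin, floored at eps so the log term stays defined."""
    counts = [0] * len(bins)
    for v in values:
        for i, (lo, hi) in enumerate(bins):
            if lo <= v < hi:
                counts[i] += 1
                break
    total = max(len(values), 1)
    return [max(c / total, eps) for c in counts]

def psi(baseline, current, bins=BINS):
    """Population Stability Index: 0 when both samples share one distribution."""
    b, c = _bin_shares(baseline, bins), _bin_shares(current, bins)
    return sum((ci - bi) * math.log(ci / bi) for bi, ci in zip(b, c))

def recent_accuracy(labels, predictions, window=100):
    """Accuracy over the last `window` human-reviewed decisions (None if none)."""
    pairs = list(zip(labels, predictions))[-window:]
    if not pairs:
        return None
    return sum(1 for y, p in pairs if y == p) / len(pairs)

def monitor(baseline_scores, current_scores, baseline_acc, labels, predictions):
    """Return the alerts an oversight team acts on: input drift and accuracy loss."""
    alerts = []
    shift = psi(baseline_scores, current_scores)
    if shift > PSI_ALERT:
        alerts.append(f"input drift: PSI={shift:.2f}")
    acc = recent_accuracy(labels, predictions)
    if acc is not None and acc < baseline_acc - ACC_TOLERANCE:
        alerts.append(f"accuracy degradation: {acc:.2f} vs baseline {baseline_acc:.2f}")
    return alerts

def demo():
    """Constructed data: scores shift toward the top bin; 1 in 5 recent answers is wrong."""
    baseline = [0.5] * 50 + [1.5] * 30 + [2.5] * 20
    current = [0.5] * 20 + [1.5] * 30 + [2.5] * 50
    labels = [1] * 100
    predictions = [1] * 80 + [0] * 20       # 80% recent accuracy vs 92% baseline
    return monitor(baseline, current, 0.92, labels, predictions)
```

Run on a schedule against each production model's logged inputs and reviewed outputs, the two alerts map directly to the "drift" and "accuracy degradation" signals this step asks agencies to watch for.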
Rosiek says monitoring becomes even more important because of the speed at which AI systems operate.
“The biggest benefit of AI is the speed at which it can do stuff,” he says. “It can analyze data, conduct actions, and it never gets tired.”
That speed also creates risk. A small mistake or misconfiguration can quickly scale into a larger operational problem.
“AI in some ways is unpredictable,” Rosiek says. “It will make a decision, and sometimes you may not know why.”
He compares AI agents with both insider threats and overly enthusiastic interns.
“You don’t just turn the summer intern loose in your organization,” Rosiek says. “You’ve got lots of training, mentoring and controls around them.”
In early deployments, agencies may still need humans reviewing outputs and approving actions. Over time, however, organizations will increasingly rely on “humans on the loop” rather than “humans in the loop,” where staff monitor systems rather than approve every individual action.
“But the only way you can really get the benefit of AI is in that scenario,” Rosiek says.
