NIST AI Risk Management Framework
The NIST AI RMF 1.0 is a voluntary, widely adopted framework for managing AI risk across the system lifecycle. It is organized around four functions — Govern, Map, Measure and Manage — and a set of characteristics of trustworthy AI (valid and reliable; safe; secure and resilient; accountable and transparent; explainable and interpretable; privacy-enhanced; and fair, with harmful bias managed). A companion Generative AI Profile adapts it to GenAI risks. Unlike the EU AI Act it is not law, but it is a common backbone for operational AI governance.
Definition
The NIST AI Risk Management Framework is a voluntary framework that helps organizations govern, map, measure and manage the risks of AI systems while pursuing the characteristics of trustworthy AI.
Scope
Any organization designing, developing, deploying or using AI, in any sector. It is voluntary and outcome-focused, designed to be tailored to context and used alongside standards and regulation.
Key requirements
- Four core functions: Govern (culture & accountability), Map (context & risks), Measure (assess & track), Manage (prioritize & respond).
- Govern is cross-cutting — it underpins the other three.
- Defines characteristics of trustworthy AI to aim for, not just risks to avoid.
- A companion Generative AI Profile (NIST AI 600-1) addresses GenAI-specific risks.
- Voluntary and flexible — meant to be tailored, not certified against.
- Pairs well with ISO/IEC 42001 (management system) and the EU AI Act (law).
Controls
- Govern
  - Establish the policies, accountability, culture and roles that make risk management real — the foundation the other functions stand on.
- Map
  - Establish context: intended use, stakeholders, and the risks and impacts of the AI system before building.
- Measure
  - Use quantitative and qualitative methods to assess, benchmark and monitor risk and trustworthiness — you can't manage what you don't measure.
- Manage
  - Prioritize, respond to and track risks over time, including incident response and decommissioning.
- Trustworthiness characteristics
  - Steer toward valid, safe, secure, accountable, explainable, privacy-enhanced and fair outcomes as explicit design targets.
Checklist
- 01 Stand up the Govern function: policy, accountability and roles.
- 02 Map each system's context, intended use, stakeholders and risks.
- 03 Define metrics and Measure validity, safety, security, bias and robustness.
- 04 Manage: prioritize risks, plan responses and track them over time.
- 05 Apply the Generative AI Profile for GenAI systems.
- 06 Set up incident response and monitoring for deployed systems.
- 07 Map the framework to your obligations under ISO/IEC 42001 and the EU AI Act.
Common pitfalls
- Doing Map and Measure but neglecting Govern, so nothing is accountable.
- Measuring what's easy instead of what matters for trustworthiness.
- Treating it as a checklist rather than a continuous risk practice.
- Ignoring the Generative AI Profile for LLM and agentic systems.
Examples
- A team using Map to document an agent's intended use and stakeholders before building.
- A Measure step benchmarking a model for bias and robustness against an eval set.
- A Manage process with incident response for a deployed GenAI assistant.
FAQs
- Is the NIST AI RMF mandatory?
  - No. It is a voluntary framework. But it is widely adopted as a common language and backbone for operational AI risk management, and often referenced in policy and procurement.
- What are the four functions?
  - Govern, Map, Measure and Manage. Govern is cross-cutting and supports the other three, which run across the AI lifecycle.
- How does it handle generative AI?
  - Through the companion Generative AI Profile (NIST AI 600-1), which identifies GenAI-specific risks and suggested actions mapped to the four functions.