NIST AI Risk Management Framework (AI RMF)

Provenance & licence

Source: nist.gov/itl/ai-risk-management-framework · Last observed: 2026-06-16 · Version: AI RMF 1.0 (2023) + GenAI Profile 600-1 (2024) · Status: pilot · Licence: U.S. Government work — public domain (public-domain)

Summary

The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) is a voluntary framework published in January 2023 to help organisations manage risks across the AI lifecycle. It is organised around four core functions — GOVERN, MAP, MEASURE, MANAGE — and a set of characteristics of trustworthy AI. The Generative AI Profile (NIST AI 600-1, July 2024) is a companion that enumerates twelve GenAI-specific risks and suggested actions. The Adversarial Machine Learning taxonomy (NIST AI 100-2e2025) supplies the attack/mitigation vocabulary. NIST has signalled an AI Agent / Agentic Profile for late 2026, since agentic systems sit outside the original frame of RMF 1.0 and 600-1.

In plain language

Our explanation, not the official text

Plain-language summary in our own words — not the normative text. Follow the source for the authoritative wording. This is general information, not legal advice.

The AI RMF is a voluntary playbook for managing the risks of building and using AI. It doesn't mandate a specific tool; it gives you four things to do continuously — set up accountability (GOVERN), understand your system and its context (MAP), test how trustworthy it is (MEASURE), and act on the risks you find (MANAGE). The GenAI Profile adds a checklist of risks specific to generative AI. It's the shared vocabulary most other AI-risk frameworks borrow.

Key terms

  • Trustworthy AI — AI that is valid, safe, secure, transparent, explainable, privacy-respecting and fair.
  • Profile — a tailored selection of the framework for a specific context (e.g. the GenAI Profile).
  • GOVERN / MAP / MEASURE / MANAGE — the four continuous functions of the framework.

In depth: the four functions — the source's words and ours

Reading guide: boxed “Source text” quotes are NIST's own wording (verbatim; NIST publications are U.S. Government works in the public domain). Text marked “In our words” is our explanation, written to make the framework easier to grasp.

Source text — NIST AI RMF 1.0 (public domain)

The GOVERN function: cultivates and implements a culture of risk management within organizations designing, developing, deploying, evaluating, or acquiring AI systems; outlines processes, documents, and organizational schemes that anticipate, identify, and manage the risks a system can pose …

In our words — GOVERN is the backbone. It sets the culture, roles, policies and accountability that make the other three functions actually happen, and it is the only cross-cutting function: without it, mapping, measuring and managing are ad-hoc and won't survive an audit.

Source text — NIST AI RMF 1.0 (public domain)

The MAP function establishes the context to frame risks related to an AI system.

In our words — MAP is the "know what you're dealing with" step: intended purpose, context of use, data, stakeholders and foreseeable misuse. You can't meaningfully assess a system you haven't framed.

Source text — NIST AI RMF 1.0 (public domain)

The MEASURE function employs quantitative, qualitative, or mixed-method tools, techniques, and methodologies to analyze, assess, benchmark, and monitor AI risk and related impacts.

In our words — MEASURE is the evidence function: it turns "we think it's risky" into tested, benchmarked, monitored metrics for trustworthiness (accuracy, robustness, bias, security, and so on).

Source text — NIST AI RMF 1.0 (public domain)

The MANAGE function entails allocating risk resources to mapped and measured risks on a regular basis and as defined by the GOVERN function.

In our words — MANAGE is "act, and keep acting": prioritise, treat, respond, recover, and keep monitoring after deployment — recording the decisions and trade-offs an auditor will later inspect.

From my training — University of Oxford · Managing Enterprise AI Risks (2026)

In my Oxford certification I worked NIST's four functions as an operational control set — cross-mapped across ~24 standards (NIST · ISO/IEC 42001 · EU AI Act · DORA) and split into risk of AI vs risk due to AI. In an audit I anchor GOVERN / MAP / MEASURE / MANAGE to that cross-map and the Three Lines of Defence, with Model Cards, an AI-SBOM and a living risk register as the evidence base. Verify certificate ↗

Key Sections

  • GOVERN — cross-cutting culture, policies, accountability, and roles for AI risk.
  • MAP — establish context; frame the system, its purpose, and its impacts.
  • MEASURE — analyse, benchmark, and monitor AI risks with quantitative and qualitative methods.
  • MANAGE — prioritise, respond to, and recover from risks; allocate resources.
  • Trustworthy AI characteristics — valid & reliable, safe, secure & resilient, accountable & transparent, explainable & interpretable, privacy-enhanced, and fair (with harmful bias managed).
  • GenAI Profile (600-1) — 12 risks incl. confabulation, dangerous/CBRN information, data privacy, harmful bias, information integrity, information security, IP, and value-chain/component integration.
  • AI RMF Playbook — actionable, suggested-action companion to the four functions (maintained as a living web resource on the AI Resource Center).

Audit-Relevant Anchors

  • GOVERN 1.1 / 1.2 — legal and regulatory requirements are understood, documented, and managed; trustworthy-AI characteristics are reflected in policy.
  • MAP 1.x — intended purpose, context of use, and foreseeable misuse are documented (the basis of an audit scope).
  • MEASURE 2.x — system performance and trustworthiness are evaluated with named metrics and test sets.
  • MANAGE 2.x / 4.x — risk responses and post-deployment monitoring are documented and maintained — the audit trail an assessor inspects.

Auditor Checklist

Evidence-oriented checks for an engagement that relies on the AI RMF:

  • A documented AI governance structure with named accountability exists (GOVERN 1.x–2.x).
  • Each AI system's intended purpose, context of use, and foreseeable misuse is documented (MAP 1.x).
  • Trustworthiness characteristics are evaluated with named metrics and test sets (MEASURE 2.x).
  • Risk-response and prioritisation decisions are recorded (MANAGE 1.x–2.x).
  • Post-deployment monitoring is operating and producing records (MANAGE 4.x).
  • For generative systems, the twelve GenAI-Profile risks (600-1) are assessed.
  • Third-party / component (supply-chain) risks are mapped (MAP 4.x).

Cross-Framework Mapping

Indicative cross-references, not authoritative equivalences — confirm against the official NIST AIRC crosswalks before relying on them.

NIST AI RMF | ISO/IEC 42001                          | EU AI Act                           | ISO/IEC 23894
GOVERN      | Cl. 5 (leadership & policy)            | Art. 17 (QMS)                       | Cl. 5 (framework)
MAP         | Cl. 6.1 + Cl. 8 (risk ID, impact)      | Art. 9 + Annex III (risk, scope)    | Cl. 6.2–6.4
MEASURE     | Cl. 9 (performance evaluation)         | Art. 15 (accuracy, robustness)      | Cl. 6.4 (analysis)
MANAGE      | Cl. 8 + Cl. 10 (operation, improvement)| Art. 9 (risk treatment)             | Cl. 6.5 (treatment)

Recent Changes (rolling, last 5)

Date       | Severity | What changed
2026-06-16 | baseline | Initial baseline: AI RMF 1.0, GenAI Profile 600-1, Adversarial ML 100-2e2025 captured. Agentic Profile noted as forthcoming (NIST, ~Q4 2026).

Sources