The NIST AI Risk Management Framework (AI RMF) is a voluntary guidance document from the US National Institute of Standards and Technology that helps organizations identify, assess, and reduce risks linked to artificial intelligence systems across their full lifecycle.
NIST published the framework in January 2023, and it supports organizations that design, develop, deploy, or use AI, regardless of size or sector. It gives a shared structure to technical teams and leadership, but does not replace law or certification.
This guide walks through what the framework covers, how its four core functions work, and how a business can put it into practice.
NIST AI Risk Management Framework: summary
- The NIST AI RMF is voluntary, sector-neutral, and use-case agnostic. It applies to traditional machine learning (ML), generative AI, and AI features embedded in larger products.
- The framework defines trustworthy AI through seven characteristics: 1) valid and reliable, 2) safe, 3) secure and resilient, 4) accountable and transparent, 5) explainable and interpretable, 6) privacy-enhanced, and 7) fair with harmful bias managed.
- Its Core has four functions: Govern, Map, Measure, and Manage. Govern is the cross-cutting function at the center.
- NIST published the Generative AI Profile (NIST AI 600-1) on July 26, 2024, to extend the framework to large language models, copilots, and agentic systems.
- AI RMF 1.0 is being revised, and the AI RMF Playbook will be updated after AI RMF 1.1 is published.
- AI RMF is not the EU AI Act. The EU AI Act is a binding law. NIST AI RMF supports good practice and pairs well with standards such as ISO/IEC 42001 and ISO/IEC 23894.
What is the NIST AI Risk Management Framework
NIST AI RMF, formally titled Artificial Intelligence Risk Management Framework (AI RMF 1.0), is a voluntary framework developed by the National Institute of Standards and Technology. NIST describes its goal as helping organizations that design or use AI to manage AI risks.

A few facts about the framework:
- It is voluntary. No business is legally required to adopt it.
- It is rights-preserving. NIST built it to support civil rights, civil liberties, equity, and privacy.
- It works across sectors and use cases. The same framework applies to a healthcare diagnostic tool, a fraud model in a bank, and a customer support chatbot.
- It is designed for organizations of all sizes, from startups to enterprises and public sector bodies.
The framework is structured around two main ideas. First, a description of what trustworthy AI looks like, expressed through seven characteristics. Second, a Core that breaks risk work into four functions. NIST also publishes a companion AI RMF Playbook with practical suggested actions, plus Profiles that adapt the framework to specific contexts.
The framework focuses on AI risk, which includes harms to people, organizations, and ecosystems. It also covers harms to civil liberties, physical safety, financial loss, reputational damage, environmental impact, and harm to democratic institutions. In other words, AI RMF is more than a security checklist.
Why businesses need a structured approach to AI risk
AI risk is different from traditional software risk because an AI system, especially a model trained on large datasets, behaves probabilistically. It can drift, produce biased outputs, leak training data, or be manipulated through adversarial inputs. The same model can be safe in one use case and unsafe in another.
Another problem is that without a framework, AI risk ownership can remain unclear. Whichever team or leader is most involved at the moment ends up making the decisions. But with a framework, the same set of questions and the same vocabulary apply across teams.
When organizations have a structure in their approach to AI risk, they get several advantages:
- A shared language across teams (e.g., legal, security, product, data science, procurement).
- A clear way to compare AI use cases by severity and likelihood.
- A consistent record of decisions, which matters for audits and incident investigations.
- An easier way to align with future regulations, since most laws lean on the same risk concepts NIST uses.
- Better third-party governance, because vendors and integrations introduce risks that the buyer often inherits.
In short, the NIST AI RMF gives that structure without prescribing tools or techniques. It tells organizations which risks to address.
Core functions of the NIST AI Risk Management Framework
The AI RMF Core has four functions: Govern, Map, Measure, and Manage. They form a continuous risk process across the AI lifecycle. NIST breaks each function into categories and subcategories.
Govern is a cross-cutting function: it feeds the other three. Map sets context, Measure assesses risk, and Manage acts on it. Work in any function can trigger updates in the others.
- Govern (cross-cutting)
- Map (context and use cases)
- Measure (assess risks and trustworthiness)
- Manage (treat and monitor risks)
1. Govern: NIST AI RMF governance and responsibilities
Govern sets the culture, policies, roles, accountability, and oversight that hold the other three functions together. It connects technical AI choices to legal, ethical, and societal considerations. It also covers risks from third-party AI systems, datasets, and services.

In a typical organization, the Govern function answers questions such as:
- Who owns AI risk at the executive level?
- Which policies apply to AI use across the company?
- Who approves a new AI use case, and what triggers a re-review?
- How are documentation, model cards, and decisions recorded?
- How does the company manage AI vendors, foundation models, and open-source components?
- How are workers trained on responsible AI practices?
NIST AI RMF governance should sit within the broader enterprise risk and security program. Microsoft’s AI governance guidance, for example, states that it follows the NIST AI RMF and the NIST AI RMF Playbook, and places AI risk inside its wider enterprise risk approach.
What’s the practical sign that Govern is working? One person or committee can stop or approve an AI use case, and they rely on documented criteria rather than personal judgment.
2. Map: understanding where AI is used
Map establishes context for AI risk. It identifies the intended purpose, users, stakeholders, assumptions, constraints, benefits, and known risks of a specific AI system. It also covers how the system depends on other parts of the stack—the data pipeline, the model provider, and the business process it feeds into.
A Map activity usually produces:
- An AI system inventory that lists tools, owners, vendors, data sources, model types, and deployment status.
- An intended-use description that names the users, affected groups, and out-of-scope uses.
- A list of assumptions and constraints, such as the data quality that the system requires to work safely.
- A first cut of risks, including misuse and abuse scenarios.
Teams often skip this step and go straight to model selection without writing down who the system is for, what counts as success, and what counts as harm. But without that context, later measurement and treatment work has no anchor.
NIST encourages organizations to use Map for clear go or no-go decisions. Sometimes the right answer is no—and that decision should happen before any model is built.
3. Measure: evaluating AI risks and performance
Measure uses qualitative, quantitative, or mixed methods to assess AI risks and trustworthiness. NIST links this function to testing, evaluation, verification, and validation (sometimes shortened to TEVV). Measurement happens before deployment and continues throughout the lifecycle.
Typical Measure activities include:
- Model performance tests across representative and edge-case data.
- Bias and fairness tests across relevant subgroups.
- Security tests, including red team exercises against the model and its surrounding stack.
- Privacy assessments, including data minimization and re-identification risk.
- Robustness checks under data drift, adversarial inputs, and prompt injection where relevant.
- Independent review, especially for high-impact use cases.
Note that AI measurement methods are still maturing, and visibility into third-party model training data is often limited. The right response is not to skip measurement, but to be transparent about what was tested and what was not.
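The Measure activities above can be made concrete in a small evaluation routine. The following is an added example, not code from NIST or from the article: it scores a classifier's predictions overall, on an edge-case slice, and per subgroup, and flags threshold breaches that a Manage review would then act on. The records, the subgroup names, and the thresholds are constructed for illustration.

```python
"""Added example (not from NIST or the article): a minimal Measure-style
evaluation reporting accuracy overall, on an edge-case slice, and per
subgroup, flagging any subgroup that trails the best-performing one by
more than a chosen tolerance. Data and thresholds are constructed."""
from collections import defaultdict

# Constructed evaluation records: (subgroup, is_edge_case, label, prediction)
RECORDS = [
    ("region_a", False, 1, 1), ("region_a", False, 0, 0), ("region_a", False, 1, 1),
    ("region_a", False, 0, 0), ("region_a", True, 1, 1), ("region_a", True, 0, 1),
    ("region_b", False, 1, 1), ("region_b", False, 0, 1), ("region_b", False, 1, 0),
    ("region_b", False, 0, 0), ("region_b", True, 1, 0), ("region_b", True, 0, 0),
]


def accuracy(rows):
    """Fraction of rows whose prediction matches the label; None if no rows."""
    if not rows:
        return None
    return sum(1 for _, _, y, p in rows if y == p) / len(rows)


def measure(records, max_gap=0.15, min_overall=0.7, min_edge=0.5):
    """Return metrics plus an 'issues' list of threshold breaches to carry into Manage."""
    overall = accuracy(records)
    edge = accuracy([r for r in records if r[1]])  # edge-case slice only
    by_group = defaultdict(list)
    for r in records:
        by_group[r[0]].append(r)
    group_acc = {g: accuracy(rows) for g, rows in by_group.items()}
    best = max(group_acc.values())
    issues = []
    if overall < min_overall:
        issues.append(f"overall accuracy {overall:.2f} below {min_overall}")
    if edge is not None and edge < min_edge:
        issues.append(f"edge-case accuracy {edge:.2f} below {min_edge}")
    for g, acc in sorted(group_acc.items()):
        # Disparity is measured against the best subgroup, an assumed convention
        if best - acc > max_gap:
            issues.append(f"subgroup {g} accuracy {acc:.2f} is {best - acc:.2f} below best")
    return {"overall": overall, "edge_case": edge, "by_group": group_acc, "issues": issues}
```

The point of recording what was tested and at what threshold is the transparency the paragraph above calls for: the findings dict is the artifact, not just the pass/fail.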
4. Manage: reducing and controlling AI risk
Manage prioritizes and acts on the risks identified through Map and Measure. It covers resource allocation, risk response plans, decisions on what residual risk to accept, monitoring, incident response, and recovery.
In day-to-day work, Manage answers questions such as:
- Which risks are accepted, mitigated, transferred, or avoided?
- Where do humans need to stay in the loop, and with what authority?
- How are model outputs monitored after launch, and who reviews drift or incident signals?
- What happens when the system produces an unsafe output or a customer complaint reveals harm?
- How are models retired or replaced safely?
A strong oversight plan defines human review points, override rights, escalation paths, and rules for high-risk decisions where a human must approve before action is taken.
Manage is also where third-party AI controls turn into actual operations. Vendor SLAs, model update policies, and integration monitoring fall under this function.
How the framework fits into daily business operations
Any framework is only useful if it survives real work. NIST AI RMF usually does.
Consider a mid-sized B2B software company that wants to launch an AI assistant inside its product. Without AI RMF, engineering, security, and legal hold the conversation ad hoc. With AI RMF, the same conversation looks like this:
- Govern.
  - The company updates its AI policy to cover generative AI use.
  - It names a product owner accountable for the assistant.
  - It sets a review checkpoint before launch.
- Map. The product team writes a short intended-use document. It lists:
  - who the assistant is for,
  - what data it can access,
  - what it must refuse, and
  - which user actions count as misuse.
- Measure. Engineering and security run
  - model evaluations,
  - prompt injection tests, and
  - content safety checks.
  They benchmark accuracy on a representative test set, plus edge cases drawn from real support tickets.
- Manage.
  - Customer support gets a runbook for unsafe outputs.
  - Product analytics tracks usage, refusal rates, and user feedback.
  - A monthly review checks for drift and new misuse patterns.
NIST AI RMF guidance also helps with procurement. A vendor selling an AI feature can be asked to describe how they Govern, Map, Measure, and Manage their system. Vague answers are themselves a risk signal.
Benefits of using the NIST AI Risk Management Framework
Adopting NIST AI RMF brings benefits beyond a tidy risk register. Some of the most consistent ones reported by organizations that have rolled it out are:
- A common language across functions. Legal, security, data science, product, and procurement can use the same terms for risks, controls, and decisions. That alone removes a large share of friction in AI projects.
- Easier alignment with other standards. AI RMF crosswalks help organizations compare it with ISO/IEC 42001, ISO/IEC 23894, OECD AI Principles, and security frameworks. ISO/IEC 42001:2023 is the first international AI management system standard, while ISO/IEC 23894 provides guidance for AI-related risk management. A team that has done the AI RMF work has most of the inputs needed for these standards.
- Better preparation for regulation. AI RMF is not law, but it leans on the same risk concepts that show up in regulations such as the EU AI Act, which is a binding, risk-based legal framework with four risk levels, with prohibitions on unacceptable-risk practices applying from February 2025. Companies that have already built Govern, Map, Measure, and Manage muscles can adapt faster.
- Stronger security posture for AI. AI RMF makes its “secure and resilient” characteristic concrete when paired with security-focused resources such as Google’s Secure AI Framework (SAIF), CISA, NSA, and FBI joint guidance on deploying externally developed AI systems, Mandiant’s AI risk and resilience report, OWASP’s Top 10 for LLM Applications, and MITRE ATLAS.
- Clearer customer and partner conversations. Enterprise buyers keep asking about AI governance during procurement. A documented AI RMF program shortens those conversations and builds trust.
- Less rework over time. Decisions, assumptions, and test results are captured in artifacts that survive team changes. New hires can pick up an existing system without rediscovering its risk context from scratch.
- A practical structure for generative AI. The NIST AI 600-1 Generative AI Profile lists specific risk categories that matter for LLM-based systems: CBRN information or capabilities, confabulation (often called hallucination in everyday AI discussions), dangerous, violent, or hateful content, data privacy, environmental impacts, harmful bias or homogenization, human-AI configuration, information integrity, information security, intellectual property, obscene, degrading, or abusive content, and value chain and component integration.
NIST AI Risk Management Framework limitations
It is fair to flag the limits of the framework, because overselling it leads to disappointment.
It is voluntary, not a compliance shortcut. AI RMF adoption does not equal EU AI Act compliance, nor does it produce a certificate.
It does not prescribe controls. AI RMF tells you what outcomes to aim for, not which controls or tools to deploy. Organizations need to translate categories into controls themselves, often by pulling from ISO standards, OWASP, MITRE ATLAS, CISA guidance, or vendor frameworks.
Measurement methods are still immature. NIST itself notes that AI measurement is a developing field. Many useful tests, especially for generative AI, do not yet have agreed benchmarks. Visibility into the training data of foundation models is often limited.
It assumes organizational maturity. Govern, Map, Measure, and Manage all require people, time, and authority. A small startup with no formal risk function will struggle to apply every category in depth.
It moves slower than the technology. AI RMF 1.0 was published in January 2023. Generative AI has changed substantially since then. NIST has signaled that AI RMF 1.0 is being revised and that the Playbook will be updated after AI RMF 1.1 is published. A Trustworthy AI in Critical Infrastructure Profile is also in development.
Political and policy context can shift. Executive Order 14110 on Safe, Secure, and Trustworthy AI, issued on October 30, 2023, was rescinded on January 20, 2025. The Generative AI Profile was created in that EO context, but the EO itself is no longer active. The framework remains valid, but readers should not treat the original policy backdrop as current authority.
These limits do not undermine the framework; they simply mean it works best combined with other resources.
NIST AI Risk Management Framework implementation
Luckily, a NIST AI risk management framework implementation does not require a year-long program. Most teams can produce a usable first pass in a few weeks.
A sequence can look like this:
- Set governance first. Name an executive owner for AI risk. Write or update a short AI policy that covers acceptable use, approval steps, third-party AI rules, and incident response basics. Define a small approval body that can review AI use cases.
- Build an AI system inventory. List every AI tool in use, including embedded features in SaaS products. For each entry, capture owner, vendor, use case, data sources, model type, and deployment status. This is the foundation for every other artifact.
- Map each significant use case. For high-impact systems, fill an intended-use worksheet that names users, affected groups, assumptions, constraints, and misuse cases. Decide early whether the use case should proceed at all.
- Stand up an AI risk register. Track risks, likelihood, impact, controls, owners, residual risk, and review dates. Tie entries to the use cases in your inventory.
- Build a testing and evaluation plan. Define metrics, test methods, benchmarks, red team scope, acceptance thresholds, and retest cadence. For generative AI, include prompt injection, data leakage, and content safety tests.
- Set up human oversight. Define human review points, override rights, escalation paths, and rules for high-risk decisions. Document who is responsible at each step.
- Create an AI incident response plan. Cover model failures, data leakage, unsafe outputs, harmful bias, abuse, and service disruption. Tie it into the existing security incident process.
- Add monitoring and review. Track drift, performance, misuse, user feedback, incidents, and control effectiveness after deployment. Schedule periodic reviews of the inventory and risk register.
- Use the AI RMF Playbook. The Playbook offers suggested actions, references, and practical guidance under Govern, Map, Measure, and Manage. Pick the actions that fit your maturity and resources.
- Apply a Profile where helpful. Profiles adapt AI RMF to a specific sector, technology, use case, or risk context. The Generative AI Profile is a strong starting point for LLM-based systems. A Current Profile and a Target Profile can reveal gaps and shape a roadmap.
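The inventory and risk register steps above produce linked artifacts, and the checks below are the ones a reviewer runs before sign-off. This is an added example, not NIST's or the article's code: the inventory entries, register entries, the 1-5 scoring scale, and the idea that each control scales likelihood by an estimated factor are all constructed assumptions for illustration.

```python
"""Added example (not from NIST or the article): a small AI system inventory
and risk register in the shape the implementation steps describe, plus the
checks a Manage review would run. All entries, scores and dates are constructed."""
from datetime import date

# Constructed AI system inventory (step: build an AI system inventory)
INVENTORY = {
    "sys-01": {"owner": "support-lead", "vendor": "external-llm-vendor",
               "use_case": "customer support assistant", "model_type": "LLM",
               "data_sources": ["ticket history"], "status": "pilot"},
    "sys-02": {"owner": "risk-team", "vendor": "in-house",
               "use_case": "transaction fraud scoring", "model_type": "gradient boosting",
               "data_sources": ["payments"], "status": "production"},
}

# Constructed risk register (step: stand up an AI risk register).
# Likelihood and impact use an assumed 1-5 scale; each control carries an
# estimated factor applied to likelihood, which is how residual risk is derived here.
REGISTER = [
    {"id": "r-1", "system": "sys-01", "risk": "prompt injection via pasted ticket text",
     "likelihood": 4, "impact": 4, "owner": "support-lead",
     "controls": [("input filtering", 0.5), ("no tool access", 0.5)],
     "next_review": date(2025, 1, 15)},
    {"id": "r-2", "system": "sys-02", "risk": "performance drift on new merchant segment",
     "likelihood": 3, "impact": 5, "owner": "risk-team",
     "controls": [("monthly drift review", 0.7)], "next_review": date(2026, 6, 1)},
    {"id": "r-3", "system": "sys-99", "risk": "entry not tied to any inventory item",
     "likelihood": 2, "impact": 2, "owner": "", "controls": [], "next_review": date(2026, 1, 1)},
]
REVIEW_DATE = date(2025, 6, 1)  # constructed "today" so the overdue check is deterministic


def residual_score(entry):
    """Inherent score is likelihood x impact; each control scales likelihood down."""
    likelihood = entry["likelihood"]
    for _, factor in entry["controls"]:
        likelihood *= factor
    return round(likelihood * entry["impact"], 2)


def review_register(register, inventory, today, accept_at_or_below=6):
    """Return findings a periodic review would act on: orphan entries not tied
    to the inventory, overdue reviews, entries with no owner, and risks whose
    residual score exceeds the assumed acceptance threshold."""
    findings = {"orphans": [], "overdue": [], "unowned": [], "needs_treatment": []}
    for e in register:
        if e["system"] not in inventory:
            findings["orphans"].append(e["id"])
        if e["next_review"] < today:
            findings["overdue"].append(e["id"])
        if not e["owner"]:
            findings["unowned"].append(e["id"])
        if residual_score(e) > accept_at_or_below:
            findings["needs_treatment"].append(e["id"])
    return findings
```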
NIST AI risk management framework key points: conclusion
The NIST AI Risk Management Framework offers a clear structure for handling AI risk without locking organizations into a specific technology, vendor, or regulation. Its strength comes from three things: a shared vocabulary across teams, a Core built around four functions that mirror real risk work, and an open design that pairs well with ISO standards, OECD principles, EU regulation, and security frameworks from CISA, Google, Mandiant, OWASP, and MITRE.
For most businesses, the practical move is to treat NIST AI RMF as a backbone, build the basic artifacts, and grow the program in step with AI adoption.
