Attest Your AI Governance
Against the NIST AI Framework

The NIST AI Risk Management Framework (AI RMF) is a voluntary framework developed by the United States National Institute of Standards and Technology to guide organizations in managing risks associated with artificial intelligence throughout its lifecycle. The framework is structured around four core functions: Govern, Map, Measure, and Manage. It provides practical guidance for systematically identifying, assessing, and mitigating AI risks, and is widely recognized as a reference in the US market and across organizations with global operations.

No. The NIST AI RMF is not a certifiable standard. There is no NIST AI RMF certificate issued by certification bodies. It is a guidance framework that organizations adopt voluntarily to structure their AI risk management. The assessment Zertia conducts measures the degree of alignment and maturity of the organization against the framework's functions and principles, providing a clear picture of the current position and areas for improvement.

Organizations that develop or deploy AI systems operating in the US market, that collaborate with US federal agencies, that need to demonstrate AI risk governance to US-based investors or partners, or that want to structure their AI governance program on an internationally recognized framework. It is also relevant for organizations outside the United States that operate in markets where the NIST AI RMF is used as a best practice reference.

The standard timeline is approximately four weeks, depending on the scope, the number of AI systems assessed, and the operational complexity of the organization. Organizations with multiple AI systems or distributed operations across several jurisdictions may require a longer timeline.

The assessment requires access to internal AI governance policies, an inventory of AI systems, technical documentation for the models, risk management procedures, human oversight controls, post-deployment monitoring mechanisms, and any prior evidence of impact assessments or internal audits conducted.

A structured report that includes a maturity assessment against the four NIST AI RMF functions (Govern, Map, Measure, Manage), identification of control gaps, a risk prioritization matrix, and an actionable AI governance improvement roadmap with recommended timelines. The report is an auditable document that can be presented to regulators, investors, or procurement teams.

The NIST AI RMF and ISO/IEC 42001 certification are complementary. The NIST AI RMF provides detailed guidance on AI risk management, while ISO/IEC 42001 provides the certifiable management system framework to operationalize that governance. Organizations that first carry out the NIST AI RMF alignment assessment can use the results to strengthen the risk management dimension within their AI management system under ISO/IEC 42001. Zertia offers both services and can design an engagement covering both assessments in an integrated manner.

Yes. In the absence of a comprehensive federal AI law in the United States, the NIST AI RMF has established itself as the primary AI governance reference for organizations operating in the US market. Having a documented NIST AI RMF alignment assessment provides evidence of structured AI risk management, which is relevant to federal and state regulators, in investor due diligence processes, and as a demonstration of good practice against state AI laws coming into force in states such as Colorado, California, and New York.

The NIST Cybersecurity Framework (CSF) focuses on cybersecurity risk management. The NIST AI RMF focuses specifically on risks associated with artificial intelligence, including algorithmic bias, transparency, explainability, human oversight, and training data governance. Both frameworks are complementary, and many organizations implement them together to cover both security risks and AI-specific risks.