NIST AI Risk Management Framework

The NIST AI Risk Management Framework is the most influential AI governance instrument in the world that is not, technically, a regulation. That contradiction is where its actual significance lives. The dominant narrative about the AI RMF is that it…

Executive summary

The NIST AI Risk Management Framework is the most influential AI governance instrument in the world that is not, technically, a regulation. That contradiction is where its actual significance lives.

The dominant narrative about the AI RMF is that it is a voluntary framework for managing AI risk. The description is accurate but loses the structural picture. NIST does not regulate. NIST publishes consensus-based technical standards that, once published, become the operational vocabulary of an entire ecosystem: federal agencies that procure AI, sector regulators that supervise it, courts that adjudicate disputes about it, and companies that need to demonstrate due care. The AI RMF is not voluntary in any meaningful operational sense for organisations that operate in regulated American sectors or sell AI to the U.S. federal government. It is voluntary in the same way the NIST Cybersecurity Framework was voluntary in 2014, which is to say: voluntary on paper, expected in practice, defaulted to in litigation.

The framework is built on a different conceptual model than the EU AI Act. The Act regulates products through conformity assessment. The RMF organises risk management through process functions. The Act asks: did you place a compliant product on the market? The RMF asks: do you have a defensible risk management process across the AI lifecycle? Both can produce similar artefacts, but they answer different legal questions. An organisation that adopts the AI RMF demonstrates a structured approach to AI risk that satisfies the duty of care expected by U.S. regulators. An organisation that achieves EU AI Act conformity demonstrates that a specific product meets specific legal requirements. The two are complementary, not equivalent.

The RMF organises everything around four functions: Govern, Map, Measure, Manage. These are not four sequential steps; they are four continuous activities that operate in parallel across the lifecycle. Govern establishes the organisational context. Map identifies the AI system, its purpose, its actors, and its risks. Measure analyses, evaluates, and tracks AI risks. Manage prioritises, responds to, and monitors those risks. Within these four functions, the framework defines 19 categories and 72 subcategories that operationalise the functions into specific outcomes.

The RMF is also explicitly designed to be a living document. NIST publishes companion resources — the Playbook, profiles for specific contexts, crosswalks to other frameworks — that extend the framework without changing its core. The Generative AI Profile published in July 2024 is the most important of these companion resources because it adds the risk dimensions that emerged after RMF 1.0 was finalised: hallucination, prompt injection, training data integrity, content provenance, and intellectual property exposure. The Critical Infrastructure Profile concept note from April 2026 is the second major extension, and the AI Agent Interoperability Profile planned for Q4 2026 will be the third.

What the RMF actually does, then, is not “manage AI risk” in the abstract. It establishes a structured, process-based language that allows organisations, regulators, courts, and counterparties to talk about AI risk using the same categories, the same evidence types, and the same expectations of due care. That common vocabulary is the operative function of the framework, and it explains why the RMF has become the de facto operational layer beneath multiple regulatory regimes including the EU AI Act.

Who it addresses. The AI RMF identifies a typology of “AI Actors” across the lifecycle, drawn from the OECD definition: organisations and individuals that play an active role in the AI system lifecycle. These include AI design actors, AI development actors, AI deployment actors, AI operations actors, test/evaluation/verification/validation (TEVV) actors, and human factors specialists. The framework is intentionally agnostic about organisational form: it applies to a startup of three engineers as readily as to a Fortune 500 corporation, to a federal agency as readily as to a private hospital network. What changes between contexts is the depth of implementation, not the applicability of the framework.

U.S. federal agencies that procure or use AI are required to align with NIST guidance under multiple Executive Orders and OMB memoranda, most recently OMB M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of AI) and the policies that succeeded EO 14110 after the change of administration in 2025. Federal contractors providing AI to government are increasingly required to demonstrate alignment with the RMF as part of procurement evaluation.

Sector regulators reference the RMF without making it binding. The Consumer Financial Protection Bureau cites it in supervisory expectations for credit decisioning. The Food and Drug Administration aligns its AI/ML medical device guidance with RMF concepts. The Equal Employment Opportunity Commission references RMF principles when evaluating algorithmic hiring tools under Title VII. The Federal Trade Commission has signalled that the RMF informs its enforcement posture under Section 5 of the FTC Act.

State legislators have started to incorporate the RMF more directly. The Colorado AI Act (SB 24-205), effective February 2026, requires deployers of high-risk AI systems to implement a risk management programme “that complies with the latest version of the artificial intelligence risk management framework published by the National Institute of Standards and Technology, or another nationally or internationally recognised risk management framework.” This drafting pattern — RMF as the named, default-acceptable framework — is being copied by other state bills under negotiation.

What it covers. The RMF applies to any AI system as defined in the OECD/NIST taxonomy: a machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs such as predictions, content, recommendations, or decisions that can influence real or virtual environments. The framework is intentionally use-case agnostic and sector-agnostic, but specific risks are addressed through the profiles. The GenAI Profile addresses risks specific to generative models. The Critical Infrastructure Profile addresses risks in operational technology and infrastructure contexts. The forthcoming Agent Profile will address risks specific to agentic systems.

Obligations

The AI RMF is not a system of legal obligations in the strict sense. It is a system of expected practices that operationalises a duty of care. Implementation is structured around the four core functions, each broken into categories and subcategories with associated outcomes.

GOVERN — Organisational risk culture

The GOVERN function establishes the organisational context within which AI risk management operates. It is the function that makes the other three possible because it defines authority, accountability, and resourcing. GOVERN has six categories covering legal and regulatory awareness, integration of trustworthy AI characteristics into policies, risk management process design, accountability structures, workforce diversity and competencies, and engagement with external actors. Outcomes include written AI risk management policies, defined roles and responsibilities (including the figure of an accountable executive), documented risk tolerance, and processes for incident reporting and post-deployment monitoring.

The critical insight of GOVERN is that AI risk cannot be managed without organisational structure. An organisation that deploys AI without clear ownership of risk decisions, without documented tolerance thresholds, and without escalation paths is not managing risk; it is hoping for the best. GOVERN exists to make that distinction operational and auditable.

MAP — Context establishment and risk identification

The MAP function establishes the context for individual AI systems and identifies the risks associated with them. It has five categories covering context (the system’s intended purpose, deployment setting, users, and impacts), categorisation of the AI system within the organisation’s portfolio, identification of capabilities and limitations, identification of risks and benefits, and characterisation of impacts on individuals, groups, communities, organisations, and society.

MAP is the function where most AI risk management programmes fail in execution. Organisations attempt to manage risk before they have established the context, and end up measuring the wrong things or managing risks that are not material while ignoring risks that are. A serious MAP exercise produces a documented system description, a stakeholder map, an impact analysis, and an enumeration of foreseeable risks ranked by likelihood and consequence. Without these artefacts, the MEASURE and MANAGE functions operate in the dark.

MEASURE — Quantitative and qualitative risk analysis

The MEASURE function analyses, evaluates, and tracks AI risks identified during MAP. It has four categories covering selection of measurement approaches, evaluation of trustworthy AI characteristics (validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy enhancement, fairness with harmful bias managed), tracking of identified and emergent risks, and feedback collection from relevant AI actors.

MEASURE is where the framework intersects most directly with technical AI evaluation. Bias audits, robustness testing, adversarial testing, explainability assessments, privacy impact analyses, and TEVV activities all live here. The trustworthy AI characteristics defined in the framework form the evaluation criteria. The challenge is that no single measurement approach captures all characteristics, and the state of the art for measuring some of them (particularly fairness in context-dependent applications) is still evolving. The framework is explicit about this limitation and instructs organisations to document the rationale for the measurement approaches they select.

MANAGE — Risk prioritisation, response, and monitoring

The MANAGE function prioritises identified and measured risks, allocates resources to risk response, monitors AI systems in deployment, and communicates with affected actors. It has four categories covering prioritisation based on impact and likelihood, treatment strategies (mitigate, transfer, avoid, accept), risk monitoring across the lifecycle, and continuous improvement through feedback loops.

MANAGE is the function that turns risk identification into operational decisions. It also covers the post-deployment monitoring obligations — incident detection, performance drift tracking, retraining triggers, end-of-life decisions — that are central to maintaining AI systems safely over time. The framework recognises that AI risk is not a one-time assessment problem; it is a continuous management problem.

The Generative AI Profile (NIST AI 600-1)

Published in July 2024, the Generative AI Profile extends the framework with 12 risks unique to or exacerbated by generative AI systems and approximately 200 suggested actions mapped to the four functions:

  1. CBRN information or capabilities — lowering barriers to chemical, biological, radiological, or nuclear weapons design.
  2. Confabulation — generation of false content presented as factual.
  3. Dangerous, violent, or hateful content — production of content that incites harm.
  4. Data privacy — leakage of personal information from training data or inference.
  5. Environmental impacts — energy consumption and emissions of training and inference.
  6. Harmful bias and homogenization — reinforcement of stereotypes and reduction of viewpoint diversity.
  7. Human-AI configuration — misalignment between human intent and system behaviour.
  8. Information integrity — erosion of authentic information through synthetic content.
  9. Information security — new attack surfaces and vulnerabilities introduced by generative systems.
  10. Intellectual property — infringement on copyrighted, trademarked, or licensed material.
  11. Obscene, degrading, or abusive content — generation of CSAM, NCII, or unlawful content.
  12. Value chain and component integration — risks introduced by upstream models, datasets, or tools.

The profile is the operational instrument that organisations actually use when deploying generative AI. Because it maps each risk back to GOVERN, MAP, MEASURE, MANAGE subcategories, it allows existing RMF implementations to absorb GenAI risks without restructuring.

The Critical Infrastructure Profile (concept note, April 2026)

NIST released the concept note on 7 April 2026. The profile, when finalised, will guide critical infrastructure operators on AI risk management practices when engaging AI-enabled capabilities in operational technology environments. Sectors in scope include energy, water, transportation, healthcare, financial services, and communications. The profile is expected to align with sector-specific cybersecurity frameworks (NERC CIP, TSA Security Directives, NIS2 in transatlantic deployments) and to address the operational technology dimension that RMF 1.0 does not specifically cover.

The AI Agent Interoperability Profile (planned Q4 2026)

NIST has indicated that an AI Agent Interoperability Profile is planned for release in Q4 2026, developed through the Center for AI Standards and Innovation (CAISI, formerly AISIC). The profile will address governance gaps specific to agentic AI systems: temporal gaps between agent action and human observation, distributed accountability across orchestrating and sub-agents, prompt injection through tool outputs, cross-session memory persistence, and tool-chain poisoning. The AI Agent Standards Initiative announced by CAISI in February 2026 frames this work.

Timeline / Implementation

The AI RMF has no statutory implementation calendar because it is not a statute. Its operational timeline is the publication and revision cadence of the framework and its companion resources:

  • 26 January 2023 — NIST AI 100-1 (AI RMF 1.0) published.
  • March 2023 — Trustworthy and Responsible AI Resource Centre launched, hosting the Playbook and use cases.
  • 26 July 2024 — NIST AI 600-1 (Generative AI Profile) published.
  • February 2026 — AI Agent Standards Initiative announced through CAISI.
  • April 2026 — Critical Infrastructure Profile concept note released.
  • Q4 2026 (planned) — AI Agent Interoperability Profile expected for release.
  • No later than 2028 — Formal community review of AI RMF 1.0, with potential RMF 2.0 release.

Organisations implementing the RMF should treat the publication of profiles as triggering events that require gap analysis. Each new profile expands the operational expectations for organisations operating in the relevant context, and procurement processes, audit programmes, and supervisory expectations adjust accordingly within months of publication.

How Zertia covers it

The RMF does not have an enforcement architecture in the regulatory sense because it is not law. It has an adoption architecture that operates through three channels: federal procurement, sector regulators, and private market expectations.

Federal procurement. OMB M-24-10 and successor policies require federal agencies to establish AI governance programmes, designate Chief AI Officers, and apply NIST guidance when procuring or operating AI systems with safety-impacting or rights-impacting effects. The General Services Administration incorporates RMF alignment requirements into AI procurement vehicles. The Department of Defense uses the RMF as a baseline reference within DoD-specific AI risk frameworks. For any organisation selling AI to the federal government, RMF alignment is no longer optional in practice.

Sector regulators. Banking regulators (CFPB, OCC, Federal Reserve), insurance regulators (state DOIs, NAIC), healthcare regulators (FDA, OCR), employment regulators (EEOC, DOL), and consumer protection regulators (FTC) cite the RMF in supervisory letters, enforcement actions, and guidance documents. The RMF does not become binding through these citations, but it does become the operational standard against which regulators evaluate organisational practice. An organisation that has not aligned with the RMF in a regulated sector is operating below the standard of care that regulators expect.

Private market expectations. Procurement teams at large enterprises increasingly require AI vendors to demonstrate RMF alignment as part of vendor due diligence. Cyber insurance underwriters reference the RMF in AI risk underwriting. Boards of directors expect management to articulate AI governance in RMF terms. Audit firms structure AI assurance engagements around RMF categories. The framework has become the lingua franca of enterprise AI governance in the United States.

The Center for AI Standards and Innovation (CAISI). CAISI, formerly the AI Safety Institute Consortium (AISIC), operates within NIST and is the locus of the framework’s continued evolution. CAISI develops profiles, conducts evaluations, runs the AI Agent Standards Initiative, and coordinates international engagement on AI standards. While CAISI does not enforce the RMF, it sets the agenda for what the framework will cover next.

Regulation you understand is regulation you can turn into competitive advantage.

Not sure if this framework applies to your organization? Talk to us.