NIST AI RMF
Voluntary framework to manage AI risks across Govern, Map, Measure, Manage functions.
- Audience: Organizations of any size deploying AI.
- Unit of analysis: Organizational AI risk management practice.
- Lifecycle coverage: Full lifecycle.
- Outputs: Risk management practice; profiles.
- Strengths: Operational, lifecycle-aware, widely adopted.
- Cautions: Voluntary; does not prescribe specific controls.
- Jurisdictional scope: United States; widely adopted globally.
- Evidentiary weight: Voluntary; referenced in OMB M-24-10 and several state laws as a reasonable practice baseline.
- Cost to adopt: Low to moderate — process-based, scales with organization maturity.
- Certification path: No certification; NIST publishes profiles (e.g., GenAI Profile) and a companion Playbook.
Released January 2023 after 18 months of public consultation. Generative AI Profile released July 2024.
NIST AI Risk Management Framework
Indexed at the structural level. Excerpts are quoted under fair use; full text is linked, not rehosted.
Functions (4)
- GOVERN (framing, deployment, monitoring, retired)
Govern
“Cultivate a culture of risk management. Policies, processes, accountability structures, and workforce diversity for AI risks.”
- MAP (framing, data, model)
Map
“Establish context to frame risks. Categorize the AI system; identify intended purposes and potential harms.”
- MEASURE (model, deployment, monitoring)
Measure
“Use quantitative, qualitative, and mixed-method tools to analyze, assess, benchmark, and monitor AI risks and impacts.”
- MANAGE (deployment, monitoring, retired)
Manage
“Allocate resources to mapped and measured risks on a regular basis and as defined by the Govern function.”
Categories (10)
- GOVERN / GOVERN 1 (framing, deployment)
Policies, processes, procedures
“Policies, processes, and procedures to manage AI risks are in place, transparent, and implemented effectively.”
- GOVERN / GOVERN 2 (framing, deployment)
Accountability structures
“Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks.”
- GOVERN / GOVERN 3 (framing)
Workforce diversity, equity, inclusion
“Workforce diversity, equity, inclusion, and accessibility processes are prioritized in mapping, measuring, and managing AI risks.”
- GOVERN / GOVERN 5 (framing, monitoring)
Engagement with AI actors
“Processes are in place for robust engagement with relevant AI actors, including affected communities.”
- MAP / MAP 1 (framing)
Context is established
“Context is established and understood; intended purposes, potentially beneficial uses, and harmful uses are defined.”
- MAP / MAP 3 (framing, model)
Capabilities and limitations
“AI capabilities, targeted usage, goals, and expected benefits and costs are examined.”
- MAP / MAP 5 (framing, monitoring)
Impacts on individuals & society
“Impacts to individuals, groups, communities, organizations, and society are characterized.”
- MEASURE / MEASURE 2 (model, monitoring)
Trustworthiness characteristics
“AI systems are evaluated for trustworthy characteristics: validity & reliability, safety, security & resilience, accountability & transparency, explainability & interpretability, privacy, and fairness with bias managed.”
- MANAGE / MANAGE 1 (deployment, monitoring)
Risk responses planned
“AI risks based on assessments and other analytical output from the MAP and MEASURE functions are prioritized, responded to, and managed.”
- MANAGE / MANAGE 4 (monitoring, retired)
Continual monitoring & improvement
“Risk treatments, including response and recovery, and communication plans for the identified and measured AI risks are documented and monitored regularly.”
Subcategories (6)
- GOVERN 1 / GOVERN 1.1 (framing)
Legal and regulatory requirements
“Legal and regulatory requirements involving AI are understood, managed, and documented.”
- GOVERN 1 / GOVERN 1.5 (monitoring)
Ongoing monitoring and review
“Ongoing monitoring and periodic review of the risk management process are planned and resourced.”
- MAP 1 / MAP 1.1 (framing)
Mission and goals
“Intended purposes, potential beneficial uses, context-specific laws, norms, and expectations are understood and documented.”
- MEASURE 2 / MEASURE 2.7 (model, deployment, monitoring)
Security and resilience evaluated
“AI system security and resilience — as identified in MAP — are evaluated and documented.”
- MEASURE 2 / MEASURE 2.11 (model, monitoring)
Fairness and bias evaluated
“Fairness and bias — as identified in MAP — are evaluated and results documented.”
- MEASURE 2 / MEASURE 2.12 (model, deployment)
Environmental impact evaluated
“Environmental impact and sustainability of AI model training and management activities are assessed and documented.”
Controls (1)
- GOVERN 1 / GOVERN 1.4 (framing, deployment)
Risk management roles & accountability
“Processes for risk management are in place and documented; roles and lines of communication are clear and accountable.”