Lattice
Workspace
All frameworks
U.S. National Institute of Standards and Technology

NIST AI RMF

Voluntary framework to manage AI risks across Govern, Map, Measure, Manage functions.

Audience
Organizations of any size deploying AI.
Unit of analysis
Organizational AI risk management practice.
Lifecycle coverage
Full lifecycle.
Outputs
Risk management practice; profiles.
Strengths
Operational, lifecycle-aware, widely adopted.
Cautions
Voluntary; does not prescribe specific controls.
Jurisdictional scope
United States; widely adopted globally.
Evidentiary weight
Voluntary; referenced in OMB M-24-10 and several state laws as a reasonable practice baseline.
Cost to adopt
Low to moderate — process-based, scales with organization maturity.
Certification path
No certification; NIST publishes profiles (e.g., GenAI Profile) and a companion Playbook.
History

Released January 2023 after 18 months of public consultation. Generative AI Profile released July 2024.

Items
21
Stages
6
Cross-links
13
Version: 1.0 + Generative AI Profile (NIST AI 600-1)Last reviewed: 2026-04-30

NIST AI Risk Management Framework

Indexed at the structural level. Excerpts are quoted under fair-use; full text is linked, not rehosted.

Functions04

  • GOVERNframingdeploymentmonitoringretired

    Govern

    Cultivate a culture of risk management. Policies, processes, accountability structures, and workforce diversity for AI risks.

    AI RMF 1.0, Function: GovernView sourceItem detail & relationships
  • MAPframingdatamodel

    Map

    Establish context to frame risks. Categorize the AI system; identify intended purposes and potential harms.

  • MEASUREmodeldeploymentmonitoring

    Measure

    Use quantitative, qualitative, and mixed-method tools to analyze, assess, benchmark, and monitor AI risks and impacts.

    AI RMF 1.0, Function: MeasureView sourceItem detail & relationships
  • MANAGEdeploymentmonitoringretired

    Manage

    Allocate resources to mapped and measured risks on a regular basis and as defined by the Govern function.

    AI RMF 1.0, Function: ManageView sourceItem detail & relationships

Categories10

  • GOVERNGOVERN 1framingdeployment

    Policies, processes, procedures

    Policies, processes, and procedures to manage AI risks are in place, transparent, and implemented effectively.

  • GOVERNGOVERN 2framingdeployment

    Accountability structures

    Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks.

  • GOVERNGOVERN 3framing

    Workforce diversity, equity, inclusion

    Workforce diversity, equity, inclusion, and accessibility processes are prioritized in mapping, measuring, and managing AI risks.

  • GOVERNGOVERN 5framingmonitoring

    Engagement with AI actors

    Processes are in place for robust engagement with relevant AI actors, including affected communities.

  • MAPMAP 1framing

    Context is established

    Context is established and understood; intended purposes, potentially beneficial uses, and harmful uses are defined.

  • MAPMAP 3framingmodel

    Capabilities and limitations

    AI capabilities, targeted usage, goals, and expected benefits and costs are examined.

  • MAPMAP 5framingmonitoring

    Impacts on individuals & society

    Impacts to individuals, groups, communities, organizations, and society are characterized.

  • MEASUREMEASURE 2modelmonitoring

    Trustworthiness characteristics

    AI systems are evaluated for trustworthy characteristics: validity & reliability, safety, security & resilience, accountability & transparency, explainability & interpretability, privacy, and fairness with bias managed.

  • MANAGEMANAGE 1deploymentmonitoring

    Risk responses planned

    AI risks based on assessments and other analytical output from the MAP and MEASURE functions are prioritized, responded to, and managed.

  • MANAGEMANAGE 4monitoringretired

    Continual monitoring & improvement

    Risk treatments, including response and recovery, and communication plans for the identified and measured AI risks are documented and monitored regularly.

Subcategories06

  • GOVERN 1GOVERN 1.1framing

    Legal and regulatory requirements

    Legal and regulatory requirements involving AI are understood, managed, and documented.

  • GOVERN 1GOVERN 1.5monitoring

    Ongoing monitoring and review

    Ongoing monitoring and periodic review of the risk management process are planned and resourced.

  • MAP 1MAP 1.1framing

    Mission and goals

    Intended purposes, potential beneficial uses, context-specific laws, norms, and expectations are understood and documented.

  • MEASURE 2MEASURE 2.7modeldeploymentmonitoring

    Security and resilience evaluated

    AI system security and resilience — as identified in MAP — are evaluated and documented.

  • MEASURE 2MEASURE 2.11modelmonitoring

    Fairness and bias evaluated

    Fairness and bias — as identified in MAP — are evaluated and results documented.

  • MEASURE 2MEASURE 2.12modeldeployment

    Environmental impact evaluated

    Environmental impact and sustainability of AI model training and management activities are assessed and documented.

Controls01

  • GOVERN 1GOVERN 1.4framingdeployment

    Risk management roles & accountability

    Processes for risk management are in place and documented; roles and lines of communication are clear and accountable.

Command palette

Search frameworks, systems, glossary, and pages