
What Is the NIST AI Risk Management Framework?

Published in January 2023 by the US National Institute of Standards and Technology, the AI RMF is the most widely adopted voluntary AI governance framework globally, used by organisations in every sector and jurisdiction.

Definition

The NIST AI Risk Management Framework is a voluntary, sector-agnostic framework published by the US National Institute of Standards and Technology that organises AI risk management around four functions: Govern, Map, Measure, and Manage.

The NIST AI RMF is the most widely adopted AI risk framework in the US enterprise market. Unlike the EU AI Act, it is not law: it is reference guidance. The Govern function is foundational and addresses organisational accountability for AI risk; the other three functions are operational. NIST has also published companion profiles for generative AI (NIST AI 600-1) and other high-risk contexts.

Source: NIST AI Risk Management Framework 1.0 (January 2023)

The Four Core Functions

GOVERN

Establish AI risk management culture, policies, processes, and accountability structures across the organisation.

MAP

Identify and categorise AI risks, context, stakeholders, potential harms, and applicable regulations.

MEASURE

Assess the magnitude of identified AI risks through quantitative and qualitative methods including bias testing.

MANAGE

Treat AI risks through controls, monitoring, incident response, and continuous improvement.

Key facts about the NIST AI RMF

Is it mandatory?
No, it is voluntary. But it is increasingly expected by US federal procurement requirements, referenced in sector regulator guidance, and used as the basis for EU AI Act conformity assessments.
Who should use it?
Any organisation developing, deploying, or using AI. It applies regardless of organisation size, sector, or geography; it was designed to be adaptable to diverse contexts.
How does it relate to ISO 42001?
The NIST AI RMF provides the operational methodology; ISO 42001 provides the certifiable management system structure. Most organisations use both: NIST for implementation, ISO 42001 for certification.
How does it relate to the EU AI Act?
The NIST AI RMF is not a compliance tool for the EU AI Act, but its documentation practices and risk assessment methodology substantially address the EU AI Act's technical documentation and risk management requirements.