What Is the NIST AI Risk Management Framework?
Published in January 2023 by the US National Institute of Standards and Technology, the AI RMF is the most widely adopted voluntary AI governance framework globally — used by organisations in every sector and jurisdiction.
The Four Core Functions
GOVERN
Establish AI risk management culture, policies, processes, and accountability structures across the organisation.
MAP
Identify and categorise AI risks — context, stakeholders, potential harms, and applicable regulations.
MEASURE
Assess the magnitude of identified AI risks through quantitative and qualitative methods including bias testing.
MANAGE
Treat AI risks through controls, monitoring, incident response, and continuous improvement.
Key facts about the NIST AI RMF
Is it mandatory?
No — it is voluntary. But it is increasingly expected by US federal procurement requirements, referenced in sector regulator guidance, and used as the basis for EU AI Act conformity assessments.
Who should use it?
Any organisation developing, deploying, or using AI. It applies regardless of organisation size, sector, or geography — it was designed to be adaptable to diverse contexts.
How does it relate to ISO 42001?
NIST AI RMF provides the operational methodology; ISO 42001 provides the certifiable management system structure. Most organisations use both — NIST for implementation, ISO 42001 for certification.
How does it relate to the EU AI Act?
The NIST AI RMF is not a compliance tool for the EU AI Act, but its documentation practices and risk assessment methodology substantially address the EU AI Act's technical documentation and risk management requirements.