AIRiskAware


Frameworks 11 min read 2026

What Is the NIST AI Risk Management Framework? The Complete Enterprise Guide

The NIST AI Risk Management Framework (AI RMF 1.0) is the most widely adopted AI governance framework in the world. This is the definitive guide to what it covers, how it works, and how to implement it in your organisation.


Key Takeaways

  • NIST AI RMF 1.0 was published in January 2023 and is the primary voluntary AI governance framework in the US — increasingly expected by US federal procurement, referenced in sector regulator guidance, and used globally as the operational backbone for AI governance programmes.

  • The AI RMF is structured around four functions: Govern (AI governance culture and structure), Map (AI risk identification and categorisation), Measure (AI risk assessment), and Manage (AI risk treatment and monitoring). These are not sequential steps — they operate continuously and simultaneously.

  • The NIST AI RMF Playbook, published alongside the framework, provides specific suggested actions for each subcategory — it is the operational implementation guide that most practitioners use rather than the framework document itself.

  • NIST has published sector-specific AI RMF Profiles for financial services, healthcare, and other sectors — these translate the general framework into domain-specific implementation guidance that is more immediately actionable than the generic framework.

  • The AI RMF is complementary to ISO 42001, not a competitor — organisations typically use NIST AI RMF as the operational methodology (how to do AI risk management) and ISO 42001 as the management system standard (the organisational structure and evidence requirements for certification).

"For reference only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified professional."

What the NIST AI RMF actually is

The NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0) is a voluntary framework developed by the US National Institute of Standards and Technology through a multi-year, multi-stakeholder process and published in January 2023. It is not a regulation, not a law, and not a certification standard — it is a structured guide to understanding and managing AI risk in organisational contexts. Its voluntary character means organisations are not required to follow it. In practice, it has become the default reference framework for US organisations implementing AI governance, and its influence extends globally.

The AI RMF has achieved the adoption it has because it addresses the practical challenge most AI governance programmes face: translating abstract governance principles into operational practices that specific people with specific roles can implement in specific AI contexts. The Playbook, which accompanies the framework, provides hundreds of specific suggested actions mapped to the framework's categories and subcategories — giving AI governance practitioners a starting point for almost every aspect of implementation.

The Govern function

Govern is the foundational AI RMF function — it addresses the organisational policies, processes, structures, roles, and culture that make AI risk management possible. Without the Govern function, the other three functions have no organisational foundation to operate from. Govern includes: establishing an AI governance policy, defining roles and responsibilities for AI risk management, creating processes for AI system review and approval, building AI literacy and training programmes, and fostering an organisational culture that takes AI risk seriously.

The Govern function is where most AI governance programmes underinvest. It is easier to document AI inventory (Map) or run bias tests (Measure) than to build the governance culture and structures that make those activities sustainable. Organisations whose AI governance consists primarily of Map and Measure activities without adequate Govern infrastructure consistently fail to sustain their governance programmes through leadership changes, organisational restructuring, and the pace of AI development.

Map, Measure, Manage: the operational core

Map identifies and categorises AI risks. It begins with context establishment — understanding the AI system's purpose, the stakeholders affected, the deployment environment, and the relevant regulations and standards. It then identifies risks — the ways the AI system could fail to achieve its intended purpose or could cause unintended harm. Map outputs feed into Measure (assessing the magnitude of identified risks) and Manage (treating risks through controls and monitoring).

Measure assesses identified risks with enough precision to support prioritisation and control design. AI risk measurement is harder than traditional risk measurement because AI risks are often probabilistic, contextual, and dependent on factors that change over time. The AI RMF Measure function includes specific subcategories for bias and fairness assessment, explainability assessment, robustness and reliability assessment, and privacy risk assessment — each requiring different measurement methodologies.

Manage treats measured risks through the design and implementation of controls, and monitors those controls for effectiveness over time. The Manage function is where risk treatment plans are developed, controls are implemented and assigned to owners, residual risk is assessed, and ongoing monitoring activities are designed and executed.