AI Trust OS Blog · Frameworks · 2026-04-08 · 8 min read

NIST AI RMF Implementation Guide: Govern, Map, Measure, Manage

The NIST AI Risk Management Framework provides a structured approach to trustworthy AI. This guide walks through all four core functions and how to implement them.

The NIST AI Risk Management Framework (AI RMF 1.0) was published by the National Institute of Standards and Technology in January 2023. It provides voluntary guidance for organisations to manage risks associated with AI systems throughout their lifecycle. Unlike the EU AI Act, it is not legislation — but it is rapidly becoming the de facto AI governance standard for US federal agencies, defence contractors, and regulated industries.

Why NIST AI RMF Matters

US federal agencies are required to align AI governance with NIST AI RMF under OMB guidance. Many defence contractors and critical infrastructure operators face similar requirements. Beyond government, enterprise procurement teams are beginning to ask vendors to evidence NIST AI RMF alignment — particularly for AI systems that touch sensitive data or automated decisions.

The Framework Structure

NIST AI RMF is organised around four core functions. These are not sequential steps — they operate simultaneously across the AI lifecycle.

GOVERN

Govern establishes the organisational foundation for AI risk management. It is the function most organisations implement last but should implement first.

Key activities:

  • Define organisational values and risk tolerance for AI
  • Establish AI governance roles and accountability structures
  • Develop AI-specific policies, processes, and procedures
  • Build a culture of AI risk awareness across all teams
  • Engage external stakeholders on AI impacts and risks

MAP

Map involves identifying and categorising AI risks in context. This is where you assess what could go wrong with a specific AI system in its specific deployment environment.

Key activities:

  • Define the AI system's intended purpose, capabilities, and limitations
  • Identify affected stakeholders and use contexts
  • Categorise risks: technical (accuracy, robustness), societal (bias, privacy), operational (reliability, security)
  • Assess AI trustworthiness characteristics: valid, reliable, safe, secure, explainable, privacy-enhanced, fair, accountable

MEASURE

Measure involves quantifying AI risks using metrics, benchmarks, and evaluation methods. Many organisations find this the hardest function because AI risks are notoriously difficult to measure.

Key activities:

  • Select and apply evaluation metrics appropriate to the AI context
  • Test for bias, fairness, and performance across demographic groups
  • Conduct adversarial testing (red-teaming) for high-risk systems
  • Establish ongoing monitoring to detect performance drift
  • Document measurement results as evidence

MANAGE

Manage involves responding to identified AI risks — deciding which to accept, mitigate, transfer, or avoid.

Key activities:

  • Prioritise risks based on likelihood and impact
  • Implement risk mitigations (technical controls, process changes, human oversight)
  • Establish incident response procedures for AI failures
  • Track residual risks and mitigation effectiveness over time
  • Decide whether to deploy, restrict, or decommission based on risk posture

NIST AI RMF vs ISO 42001

NIST AI RMF is a framework — guidance for thinking about AI risk. ISO 42001 is a certifiable standard — a set of requirements you can be audited against. They are complementary. Many organisations use NIST AI RMF as their operational methodology while pursuing ISO 42001 certification as their external proof point. The two frameworks have significant conceptual overlap, making dual implementation efficient.
