The NIST AI Risk Management Framework
A practical overview of the framework guiding responsible AI development and deployment — what it is, why it was created, and how organizations use it to govern AI risk.
What Is the NIST AI RMF?
The NIST AI Risk Management Framework (AI RMF) is a voluntary guidance document published by the National Institute of Standards and Technology in January 2023. It provides organizations with a structured, flexible approach to identifying, assessing, and managing the risks that AI systems create, including harms to individuals, organizations, and society, while preserving the benefits AI can deliver.
Unlike compliance checklists, the AI RMF does not prescribe specific controls. Instead, it gives organizations a common language and structured methodology for thinking about AI risk that scales across system types, sectors, and organizational sizes. It is designed to work alongside existing risk management practices, not replace them.
The framework was developed through an extensive public-private collaboration process involving thousands of comments, workshops, and iterative drafts. That breadth is why it is broadly applicable and not specific to any single technology, vendor, or sector.
Why Was It Created?
The Problem AI Poses
AI systems introduce a category of risk that existing frameworks were not designed to handle. Unlike traditional software, AI systems can produce unexpected outputs, exhibit biased behavior, degrade over time as the world changes, and make or influence consequential decisions in ways that are difficult to explain or audit. The harms are not always immediate or obvious, and responsibility is often distributed across developers, deployers, and users.
Before the AI RMF, organizations faced a fragmented landscape: no shared terminology, no consistent structure for AI-specific risk, and no bridge between technical AI safety considerations and enterprise risk management.
What Initiated It
The AI RMF was developed in response to the National AI Initiative Act of 2020, which directed NIST to develop a framework for managing the risks and opportunities of AI. The work predates and independently parallels the 2023 Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, which later directed federal agencies to use the AI RMF and referenced it as the foundation for U.S. government AI governance standards.
What It Addresses
The AI RMF is designed to help organizations:
- Identify and categorize AI-related risks before and after deployment
- Apply appropriate governance structures and accountability mechanisms
- Measure and test AI systems against trustworthiness criteria
- Respond to AI risks and manage them throughout the AI lifecycle
- Communicate about AI risk in a common language across technical and business stakeholders
The Four Core Functions
The actionable core of the AI RMF is organized into four functions that together cover the full lifecycle of responsible AI governance, from initial context-setting through active management and response:
- GOVERN: Establishes the policies, processes, roles, and accountability structures that enable responsible AI risk management across the organization. GOVERN is foundational. Without it, the other three functions have no organizational home. It covers executive ownership, approval workflows, staff training, vendor management, and human oversight policies.
- MAP: Identifies and categorizes AI risks in context. MAP frames the risk landscape by clarifying who is affected, what harms are possible, how consequential those harms are, and what the broader organizational and societal context looks like. It is the function that connects technical AI characteristics to real-world impact.
- MEASURE: Applies quantitative and qualitative methods to assess, analyze, and track AI risks. MEASURE covers testing and evaluation: performance metrics, bias analysis, adversarial testing, go/no-go criteria, and ongoing monitoring after deployment. It is the function that turns risk identification into documented evidence.
- MANAGE: Prioritizes and addresses identified AI risks through treatment, response, and recovery activities. MANAGE closes the loop. It covers what organizations do when they find a problem: incident response, risk treatment decisions, vendor controls, and human-in-the-loop oversight mechanisms.
Key design principle: GOVERN sits at the center and enables MAP, MEASURE, and MANAGE. An organization cannot MAP its AI risks without governance structures that define who is responsible for doing so, and cannot MANAGE them without knowing which risks have been MEASURED and prioritized.
Trustworthy AI: The Foundation
The AI RMF is built on the concept of trustworthy AI — the idea that AI systems should demonstrate a set of characteristics that make them worthy of the trust placed in them by users, operators, and affected parties. These characteristics are not independent: a system can be accurate but not fair, or transparent but not secure.
The DMS AI Governance Assessment evaluates your organization across all eight of these dimensions. The resulting policies address the gaps specific to your system and context.
Who Maintains It?
The National Institute of Standards and Technology
The AI RMF is developed and maintained by NIST, a non-regulatory federal agency within the U.S. Department of Commerce. NIST has no enforcement authority and the framework is entirely voluntary, but its standards carry significant weight because of NIST's technical credibility, its history of developing widely adopted security and measurement standards, and the rigorous, transparent process by which its guidance is developed.
NIST published the AI RMF alongside a companion document, the AI RMF Playbook, which provides more detailed practices and actions for each function. NIST also maintains an online AI RMF Resource Center with sector-specific profiles, use-case guidance, and supplementary materials.
AI RMF 1.0 and What Comes Next
- AI RMF 1.0 (January 2023): The foundational framework, establishing the four-function structure and trustworthy AI characteristics. Developed with input from over 200 technical reviewers and a public review process that drew 400+ comments.
- Generative AI Profile (July 2024): NIST published NIST AI 600-1, a companion profile specifically addressing the unique risks of generative AI systems: hallucinations, data provenance, misuse, and novel attack surfaces. Organizations using generative AI tools should consult this alongside AI RMF 1.0.
- AI RMF 2.0 (anticipated): NIST has indicated plans to update the core framework as the field matures, incorporating lessons from early adoption and emerging regulatory alignment needs.
The Regulatory Context
United States
The AI RMF is voluntary but is rapidly becoming the de facto standard for U.S. AI governance. Federal agencies are directed to implement the framework under multiple executive orders and OMB policies. A growing number of state laws reference AI risk assessments and impact assessments without specifying a particular framework. The AI RMF is the most credible voluntary standard available to satisfy those requirements.
State laws with AI governance implications include the Colorado AI Act (effective 2026), the Illinois Artificial Intelligence Video Interview Act, the Texas AI in Healthcare law, and many others at various stages of enactment. These laws share a common thread: organizations that can demonstrate systematic AI risk management are better positioned to demonstrate compliance, and the AI RMF is designed precisely to support that.
International
The EU AI Act (Regulation (EU) 2024/1689), which began phased enforcement in 2024, requires conformity assessments, risk management systems, and post-market monitoring for AI systems classified as high-risk. While the EU AI Act has its own risk classification structure, the AI RMF's approach to documenting risk management, testing, and human oversight maps closely to what the EU Act requires. Organizations subject to both frameworks can use AI RMF implementation as the organizational foundation for EU AI Act compliance.
The GDPR intersects with AI governance wherever AI systems process personal data. Data minimization, purpose limitation, automated decision-making rights, and privacy impact assessments all appear in both GDPR requirements and the AI RMF's MAP and MANAGE functions.
Why Voluntary Frameworks Matter
Voluntary frameworks like the AI RMF serve a different purpose than mandatory regulations. They allow organizations to build the internal practices, culture, and documentation that make compliance with future regulations achievable. Organizations that implement the AI RMF now are building the accountability structures, testing processes, and governance policies that regulation will eventually require. Waiting for regulation to arrive means building under pressure rather than building deliberately.
Who Should Use It?
Any Organization That Deploys AI
The AI RMF explicitly addresses three distinct audiences: AI developers who build systems, AI deployers who put systems into use, and AI operators who use systems to affect their customers or employees. Most organizations that use commercial AI tools, including off-the-shelf generative AI assistants, are deployers and operators with governance responsibilities under the framework even when they did not build the underlying system.
This is an important distinction. An organization using a third-party AI product for hiring decisions, customer service, or employee performance evaluation is responsible for the AI risk that deployment creates, not just the vendor. The AI RMF's GOVERN function makes this responsibility explicit.
Small and Mid-Sized Organizations
The AI RMF is designed to scale down. It does not require a dedicated AI safety team, enterprise-grade tooling, or large compliance budgets. The framework is outcome-oriented — organizations choose the depth of implementation appropriate to their risk level, available resources, and maturity. A small organization using a low-risk internal AI tool has different governance requirements than a healthcare organization using AI for clinical decision support.
The DMS AI Governance Assessment translates this scalability into practice: the risk tier, scoring, and governance package are calibrated to your organization's actual context, not to a hypothetical enterprise with unlimited compliance resources.
Common Misconceptions
"We're too small to need this"
The AI RMF was explicitly designed to be applicable to organizations of any size. The relevant question is not organizational size but the risk level of the AI system being deployed. A small organization using AI to make or influence employment decisions, handle sensitive personal data, or affect customers' access to services has real governance obligations regardless of headcount.
"Our vendor handles AI risk, not us"
Vendors manage risk within the products they build. As the deployer, your organization manages the risk created by how you use those products: the contexts you deploy them in, the people they affect, and the oversight you provide or fail to provide. The AI RMF makes this deployer responsibility explicit. The vendor risk questionnaire artifact in the governance package is designed to document what your vendor is responsible for and what remains your responsibility.
"We just need policies, not a full framework"
Policies without risk assessment are frameworks without foundations. The AI RMF's value is that it connects policies to the specific risks of specific systems in specific contexts. Generic AI policies that were not derived from a structured risk assessment tend to be aspirational rather than operational, and provide less assurance to regulators, auditors, and stakeholders than policies grounded in documented analysis.
Further Resources
All of these resources are published by NIST and available at no cost.
- NIST AI RMF 1.0 (NIST AI 100-1) — The core framework document, January 2023. The authoritative source for the four-function structure and trustworthy AI characteristics.
- AI RMF Playbook — Companion document providing suggested actions and informative references for each of the four functions. Practical implementation guidance.
- NIST AI 600-1: Generative AI Profile — Published July 2024. Addresses the specific risks of generative AI: hallucinations, data provenance, misuse, and novel attack surfaces.
- AI RMF Resource Center (airc.nist.gov) — The central hub for AI RMF resources: sector profiles, use-case guidance, implementation examples, and community contributions.