Glossary · Frameworks & standards
What is NIST AI RMF?
Also known as: AI Risk Management Framework, NIST AI 100-1, AI RMF 1.0
NIST AI RMF (AI Risk Management Framework) is a voluntary US framework published by the National Institute of Standards and Technology to help organizations identify, measure, and manage the risks of designing, developing, and deploying AI systems. It is organized around four functions: Govern, Map, Measure, and Manage.
Key takeaways
- Voluntary, non-regulatory framework from NIST intended for any organization building or using AI.
- Built around four core functions: Govern, Map, Measure, and Manage.
- Aims to make AI systems more trustworthy across qualities like validity, safety, fairness, transparency, and accountability.
- Pairs naturally with the certifiable ISO 42001 AI management system and the regulatory EU AI Act.
- Supported by a companion Playbook and the Generative AI Profile for LLM-specific risks.
What problem does the NIST AI RMF solve?
AI systems introduce risks that traditional security and software controls do not fully address, including bias, harmful outputs, model drift, and opaque decision-making. The NIST AI RMF gives organizations a structured, common vocabulary and process to reason about these risks across the AI lifecycle, from data collection and design through deployment and decommissioning.
Because it is voluntary and sector-agnostic, the framework is widely used as a baseline for responsible AI programs even where no specific law applies. It emphasizes context: the same model can carry very different risks depending on how and where it is used.
Organizations often adopt the AI RMF alongside a formal AIMS to turn its guidance into auditable, repeatable governance.
What are the four functions of the AI RMF?
The framework's core is organized into four functions, each broken into categories and subcategories of outcomes:
- Govern — cultivate a culture of risk management with policies, roles, accountability, and oversight that cut across the other functions.
- Map — establish the context, intended purpose, and potential impacts of an AI system so risks can be framed accurately.
- Measure — analyze, assess, and track AI risks using quantitative and qualitative methods and trustworthiness metrics.
- Manage — prioritize and act on risks, allocating resources to treat, monitor, and respond to them over time.
Govern is treated as continuous and foundational, while Map, Measure, and Manage are applied iteratively throughout the AI lifecycle.
How does it relate to ISO 42001 and the EU AI Act?
The AI RMF describes outcomes and practices but is not certifiable. ISO 42001 provides a certifiable management-system standard that can operationalize many of the same governance goals, while the EU AI Act imposes binding legal obligations for higher-risk AI in the EU market.
Many organizations use the AI RMF as the conceptual backbone, ISO 42001 as the auditable framework, and the EU AI Act as the compliance obligation, mapping controls across all three to avoid duplicated effort.
A combined platform like CATAAM can both govern AI under these frameworks and attack-test AI systems via BAS in one place.
Frequently asked questions
- Is the NIST AI RMF mandatory?
- No. It is a voluntary framework with no legal force on its own, though it is frequently referenced as a benchmark and may be required contractually or by certain US agency guidance.
- Who publishes and maintains it?
- The US National Institute of Standards and Technology (NIST) publishes and maintains it, with a companion Playbook and profiles such as the Generative AI Profile.
- Does the AI RMF cover generative AI specifically?
- Yes. NIST released a Generative AI Profile that applies the four functions to risks unique to large language models and other generative systems.
- Can you get certified against the NIST AI RMF?
- Not directly, since it is not a certifiable standard. Organizations wanting certification typically pursue ISO 42001 while using the AI RMF to shape their controls.