NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework from the U.S. National Institute of Standards and Technology for managing AI system risks, built on four functions: Govern, Map, Measure, and Manage.
What is this document?
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework published on 26 January 2023 by the U.S. National Institute of Standards and Technology (NIST). It was developed through an 18-month consensus-driven, open, and transparent process in collaboration with more than 240 organisations from private industry, academia, civil society, and governments.
Although it is a U.S. framework, the NIST AI RMF is widely recognised and used globally, including in the European context as a complementary tool for managing AI system risks alongside the EU AI Act.
Key points
Four core functions
The NIST AI RMF operationalises risk management through four functions:
1. GOVERN
Establishes a culture of AI risk governance within the organisation. It is a cross-cutting function that applies to all phases of the AI lifecycle and encompasses:
- Organisational policies and procedures for AI risks
- Accountability and decision-making
- Organisational culture and risk awareness
- Third-party and supply chain management
2. MAP
Identifies the context in which the AI system operates and potential risks. It encompasses:
- Understanding the intended purpose and context of AI system use
- Identifying interested parties and potential impacts
- Mapping risks specific to the system and context
- Documenting assumptions and system limitations
3. MEASURE
Uses quantitative and qualitative methods for risk analysis and assessment:
- Metrics for AI risk assessment (bias, accuracy, reliability)
- AI system testing and evaluation
- Monitoring system performance in operational environments
- Assessing the effectiveness of mitigation measures
4. MANAGE
Defines and implements measures for risk mitigation and control:
- Risk treatment plans
- Risk communication to interested parties
- Continuous monitoring and updating of measures
- Incident response plans
Key characteristics of the framework
The NIST AI RMF is designed to be:
- Voluntary — Not a regulatory requirement, but a recommended framework
- Sector-neutral — Applicable to all industries
- Use-case independent — Flexible for different AI applications
- Rights-protective — Emphasises respect for fundamental rights and freedoms
- Scalable — Adaptable to organisations of all sizes
Accompanying documents
Alongside AI RMF 1.0, NIST has published a range of supporting resources:
- AI RMF Playbook — Practical guidance for implementing each function and subcategory
- AI RMF Roadmap — Plan for future framework development
- AI RMF Crosswalk — Mapping to other frameworks and standards
- AI RMF Perspectives — Additional perspectives and guidance
Generative AI Profile (AI 600-1)
On 26 July 2024, NIST published NIST AI 600-1 — Generative Artificial Intelligence Profile. This profile:
- Identifies unique risks of generative AI
- Proposes specific measures for managing generative AI risks
- Complements AI RMF 1.0 with focused guidance for the fastest-growing category of AI systems
How does it apply to organisations?
Relevance to the EU AI Act
Although the NIST AI RMF is not a European regulatory requirement, it provides practical value for organisations aligning with the EU AI Act:
| NIST AI RMF function | Connection to the EU AI Act |
|---|---|
| GOVERN | Art. 17 — Quality management system |
| MAP | Art. 9 — Risk identification; Art. 27 — Impact assessment |
| MEASURE | Art. 9 — Risk analysis; Art. 15 — Accuracy testing |
| MANAGE | Art. 9 — Risk mitigation; Art. 72 — Post-market monitoring |
Benefits of using the NIST AI RMF
- Global applicability — Helps organisations operating in both the EU and the U.S.
- Practicality — The Playbook provides concrete implementation steps
- Complementarity — Supplements ISO standards and European harmonised standards
- Flexibility — Adaptable to different organisational sizes and maturity levels
Practical implementation steps
- Maturity assessment — Evaluate the current level of AI risk management in the organisation
- Map functions — Map the four NIST functions to existing organisational processes
- GOVERN — Define AI policies, responsibilities, and decision-making processes
- MAP — Identify all AI systems, their context, and interested parties
- MEASURE — Establish metrics and procedures for measuring AI risks
- MANAGE — Implement mitigation measures and incident response plans
- Integrate — Link the NIST AI RMF with ISO 42001/23894 and EU AI Act requirements
Crosswalk with the EU AI Act
NIST has published a crosswalk document that maps AI RMF categories to the requirements of various regulations, including the EU AI Act. This is useful for organisations that need to simultaneously meet multiple regulatory requirements.
Relevant EU AI Act articles
| Article | Connection to NIST AI RMF |
|---|---|
| Art. 9 | Risk management system -> MAP + MEASURE + MANAGE |
| Art. 15 | Accuracy and robustness -> MEASURE metrics |
| Art. 17 | Quality management system -> GOVERN |
| Art. 27 | Fundamental rights impact assessment -> MAP |
| Art. 72 | Post-market monitoring -> MANAGE continuous monitoring |
Source documents
- NIST AI RMF: AI Risk Management Framework
- NIST AI RMF document (PDF): NIST AI 100-1
- Generative AI Profile: NIST AI 600-1
- NIST AI Resource Center: AI RMF Resources