
NIST AI Risk Management Framework: The Guide Nobody Reads But Everyone Should

5 min read · 931 words · Updated Mar 26, 2026

The NIST AI Risk Management Framework (AI RMF 1.0) is one of those documents that everyone in AI governance references but few people have actually read. That’s a problem, because it’s genuinely useful — and increasingly relevant as AI regulation tightens globally.

What It Is

The AI RMF is a voluntary framework published by the National Institute of Standards and Technology (NIST) in January 2023. It provides guidance for managing risks associated with AI systems throughout their lifecycle — from design and development to deployment and monitoring.

Unlike the EU AI Act (which is law), the AI RMF is voluntary. Nobody is required to follow it. But it’s becoming the de facto standard for AI risk management in the US, and it’s influencing regulatory approaches worldwide.

Why It Matters Now

Several developments have made the AI RMF more relevant than ever:

Regulatory references. US federal agencies and state legislatures are increasingly referencing the AI RMF in their guidance and legislation. If you’re trying to comply with AI regulations in the US, the AI RMF is your starting point.

EU AI Act alignment. Companies operating in both the US and EU are using the AI RMF as a bridge between American and European approaches. The framework’s risk-based approach is conceptually similar to the EU AI Act’s risk classification system.

Industry adoption. Major companies — Microsoft, Google, IBM, and others — have publicly adopted the AI RMF or incorporated its principles into their AI governance programs. This creates a de facto standard that other companies follow.

Insurance and liability. As AI liability becomes a bigger concern, demonstrating compliance with recognized frameworks like the AI RMF can help companies manage legal risk. It’s not a legal shield, but it shows due diligence.

The Framework Structure

The AI RMF is organized around four core functions:

GOVERN. Establish organizational structures, policies, and processes for AI risk management. This includes defining roles and responsibilities, creating governance boards, and establishing risk tolerance levels. NIST treats GOVERN as a cross-cutting function: it is the foundation that the other three functions build on and feed back into.

MAP. Identify and understand the context in which AI systems operate. This means understanding who uses the system, what decisions it influences, what data it uses, and what risks it poses. Mapping is about knowing what you’re dealing with before you try to manage it.

MEASURE. Assess and quantify AI risks using appropriate metrics and methods. This includes testing for harmful bias, evaluating accuracy and reliability, measuring robustness, and assessing security vulnerabilities, tracked against the framework's trustworthiness characteristics (valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed). Measurement turns abstract risks into concrete data points.

MANAGE. Implement controls to address identified risks. This includes technical controls (like bias mitigation), operational controls (like human oversight), and organizational controls (like incident response procedures). Management is where risk assessment turns into risk reduction.
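To make the MEASURE function concrete, here is an added example (not code from NIST or from this article) of one bias measurement a risk register might record: it computes per-group selection rates, the demographic parity difference, and the disparate impact ratio over a constructed set of model decisions, then compares the ratio against a tolerance the caller supplies. The decision data is constructed for illustration. The 0.8 default for `min_ratio` mirrors the four-fifths rule from US employment-selection guidance and is used here only as an illustrative convention; the framework itself sets no threshold, so the acceptable value is a GOVERN-level policy decision.

```python
"""Group-fairness measurement over model decisions.

Added example for the AI RMF MEASURE function; not code from NIST or from the
article. The decision data below is constructed for illustration.
"""
from collections import defaultdict


# Constructed sample: (protected-attribute group, model decision).
# 1 = favourable outcome (e.g. the model advanced the applicant), 0 = unfavourable.
SAMPLE_DECISIONS = [
    ("A", 1), ("A", 1), ("A", 0), ("A", 1), ("A", 1),
    ("A", 0), ("A", 1), ("A", 1), ("A", 1), ("A", 1),
    ("B", 1), ("B", 0), ("B", 0), ("B", 1), ("B", 0),
    ("B", 0), ("B", 1), ("B", 0), ("B", 0), ("B", 1),
]


def selection_rates(decisions):
    """Return {group: share of favourable decisions} for every group present."""
    if not decisions:
        raise ValueError("no decisions to measure")
    counts = defaultdict(lambda: [0, 0])  # group -> [favourable, total]
    for group, outcome in decisions:
        if outcome not in (0, 1):
            raise ValueError(f"decision must be 0 or 1, got {outcome!r}")
        counts[group][0] += outcome
        counts[group][1] += 1
    return {group: fav / total for group, (fav, total) in counts.items()}


def demographic_parity_difference(rates):
    """Largest gap in selection rate between any two groups (0.0 = parity)."""
    return max(rates.values()) - min(rates.values())


def disparate_impact_ratio(rates):
    """Lowest group's selection rate divided by the highest (1.0 = parity).

    If no group is ever selected there is no disparity to measure, so report
    parity rather than dividing by zero.
    """
    highest = max(rates.values())
    if highest == 0:
        return 1.0
    return min(rates.values()) / highest


def measure_bias(decisions, min_ratio=0.8):
    """Produce the MEASURE output a risk register would record.

    `min_ratio` is a policy choice the framework leaves to the organisation; the
    0.8 default mirrors the four-fifths rule from US employment-selection
    guidance and is used here only as an illustrative convention.
    """
    rates = selection_rates(decisions)
    ratio = disparate_impact_ratio(rates)
    return {
        "selection_rates": rates,
        "dp_difference": demographic_parity_difference(rates),
        "di_ratio": ratio,
        "within_tolerance": ratio >= min_ratio,
    }


if __name__ == "__main__":
    result = measure_bias(SAMPLE_DECISIONS)
    for group, rate in sorted(result["selection_rates"].items()):
        print(f"group {group}: selection rate {rate:.2f}")
    print(f"demographic parity difference: {result['dp_difference']:.2f}")
    print(f"disparate impact ratio: {result['di_ratio']:.2f}")
    print("within tolerance:", result["within_tolerance"])
```

On the constructed sample, group A is selected at 0.80 and group B at 0.40, giving a disparate impact ratio of 0.50, well below the 0.8 tolerance. The measurement itself is mechanical; deciding whether 0.8 is the right bar, and what MANAGE does when the check fails, is exactly the part the framework leaves to you.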

How to Actually Use It

The AI RMF is a 42-page document with an accompanying playbook that provides more detailed guidance. Here’s a practical approach to implementing it:

Start with GOVERN. Before you assess specific AI systems, establish your organizational approach to AI risk management. Who’s responsible? What’s your risk tolerance? How do you make decisions about AI deployment?

Inventory your AI systems. You can’t manage risks you don’t know about. Create a thorough inventory of all AI systems in your organization, including third-party tools and embedded AI features.

Prioritize by risk. Not all AI systems pose the same level of risk. Focus your assessment efforts on systems that make consequential decisions — hiring, lending, healthcare, criminal justice — and systems that affect large numbers of people.

Use the playbook. NIST published a companion playbook with specific suggested actions for each function. It’s more practical than the framework itself and provides concrete steps you can take.

Document everything. Whatever you do, document it. Risk assessments, mitigation decisions, monitoring results, incident responses. Documentation is essential for demonstrating due diligence and for continuous improvement.

Limitations

The AI RMF isn’t perfect:

It’s voluntary. Without legal requirements, adoption is uneven. Companies that take AI risk seriously use it; companies that don’t, ignore it.

It’s generic. The framework applies to all AI systems, which means it can’t provide specific guidance for particular domains or technologies. You’ll need to supplement it with domain-specific standards.

It’s US-centric. While the framework is useful globally, it was designed for the US context. Companies operating internationally need to map it to other frameworks and regulations.

It doesn’t solve hard problems. The framework tells you to assess bias, but it doesn’t tell you how much bias is acceptable. It tells you to implement human oversight, but it doesn’t tell you what effective oversight looks like. The hard decisions are still yours to make.

Where to Get It

The AI RMF 1.0 PDF (published as NIST AI 100-1) is freely available on NIST's website. The companion playbook, crosswalks to other frameworks, and additional resources are also available at no cost. There's no paywall, no registration required.

My Take

The NIST AI RMF is the best available framework for AI risk management in the US. It’s well-structured, practical, and increasingly recognized as a standard. If you’re building or deploying AI systems, you should be familiar with it.

It’s not a compliance checklist — it’s a thinking framework. It helps you ask the right questions about AI risk, even if it doesn’t always provide the answers. In a field where the technology is advancing faster than the rules, that’s valuable.

Originally published: March 13, 2026

Written by Jake Chen, AI technology writer and researcher.
