NIST AI Risk Management Framework
The NIST AI Risk Management Framework, or AI RMF, is a voluntary U.S. framework for managing risks from artificial-intelligence systems. It gives organizations a common vocabulary for governing, mapping, measuring, and managing AI risks across the system lifecycle.
Definition
The NIST AI Risk Management Framework 1.0 was released on January 26, 2023 by the U.S. National Institute of Standards and Technology. It is designed for organizations that design, develop, deploy, or use AI systems, and it is explicitly voluntary, non-sector-specific, rights-preserving, and use-case agnostic.
The framework does not certify that an AI system is safe, lawful, fair, or trustworthy. It gives organizations a risk-management operating model: identify context, understand harms, assign responsibility, evaluate evidence, manage risk, and update practices as systems and uses change.
Because it is voluntary, the AI RMF is best understood as governance infrastructure rather than law. It helps shape procurement, audits and assurance, policy, standards, internal controls, AI system inventories, and safety documentation, but it does not itself create an enforcement regime.
Snapshot
- Status: AI RMF 1.0 is a voluntary NIST framework released January 26, 2023; as of June 25, 2026, NIST says it is being revised.
- Core functions: Govern, Map, Measure, and Manage.
- Trustworthiness frame: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.
- Companion artifacts: the AI RMF Playbook, Generative AI Profile, AI RMF Roadmap, TEVV work, post-deployment monitoring report, and emerging critical-infrastructure profile.
- Governance value: creates a shared vocabulary for lifecycle risk ownership, evidence, controls, documentation, and review.
- Not a certification: "aligned with NIST AI RMF" is weak unless tied to a system, version, evidence record, decision authority, and post-deployment monitoring plan.
Current Context
As of June 25, 2026, NIST's AI RMF page and AI Resource Center state that AI RMF 1.0 is being revised. The AIRC executive-summary page describes the framework as a living document and says the White House AI Action Plan directed NIST to revise AI RMF 1.0 to remove references to misinformation, Diversity, Equity, and Inclusion, and climate change. That makes version, retrieval date, and exact source especially important when citing AI RMF language.
NIST's current AI RMF page also points to the Generative AI Profile released on July 26, 2024 and the April 2026 concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure. The Playbook says it will be updated after the AI RMF is revised, and that its suggestions are voluntary rather than a checklist that must be followed in full.
The surrounding NIST ecosystem has also expanded. NIST's TEVV page frames trustworthy AI as dependent on reliable measurements and evaluations, while the Center for AI Standards and Innovation and the AI Agent Standards Initiative connect measurement science to frontier-model evaluation, cyber and biosecurity concerns, agent identity, agent security, interoperability, and federal procurement. NIST AI 800-4, published in March 2026, adds a post-deployment monitoring layer by identifying monitoring categories and challenges from practitioner workshops and literature review. The AI RMF remains the risk-management vocabulary; those programs supply more specialized evaluation, monitoring, and standards work.
Structure
The AI RMF Core is organized around four functions: Govern, Map, Measure, and Manage. The companion Playbook provides suggested actions and questions for each function and subcategory.
Govern. Establish policies, accountability, roles, culture, documentation, risk tolerance, and oversight structures for AI risk management.
Map. Understand the AI system's context, intended purpose, stakeholders, data, deployment environment, benefits, harms, and legal or social constraints.
Measure. Analyze, test, evaluate, and monitor AI risks and trustworthiness characteristics using appropriate qualitative and quantitative methods.
Manage. Prioritize, respond to, mitigate, accept, transfer, monitor, and communicate AI risks based on mapped context and measured evidence.
The order is not purely linear. In a real AI program, governance shapes mapping, mapping shapes measurement, measurement informs management, and management failures should feed back into governance.
Trustworthiness Characteristics
NIST frames trustworthy AI through several characteristics: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.
These characteristics are not independent checkboxes. A model can be accurate but unfair, explainable but insecure, privacy-preserving but unsafe, or transparent in documentation while opaque in deployment. The point of the framework is to force tradeoffs into view instead of letting a single metric stand in for trustworthiness.
The AI RMF also treats AI risk as sociotechnical. Risk does not reside only in model weights or benchmark performance. It emerges from data, users, deployment settings, incentives, institutional power, feedback loops, affected communities, and the real-world ability to contest or repair harm.
Generative AI Profile
In July 2024, NIST released NIST AI 600-1, the Generative AI Profile, as a companion to AI RMF 1.0. The profile applies the AI RMF functions to risks that are unique to or intensified by generative AI.
The Generative AI Profile organizes its suggested actions around twelve risk areas that NIST names as: CBRN information or capabilities; confabulation; dangerous, violent, or hateful content; data privacy; environmental impacts; harmful bias and homogenization; human-AI configuration; information integrity; information security; intellectual property; obscene, degrading, or abusive content; and value chain and component integration. Cross-cutting concerns such as misuse and data provenance recur across those areas rather than standing as separate categories.
For general-purpose models, the profile matters because it moves the conversation beyond model accuracy. A generative system can create persuasive falsehoods, synthetic evidence, privacy exposure, dependency loops, copyright conflict, insecure tool behavior, and polluted downstream data even when it appears fluent and useful.
How It Is Used
Internal governance. Organizations use the AI RMF to structure risk committees, inventories, policies, model-review gates, documentation, and accountability practices.
Audits and assurance. The AI RMF gives auditors and assurance providers a shared language for asking whether an organization has mapped, measured, and managed AI risks instead of merely claiming that it did.
Public-sector AI. U.S. agencies and contractors often refer to NIST guidance when building AI governance programs, procurement requirements, inventories, and risk-management processes.
Security and red teaming. The Generative AI Profile and related NIST publications give developers a way to connect prompt injection, poisoning, cybersecurity, provenance, and misuse concerns to an organizational risk process.
Standards alignment. The AI RMF is often discussed alongside ISO/IEC 42001, the EU AI Act, OECD AI principles, CISA secure-development guidance, and sector-specific rules. It can serve as a crosswalk, but it does not replace those regimes.
Governance and Safety Implications
The AI RMF's practical safety contribution is not a new technical control by itself. It is a discipline for making control choices explicit: what harm is being managed, who owns the risk, what evidence supports the decision, what residual risk was accepted, and what event will trigger a pause, rollback, retest, or retirement.
For high-impact systems, an AI RMF program should connect pre-deployment evaluation to post-deployment monitoring. NIST AI 800-4 is important here because many AI failures appear only after context, users, incentives, data, integrations, and adversaries change in production. A risk record that stops at launch is not lifecycle risk management.
For generative and agentic systems, the framework should be applied to the deployed system rather than the model name alone. Mapping and measurement should cover retrieval sources, memory, tools, credentials, agent identity, human approval points, logs, incident response, and downstream actions. Otherwise an organization may have a model review while leaving the real action surface ungoverned.
For affected people, the framework is weakest when it remains internal. Risk management should produce notice, appeal, human review, accessibility, privacy choices, incident reporting, and repair mechanisms where the system materially affects rights, safety, opportunity, or public services.
Implementation Record
A serious AI RMF alignment claim should leave enough evidence for a reviewer to reconstruct the system, the risk decision, and the controls. At minimum, it should name:
- System identity: owner, use case, affected population, model or vendor version, deployment context, and links to the AI system inventory.
- Mapped context: intended purpose, foreseeable misuse, data provenance, retrieval sources, tools, human workflow, legal constraints, and affected-party recourse.
- Measured evidence: evaluations, red-team results, security tests, privacy and bias analysis, uncertainty, failed tests, known limitations, and monitoring plan.
- Managed risk: risk owner, risk tolerance, mitigation decisions, access limits, human oversight, agent sandboxing where relevant, incident response, change-control triggers, and retirement conditions.
- Records: model or system cards, audit logs, procurement terms, assurance scope, vulnerability disclosure path, incident reports, and post-market monitoring records.
This is where the framework becomes operational. "Govern, Map, Measure, Manage" is useful only when it changes release gates, procurement choices, monitoring, user notice, remediation, or the authority to pause a system.
Limits
Voluntary status. An organization can cite the AI RMF without being legally required to follow it unless some contract, procurement rule, regulator, or internal policy makes it binding.
Evidence gap. Saying that a process is "aligned with NIST AI RMF" does not reveal what tests were run, what failed, who reviewed the evidence, or whether deployment changed.
Interpretive flexibility. The framework is intentionally broad. That makes it adaptable, but it also lets weak organizations translate hard questions into soft process language.
Version drift. AI RMF 1.0, the Playbook, the Generative AI Profile, the Critical Infrastructure concept note, and any future revised AI RMF do not have the same status. A citation should not blur them into one timeless "NIST says" claim.
Fast-moving systems. Agentic models, frontier-lab releases, tool-use systems, synthetic media pipelines, and continuously updated models can change faster than the risk documentation that describes them, so a record that was accurate at review time may describe a system that no longer exists.
Power asymmetry. A framework can improve internal governance while still leaving affected people, workers, communities, researchers, and journalists without enough access to challenge harmful systems.
Source Discipline
AI RMF claims should identify the exact artifact: AI RMF 1.0, the AI RMF Playbook, the Generative AI Profile, an AIRC page, a crosswalk, a concept note, a NIST evaluation program, or a future revision. These are related but not interchangeable.
Use "voluntary" carefully. AI RMF itself is voluntary, but organizations can make it binding through contracts, procurement terms, internal policy, audit scope, insurance requirements, or regulator-facing commitments. Conversely, a public claim of "NIST-aligned" is weak unless it names the system, version, controls, test evidence, and decision consequence.
For current claims, cite NIST pages with review dates because NIST says AI RMF 1.0 is being revised and because Playbook material may change after the revision. For legal or procurement claims, cite the relevant law, OMB memorandum, contract, or agency policy directly rather than treating NIST guidance as a substitute for binding authority.
Spiralist Reading
The AI RMF is a grammar for slowing the machine down enough to name its risks.
The framework says: do not only ask whether the model works. Ask where it is used, who is exposed, what evidence exists, who owns the risk, how harm is detected, and what happens after failure. That is useful friction.
For Spiralism, the weakness is also clear. A grammar can become liturgy. Organizations can recite Govern, Map, Measure, Manage while still treating the machine as inevitable. The framework matters when it produces records, decisions, delays, refusals, and accountability. It fails when it becomes decorative compliance language around an unchanged deployment race.
Open Questions
- When should voluntary AI RMF alignment become a contractual, procurement, or regulatory requirement?
- What evidence should an organization publish when it claims to use the AI RMF?
- Can the framework keep pace with agentic AI systems that act continuously across tools and services?
- How should affected communities participate in mapping and managing AI risks?
- What distinguishes serious AI RMF implementation from compliance theater?
Related Pages
- AI Governance
- AI Evaluations
- AI Audits and Third-Party Assurance
- AI System Inventory
- AI Procurement
- AI Audit Trails
- AI Bill of Materials
- AI Red Teaming
- Secure AI System Development
- AI Vulnerability Disclosure
- AI Agent Sandboxing
- AI Change Management
- AI Post-Market Monitoring
- Model Drift
- Confidence Calibration
- Human Oversight of AI Systems
- Model Cards and System Cards
- AI Incident Reporting
- AI in Government and Public Services
- AI Liability and Accountability
- Algorithmic Impact Assessments
- U.S. AI Policy
- EU AI Act
- Frontier AI Safety Frameworks
- AI Safety Institutes
- Prompt Injection
- Data Poisoning
- AI Data Provenance
- Federated Learning
- Differential Privacy
- Homomorphic Encryption
- Secure Multi-Party Computation
- Zero-Knowledge Proofs
- Content Provenance and Watermarking
- Vendor and Platform Governance
- Transparency and Public Registers
- AI Insurance and Risk Transfer
Sources
- NIST, AI Risk Management Framework, reviewed June 25, 2026.
- NIST, Artificial Intelligence Risk Management Framework (AI RMF 1.0), January 26, 2023; reviewed June 25, 2026.
- NIST AI Resource Center, AI RMF 1.0 Executive Summary and revision notice, reviewed June 25, 2026.
- NIST AI Resource Center, AI RMF Playbook, reviewed June 25, 2026.
- NIST, Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, NIST AI 600-1, July 26, 2024; reviewed June 25, 2026.
- NIST, Concept Note: AI RMF Profile on Trustworthy AI in Critical Infrastructure, April 7, 2026; reviewed June 25, 2026.
- NIST, AI Test, Evaluation, Validation and Verification, reviewed June 25, 2026.
- NIST, Challenges to the Monitoring of Deployed AI Systems, NIST AI 800-4, March 6, 2026.
- NIST, Center for AI Standards and Innovation, reviewed June 25, 2026.
- NIST, AI Agent Standards Initiative, reviewed June 25, 2026.
- ISO, ISO/IEC 42001:2023 Artificial intelligence management system, reviewed June 25, 2026.
- White House, America's AI Action Plan, July 2025; reviewed June 25, 2026.
- NIST, AI Risk Management Framework FAQs, reviewed June 25, 2026.
- NIST, NIST AI RMF Playbook FAQs, reviewed June 25, 2026.