The NIST AI Risk Management Framework: A Plain-English Guide

Photo: Nataliya Vaitkevich / Pexels
The NIST AI Risk Management Framework, published by the US National Institute of Standards and Technology in January 2023, is a voluntary framework that helps organisations identify, assess, and manage risks arising from AI systems. Unlike the EU AI Act, it carries no legal force, but it has become the reference standard that US federal agencies, regulated industries, and enterprise procurement teams point to when they ask 'how do you manage AI risk?'
The four core functions: GOVERN, MAP, MEASURE, MANAGE
The NIST AI RMF organises AI risk management into four functions. GOVERN sets the culture and accountability structures: who owns AI risk, what policies exist, how decisions are made. MAP identifies which AI systems you use and what risks they create. MEASURE evaluates those risks using qualitative or quantitative methods. MANAGE puts controls in place and monitors their effectiveness over time. For most SMBs, the GOVERN and MAP functions are the most immediately actionable starting point.
GOVERN in practice for a small team
Governance at SMB scale means naming a single owner for AI decisions, writing down your AI usage policy, and making sure staff know the rules. You do not need a risk committee or a quarterly review cycle. A one-page policy with a named owner and annual review is a credible implementation of GOVERN for a team of under 50 people. The goal is documented accountability, not administrative complexity.
MAP: knowing what you are actually using
You cannot manage AI risk you do not know about. MAP starts with an inventory: what AI tools does your organisation use, who uses them, and what data flows into them? This is the AI tool register that also satisfies ISO 42001 and EU AI Act documentation requirements. Once you have the inventory, you can classify each tool by risk level and apply appropriate controls. Shadow AI, tools your team uses without IT's knowledge, is usually the biggest gap in any MAP exercise.
How NIST AI RMF relates to EU AI Act and ISO 42001
The three frameworks are designed to complement each other. The EU AI Act sets legal minimums. ISO 42001 provides a management system for meeting and demonstrating them. NIST AI RMF offers a risk-management lens, particularly useful for US organisations or those with international operations. Many compliance professionals map controls across all three, since the overlapping requirements mean satisfying one framework does much of the work for the others.
Getting started without a risk team
Pick up GOVERN and MAP first. Publish an AI usage policy, name an owner, build a register of approved tools. ModelCharter handles all of that. From there, MEASURE and MANAGE add depth as your AI use grows, but you do not need them on day one. Governance that exists beats a perfect framework that is still being designed.