ModelCharter

NIST Risk Management Frameworks Compared: CSF, AI RMF and RMF 800-37

NIST, the US National Institute of Standards and Technology, publishes several risk management frameworks, and they are easy to mix up because they share a vocabulary and a house style. If you are trying to manage AI risk, the practical question is which one applies. The short answer: the NIST AI Risk Management Framework is the one written for AI, but understanding how it sits alongside the others helps you avoid duplicating work.

NIST Cybersecurity Framework (CSF)

The CSF, updated to version 2.0 in 2024, is the widely-adopted framework for managing cybersecurity risk. It organises work around six functions: Govern, Identify, Protect, Detect, and Respond, plus Recover. It is not AI-specific, but because most AI risk in a normal business is a data-security risk, the CSF's Identify and Protect functions overlap heavily with what you need for AI tools: knowing what you use and controlling access to data.

NIST AI Risk Management Framework (AI RMF)

The AI RMF, published in January 2023, is the framework built specifically for AI. It uses four functions, GOVERN, MAP, MEASURE, and MANAGE, and is paired with a Generative AI Profile (NIST AI 600-1) that tailors it to tools like ChatGPT. This is the framework enterprise buyers and US agencies mean when they ask how you manage AI risk. For a small team, GOVERN (a policy and a named owner) and MAP (an inventory of AI tools) are the actionable starting points.

NIST RMF (SP 800-37)

The NIST Risk Management Framework in Special Publication 800-37 is a different thing again: a seven-step process (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor) used mainly by US federal agencies and contractors to authorise information systems for operation. Unless you sell to the federal government or handle federal data, 800-37 is probably not the framework you need for everyday AI governance, though its risk vocabulary influenced the others.

Which one to use for AI

For governing the AI tools your team uses, start with the AI RMF, and lean on the CSF for the underlying data-security controls if you already run a security programme. Reserve 800-37 for federal system authorisation. Whichever you adopt, the practical artefacts are the same: a written AI usage policy, a register of approved tools, and a record that staff have read the rules. ModelCharter provides those three, which satisfy the documentation expectations of the AI RMF and map cleanly onto the others. See our frameworks guides for the AI RMF and ISO 42001 in detail.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator