NIST AI RMF
NIST AI Risk Management Framework 1.0 · U.S. National Institute of Standards and Technology
The NIST AI RMF is a voluntary, practical framework for managing AI risks across the lifecycle. It is organised around four functions (Govern, Map, Measure and Manage) and is paired with a Generative AI Profile (NIST AI 600-1, July 2024) that tailors it to generative tools like ChatGPT.
Who it applies to
Voluntary; widely adopted by US organisations and increasingly referenced in contracts and by enterprise buyers as the expected baseline for responsible AI.
Key points
Govern
Put policies, accountability and culture in place. An AI usage policy and a named owner are the core of the Govern function.
Map
Understand the context and catalogue where AI is used and what could go wrong. In practice, keep an AI tool register.
Measure
Assess and track the risks you mapped, using metrics and testing appropriate to the use case.
Manage
Prioritise and act on risks, and review regularly.
Generative AI Profile
NIST AI 600-1 lists generative-AI-specific risks (data leakage, confabulation, intellectual property, etc.) and suggested actions for each.
What a small team should do
You don't need a formal programme to benefit. Doing the Govern (policy + owner) and Map (tool register) functions well already puts a small team ahead of most, and it maps neatly onto what enterprise customers ask about in security reviews.
FAQ
- Is the NIST AI RMF mandatory?
- No, it's voluntary. But it has become the de facto baseline that US enterprise buyers and partners expect, so adopting it helps you pass vendor security reviews.
- What are the four NIST AI RMF functions?
- Govern, Map, Measure and Manage. Govern sets policy and accountability; Map catalogues AI use and context; Measure assesses risk; Manage acts on it.