NIST AI Risk Management Framework (NIST AI RMF): A Detailed Compliance Guide

Currently Voluntary

Promotes Responsible & Sector-Agnostic AI

Aligned With Other AI Standards, Promoting Interoperability

Utah AI Policy Act Compliance
Table of Contents
2
3

A Deep-Dive on the NIST AI Risk Management Framework

Steps to Comply with NIST AI RMF

The NIST logo. NIST created the NIST AI RMF.

NIST AI RMF: An Overview

The NIST AI Risk Management Framework (NIST AI RMF) is a voluntary AI standard published by the U.S. National Institute of Standards and Technology. It was developed to help organizations identify, mitigate, and manage risks for their AI systems. Although NIST is part of the U.S. government, their standards are available to and used by organizations all over the world.

The NIST AI RMF is not written as a one-size-fits-all “checklist” to be followed. Rather, the Framework and accompanying Playbook provide a set of broad goals for organizations engaged in AI risk management, and provide extensive lists of procedures, methods, and options for how best to achieve those goals. It is up to organizations to determine which of these options are best suited to their current needs.

For this reason, the NIST AI RMF can be useful to organizations of any size and level of maturity. It is also entirely compatible with laws that have more specific requirements, such as the EU AI Act, or other frameworks, such as ISO/IEC 42001.

Who is in scope for the NIST AI Risk Management Framework?

The framework applies broadly to anyone involved in the design, development, deployment, or maintenance of AI systems.

AI systems under NIST’s definition cover a wide range of solutions. They include any “engineered or machine-based system that can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions influencing real or virtual environments.” 

Although most current attention is focused on GenAI tools developed in the last few years, AI risk management should also cover other sorts of AI systems, many of which have been in use for years or even decades. Even if an organization hasn’t adopted GenAI technology, they may still have systems in scope for NIST.

Why adopt the NIST AI RMF?

The NIST AI standard helps organizations ensure their AI systems are trustworthy and safe while maintaining accountability.

NIST’s high degree of flexibility and focus on AI system-level governance make it a logical place for many organizations to start building out their AI governance functions. The AI RMF contains numerous potential approaches that governance and technical teams can consider together depending on the risks and needs of an individual system.

Developers of AI systems may adopt the framework as a way to demonstrate to stakeholders or customers that they are taking steps to ensure the AI that they’ve built has been designed responsibly.

Deployers of AI systems often adopt the NIST AI RMF as a framework to ensure the AI that they are purchasing from third parties and vendors is well-managed and aligned with their internal policies.

A Risk-Based Approach

Similar to other AI standards and regulations like ISO 42001 and the EU AI Act, the NIST AI RMF takes a risk-based approach to AI governance.

This means that NIST encourages organizations to classify their AI systems based on the amount of risk and potential harms that the AI system poses. This approach to classifying each AI system helps organizations ensure that the riskiest systems are monitored the most closely.

As an example: an AI hiring tool is considered riskier than a meeting note summarizing tool because of its impact on employment outcomes. Under a risk-based model, the summarizing tool might be subject to annual reviews and monitoring, but the hiring tool might require quarterly bias testing to ensure fair outcomes.

Contents of the AI Risk Management Framework

The NIST AI RMF is divided into two main parts:

Risks, Audience, and Trustworthiness

This section describes how organizations should frame their AI risks and risk management processes in general. Then, it discusses the audience of different AI actors within the organization who should be involved in the process. Finally, it lays out key characteristics of all trustworthy AI systems.

The Core Framework

The main body of the NIST AI RMF describes four primary functions key to managing AI risks – Govern, Map, Measure, and Manage:

Function Function Description Why It Matters
Govern Focuses on establishing the policies, procedures, and culture to manage AI risks effectively. Integrates with the other three functions. Provides organizations with a framework for developing the ecosystem in which their AI activities are managed.
Map Identifies and contextualizes AI risks within their operational environment. Helps organizations triage risks and differentiate how they manage each AI system.
Measure Uses metrics and methodologies to track AI system risk and performance over entire lifecycle. Offers guidance on how to test and monitor each AI system based on the risks and impacts.
Manage Allocates resources to effectively handle the risks identified, ensuring proactive responses. Establishes approaches to “maximize AI benefits and minimize negative impacts.”

 

These functions allow organizations to comprehensively address AI risks, from design and development to long-term management and mitigation. Each function is further broken down into categories and sub-categories of goals to achieved. These goals, alongside the specific tactics and practices recommended in the accompanying NIST AI Risk Management Framework Playbook, can be thought of as a checklist for broad program alignment.

    Non-compliance penalties for NIST AI Risk Management Framework

    There are no legal penalties for non-compliance, as the framework is voluntary.

    However, many state laws — including the Colorado AI Act — explicitly reference the NIST AI RMF as an acceptable foundation for required risk programs. That means alignment could help organizations pre-emptively meet additional regulatory requirements.

    When was the AI RMF released?

    NIST officially released Version 1.0 of the AI Risk Management Framework in January 2023.

    The framework was developed through extensive collaboration between public and private sector experts. This multi-stakeholder effort aimed to create a practical, adaptable method to help organizations use AI responsibly while managing risks such as safety, bias, and lack of oversight.

    In July 2024, NIST also released a companion document with supplementary context specifically for generative AI, which outlines risks that are specific to, or made more pronounced by, GenAI.

     

    Steps to achieve alignment with the NIST AI RMF

    To align with the NIST AI RMF, organizations should focus on the following steps:

      • Adopt Governance Structures: Establish policies, mechanisms for accountability, and procedures to effectively oversee AI risks.
      • Identify and Map Risks: Frame AI risks in relation to their operational context. Consider how AI systems will interact with their intended users and impacted populations.
      • Measure Risks: Continuously monitor the AI system using established metrics to evaluate its performance and trustworthiness over time.
      • Manage Risks: Allocate resources to address and mitigate the impact of risks identified in the earlier steps, ensuring a comprehensive risk management approach.

    Where can I learn more?

    The AI Risk Management Framework is free to the public and can be downloaded online, along with other accompanying resources. Most important of these is the Playbook, which includes a more extended discussion of each of the categories and sub-categories, including actions that organizations might take to help achieve these goals.

    AI compliance tools

    While the NIST framework is clear, implementation can be resource-intensive. Specialized AI governance platforms help reduce manual work and accelerate compliance.

    FairNow’s platform supports alignment with the NIST AI RMF by offering:

    • A centralized AI inventory with intelligent risk flagging and tailored risk leveling guidance

    • Controls that are harmonized with ISO 42001, the EU AI Act, and other US/global regulations

    • Prebuilt templates and auto-generated documentation mapped to NIST controls

    • Streamlined compliance workflows, reducing reporting times and coordination costs

    • Live dashboards and alerts for ongoing, always-on monitoring of AI risks

    These features help organizations transform the NIST AI RMF into a living, operational program — not just a checklist.

      See the FairNow platform in action. Book a free demo.

      Explore the leading AI governance platform

      Book Time