Structure of the NIST AI RMF
The AI RMF organizes AI risk management around four functions. Govern establishes the organizational context for risk management: policies, roles, culture, and resources. Map identifies and classifies AI risks in the context of the specific system and deployment environment. Measure analyzes and prioritizes identified risks using quantitative and qualitative methods. Manage implements risk treatments — mitigations, controls, and residual risk acceptance — and monitors their effectiveness. The framework is not prescriptive about specific controls; it provides a structure that organizations populate with practices appropriate to their context and risk appetite. A companion Playbook offers more detailed implementation guidance and suggested practices for each function.
How the AI RMF is used in practice
Organizations typically use the AI RMF in three ways. First, as a starting point for building an AI governance program: the four-function structure provides an organizational scaffold that teams can fill in with their specific policies and processes. Second, as a common language for communicating about AI risk with regulators, auditors, and partners: the RMF terminology is recognized broadly enough to support cross-organizational alignment. Third, as a self-assessment tool: the AI RMF Profile concept allows organizations to document their current practices against each function and identify gaps. Because the framework is voluntary, adoption varies widely: some organizations implement it comprehensively, others adopt specific elements, and many use it as a reference alongside sector-specific guidance.
Relationship to other standards and regulations
The NIST AI RMF does not duplicate or replace other standards — it is designed to complement them. ISO AI management standards, sector-specific regulatory guidance, and the EU AI Act each address different aspects of AI governance; the RMF provides a common risk management scaffold that organizations can use alongside any of them. NIST has published alignment documents mapping the AI RMF to ISO standards, the EU AI Act, and other frameworks, which helps organizations that need to demonstrate alignment with multiple requirements from a single set of organizational practices.