NIST · Voluntary framework · Trustworthy AI methodology

NIST AI RMF 1.0.

The U.S. voluntary framework for managing AI risk: NIST AI 100-1, published January 2023, with the Generative AI Profile (NIST AI 600-1) added July 2024. Four core functions (Govern, Map, Measure, Manage) operationalize the trustworthy-AI characteristics across the lifecycle. Non-certifiable by design. The substantive methodology underneath every serious AIMS we run.

Our stance: RMF is the methodology, 42001 is the certificate. Run them together, never as alternatives.

§ I · The framework

What the AI RMF actually is, in plain English.

The NIST AI Risk Management Framework (NIST AI 100-1) was published on 26 January 2023, as directed by the National AI Initiative Act of 2020. NIST built it the way NIST builds frameworks: roughly 18 months of public workshops, a request for information, and two public drafts with comment periods before the final text. The result is a voluntary, non-sector-specific, non-prescriptive framework in two parts: Part 1, Foundational Information (risk framing, trustworthy-AI characteristics, AI lifecycle, AI actors), and Part 2, Core and Profiles (the four functions, 19 categories, 72 sub-categories, and the Profile concept).

The four core functions are the operational unit of the RMF: Govern (cultivate a risk-aware culture; cross-cutting), Map (establish context and identify AI risks), Measure (analyze and assess), and Manage (allocate resources and respond). Govern sits at the center, intersecting all three operational functions. Each function decomposes into categories (Govern 1, Govern 2, …), and each category into sub-categories (Govern 1.1, Govern 1.2, …): the granular outcomes you actually evidence.

The framework is supplemented by a Playbook (an interactive companion offering suggested actions, references, and documentation per sub-category), a series of Profiles (published or self-built; the Generative AI Profile, NIST AI 600-1, is the most consequential), and the AI Resource Center (AIRC), NIST's hub for crosswalks (to ISO/IEC 42001, the OECD AI Principles, the EU AI Act, etc.), case studies, and ongoing updates.

What the RMF is not: a certifiable standard. There is no certification body. There is no accredited audit. There is no public registry of "RMF-conformant" organizations. NIST is explicit about this in the framework itself: the RMF is a resource, not a compliance regime. That distinction makes it powerful (you can adopt without procurement friction) and limited (a buyer asking for proof of trustworthy-AI maturity needs more).

Senior practitioner's note

The RMF is the methodology. You still need an evidence regime.

Clients adopt RMF and stop: "we're aligned to NIST AI RMF" goes on the trust page. That's not nothing, but it isn't enough for buyers, regulators, or your own risk committee. We treat RMF as the substantive content (the questions to ask, the risks to track, the artifacts to produce) and pair it with ISO 42001 as the evidence regime. RMF tells you what to do; 42001 makes the auditor believe you did it.

§ II · Fit check

Should you adopt RMF first?

Three questions. The answer tells you whether NIST AI RMF is a strong starting point, or whether you should jump directly to a certifiable standard.


NIST AI RMF fit check

1. Where are you in your AI governance journey?
2. Who is asking you for AI governance evidence?
3. Are you shipping generative AI features in product?
§ III · The Core

Govern, Map, Measure, Manage.

The RMF Core is four functions that operate continuously and iteratively across the AI lifecycle. Govern is foundational and cross-cutting; the other three are operational and run in roughly that order, but in practice they loop.

Function | What it does | Categories
Govern | Cultivates a risk-aware culture across the organization. Cross-cutting: informs Map, Measure, and Manage. Roles, accountability, policies, third-party engagement, diversity considerations. | 6 categories · 19 sub-categories
Map | Establishes the context the AI system operates in; identifies and frames AI risks. Use cases, stakeholders, lifecycle stage, capabilities and limits. | 5 categories · 18 sub-categories
Measure | Analyzes, assesses, benchmarks, and monitors AI risks. Quantitative and qualitative methods. Trustworthy-AI characteristics are evaluated here. | 4 categories · 22 sub-categories
Manage | Allocates resources to mapped and measured risks. Prioritization, response (mitigate, transfer, avoid, accept), monitoring effectiveness. | 4 categories · 13 sub-categories
(19 categories and 72 sub-categories in total.)

The trustworthy-AI characteristics (valid and reliable; safe; secure and resilient; accountable and transparent; explainable and interpretable; privacy-enhanced; fair with harmful bias managed) are the substantive frame the framework's outcomes are measured against. Auditors operating outside the RMF (ISO 42001 CBs, EU AI Act notified bodies) commonly borrow this vocabulary.

§ IV · The Categories

A tour of the 72 sub-categories.

Each function below lists the categories an RMF-aligned program produces evidence against. The Playbook expands every sub-category with suggested actions, documentation, and references; NIST's separate crosswalks on the AIRC map the sub-categories to ISO/IEC 42001 and other frameworks.

Govern · Foundation: where culture lives

Six categories covering policies, accountability, workforce diversity, risk-aware culture, engagement with AI actors, and third-party risk. The most under-invested function in early-stage programs, and the one auditors and CBs sample first.

Govern 1
Policies, processes, procedures & practices
AI policy ratified by leadership; risk tolerance defined; mapping to legal & regulatory requirements.
Govern 2
Accountability structures
Roles, responsibilities, lines of authority: documented and assigned.
Govern 3
Workforce diversity, equity & inclusion
Diverse teams across the AI lifecycle; bias considerations baked into design.
Govern 4
Risk-aware culture
Training, communication channels, psychological safety to surface concerns.
Govern 5
Engagement with AI actors
Stakeholder engagement: affected communities, end users, regulators.
Govern 6
Third-party considerations
Vendor risk management for AI value-chain partners: foundation models, data providers, MLOps tooling.

Map · Establish context: frame the risk

Five categories: context established and understood; categorization of the AI system; capabilities, targeted usage, goals, and expected benefits and costs; risks and benefits mapped for all components, including third-party software and data; and impacts to individuals, groups, communities, organizations, and society characterized. This is where AI system impact assessments live in the RMF vocabulary.

Map 1
Context established & understood
Use case, lifecycle stage, deployment environment, AI actors documented.
Map 2
Categorization of AI system
System type (classification, generative, recommendation), risk tier, regulatory exposure.
Map 3
AI capabilities, usage, & assumptions
Intended use, foreseeable misuse, capability limits documented.
Map 4
Risks & benefits mapped
Risks to individuals, groups, society, environment: with severity and likelihood.
Map 5
Impacts to individuals, groups, society
Concrete impact statements per stakeholder class: the impact-assessment artifact.

Measure · Analyze and assess: the technical hard part

Four categories: appropriate methods and metrics identified, systems evaluated for trustworthy characteristics, mechanisms for tracking identified risks over time, and feedback about the efficacy of measurement gathered and assessed. This is where evals, red-teaming, fairness testing, and drift monitoring all live.

Measure 1
Methods for measuring identified
Quantitative & qualitative methods documented: with rationale and limits.
Measure 2
Systems evaluated against trustworthy-AI characteristics
Validity, reliability, safety, security, resilience, accountability, transparency, explainability, interpretability, privacy, fairness/bias.
Measure 3
Mechanisms for tracking risks
Telemetry, dashboards, KPIs, drift detection: operational, not annual.
Measure 4
Feedback about efficacy of measurement
The measurement approach itself is reviewed: input from domain experts, operators, and affected parties on whether the metrics are working, plus periodic reassessment of the methods.

Manage · Allocate resources, respond to risk

Four categories: prioritize risks, treat them, document third-party risks, and continuously improve. This is where the RMF rubber meets MLOps reality: tracking which risks were accepted vs mitigated, and why.

Manage 1
Risks prioritized
Prioritization scheme tied to severity × likelihood × reversibility.
Manage 2
Strategies to maximize benefits & minimize harms
Mitigation, transfer, avoidance, acceptance: per-risk treatment decisions logged.
Manage 3
Third-party risks documented
Per-vendor risk decisions, contractual flow-down, monitoring.
Manage 4
Risk treatments documented & monitored
Treatment effectiveness, residual-risk tracking, lessons-learned loop.

Trustworthy · The seven characteristics

The substantive frame the RMF measures AI against. Measure 2 evaluates systems against each of these. ISO 42001, the EU AI Act, and the OECD AI Principles (which predate the RMF and informed it) use closely aligned vocabulary.

T.1
Valid & reliable
Performs as intended within stated context. Evidence: eval datasets, performance KPIs, drift metrics.
T.2
Safe
Doesn't endanger life, health, property, environment. Foreseeable misuse considered.
T.3
Secure & resilient
Withstands adversarial attack (data poisoning, model evasion, prompt injection, model extraction) and returns to normal function after unexpected adverse events.
T.4
Accountable & transparent
Decisions traceable to humans; system behavior disclosed appropriately.
T.5
Explainable & interpretable
Outputs explainable to relevant audiences at appropriate fidelity.
T.6
Privacy-enhanced
Privacy preserved across training data, inference inputs, telemetry. PETs where applicable.
T.7
Fair: harmful bias managed
Bias identified, measured, mitigated. Disparate-impact testing across protected classes.
§ V · The GenAI Profile

NIST AI 600-1: the generative-AI overlay.

On 26 July 2024, NIST published AI 600-1, the AI RMF Generative AI Profile, as tasked by Executive Order 14110 (the order was revoked in January 2025; the Profile remains a published NIST document). It is the most operationally useful artifact NIST has published on generative AI to date. The Profile identifies twelve risks unique to or amplified by GenAI and maps them to specific RMF Core sub-categories with concrete suggested actions.

The twelve GenAI-specific risks are: CBRN information or capabilities; confabulation (hallucination); dangerous, violent, or hateful content; data privacy; environmental impacts; harmful bias and homogenization; human-AI configuration; information integrity; information security; intellectual property; obscene, degrading, and/or abusive content; and value chain and component integration. For each, the Profile lists suggested actions across the four core functions plus references to additional NIST work (red-teaming guidance, eval methods, transparency artifacts).

The Profile is doing real work in 2026. OMB M-24-10 (March 2024) pointed federal agencies at the AI RMF, and its April 2025 successor M-25-21 keeps minimum risk-management practices for high-impact AI. Enterprise procurement teams cite the Profile in security questionnaires. ISO 42001 CBs commonly treat it as the baseline for what "responsible GenAI" looks like under Annex A.5 and A.6. If you ship GenAI features, your team should know the twelve risks by name.

§ VI · Profiles & Use

Three ways organizations use the framework.

RMF is non-prescriptive by design: you tailor it to your context. The three usage patterns we see, in order of program maturity:

Starting

Self-alignment

Walk your org through the four functions. Identify gaps. Document where you stand. Used as an internal organizing principle: "we're aligned to NIST AI RMF" goes on trust pages.

  • Effort: 4-8 weeks
  • Cost: Internal time + light advisory
  • Output: Self-attested alignment & gap report
  • Used by: Early-stage AI programs
  • Buyer signal: Modest
Where most engagements live

Custom Profile

Build an organization-, sector-, or system-specific Profile: tailored sub-categories, prioritized outcomes, target maturity per outcome. The Profile becomes your AI-program operating manual. Pairs with the GenAI Profile for shipping GenAI products.

  • Effort: 10-16 weeks
  • Cost: Senior advisory engagement
  • Output: Profile document + roadmap + tailored Playbook
  • Used by: Mid-stage programs preparing for 42001
  • Buyer signal: Strong, substantive evidence
Top of stack

RMF + 42001

RMF as the substantive methodology, ISO 42001 as the audited management-system shell. The RMF Profile becomes the input to your AIMS scope & Statement of Applicability. One coherent program; two artifacts.

  • Effort: 9-15 months total
  • Cost: RMF advisory + 42001 readiness + CB
  • Output: Profile + AIMS + accredited certificate
  • Used by: AI-product companies, regulated sectors
  • Buyer signal: Maximal
§ VII · The clock

From kickoff to a defensible RMF Profile: 10 – 16 weeks.

RMF on its own is fast: no audit, no CB. The work is substantive: identifying AI systems, framing risks, picking outcomes, building evidence, training the org. We sequence it so a 42001 readiness can pick up directly from the Profile output.

Wk 0 – 2
Inventory & context
AI system inventory, AI-actor mapping, lifecycle-stage tagging, regulatory exposure, current-state assessment.
Wk 2 – 6
Govern + Map
AI policy ratified, accountability matrix built, Map sub-categories worked through per system, impact assessments drafted.
Wk 6 – 10
Measure
Eval methods agreed, trustworthy-AI characteristics scored, GenAI Profile applied where applicable, measurement instrumentation deployed.
Wk 10 – 14
Manage
Risk treatments decided, third-party risks documented, monitoring cadence established, residual-risk register signed off.
Wk 14 – 16
Profile finalized
Profile document published internally, leadership sign-off, training rolled out, roadmap to 42001 readiness articulated.
§ VIII · How Nexurion runs it

RMF is the methodology. We make it operational.

Every Nexurion RMF engagement is led by a senior practitioner: the person on the engagement letter is the person walking your AI inventory, sitting in your risk-committee reviews, and on the call when leadership needs to make a tradeoff between shipping speed and risk acceptance. Read our methodology »

We use the NIST Playbook as a starting point for every sub-category, then tailor: not every suggested action fits every org, and a Profile copy-pasted from the Playbook is exactly the wallpaper we don't ship. Every outcome we accept gets a defensible rationale; every outcome we defer gets a roadmap entry with an owner and a date.

The artifacts that come out of an RMF engagement are reusable: AI policy, AI inventory, impact assessments, risk register, trustworthy-AI scorecards, third-party-risk DD records, monitoring KPIs, and the Profile document itself. Each one is built once and feeds 42001, EU AI Act conformity assessments, federal evidence under the OMB AI memos (M-24-10 and its successor M-25-21), and enterprise security questionnaires.

Engagement structure

Built to graduate: not park.

Most clients adopt RMF as a stepping stone to ISO 42001 or to EU AI Act readiness. We architect the Profile so the artifacts feed both. The same risk register that satisfies Manage 1 is your 42001 risk register. The same impact assessments that satisfy Map 5 satisfy 42001 A.5 and AI Act Articles 9 & 27. Build once, evidence many.

§ IX · Where engagements stall

Six places an RMF program becomes wallpaper.

RMF's voluntary, non-prescriptive design is its great strength and its great weakness. Without discipline, alignment becomes self-deception.

01 / Govern-skip

Jumping straight to Measure.

Engineering wants to talk evals and red-teaming. Govern feels boring: policies, accountability, training. Skip it and your Measure outputs have nowhere to land. Govern first, always.
02 / Inventory drift

"We have three AI systems."

A real inventory finds 12-30. Internal Copilots, RPA-with-LLM, fraud models, support chatbots, marketing-content GenAI, and the foundation-model APIs five teams call directly. You can't Map what you can't list.
03 / Trustworthy-as-checklist

Seven green checkmarks, no evidence.

"Valid & reliable: yes. Safe: yes. Secure: yes." with no methodology behind any answer. The Measure function exists exactly to prevent this; the Playbook tells you how. Do the work.
04 / GenAI without 600-1

A GenAI shop ignoring the twelve risks.

If you ship GenAI and your Profile doesn't reference the GenAI Profile, your risk identification is incomplete. Confabulation, value-chain integration, IP, information integrity: these are not optional considerations.
05 / Profile-as-PDF

A 60-page document nobody reads.

Profiles that aren't operationalized are dead on delivery. We treat the Profile as the input to dashboards, training, design reviews, and incident triage: not as a deliverable to file.
06 / Stuck at alignment

Three years "aligned", never certified.

RMF alignment is a great starting point and a poor ending. If buyers, regulators, or your board are asking for evidence, voluntary self-attestation isn't enough. Graduate to 42001 on a 12-18 month horizon.
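The stall patterns above are checkable before a Profile is filed. What follows is an added example, not code from the NIST Playbook or from this page's engagement tooling: a small Python linter over a Profile's risk register and trustworthy-AI scorecards that flags inventory drift, green ratings with no evidence behind them, generative systems that do not address all twelve NIST AI 600-1 risks, accepted or deferred risks with no owner and rationale, and malformed sub-category references. The `System` and `Risk` record shapes, the finding codes, the sample systems, artifact ids and sub-category references are all constructed for illustration; the twelve risk names are the ones published in AI 600-1 and the seven characteristics are those of AI RMF 1.0.

```python
"""Added example: lint an AI RMF Profile's risk register and scorecards.
Record shapes, finding codes and sample data are constructed, not NIST's."""
import re
from dataclasses import dataclass, field

# The twelve risks named in NIST AI 600-1, as published.
GENAI_RISKS = frozenset({
    "CBRN Information or Capabilities", "Confabulation",
    "Dangerous, Violent, or Hateful Content", "Data Privacy",
    "Environmental Impacts", "Harmful Bias and Homogenization",
    "Human-AI Configuration", "Information Integrity", "Information Security",
    "Intellectual Property", "Obscene, Degrading, and/or Abusive Content",
    "Value Chain and Component Integration",
})
# The seven trustworthy-AI characteristics of AI RMF 1.0.
CHARACTERISTICS = ("valid_reliable", "safe", "secure_resilient",
                   "accountable_transparent", "explainable_interpretable",
                   "privacy_enhanced", "fair_bias_managed")
# A sub-category reference such as "MEASURE 2.7": shape check only.
SUBCAT_RE = re.compile(r"^(GOVERN|MAP|MEASURE|MANAGE) [1-6]\.\d{1,2}$")

@dataclass
class System:
    name: str
    generative: bool
    # characteristic -> (rating, evidence artifact ids); an assumed shape
    scorecard: dict = field(default_factory=dict)

@dataclass
class Risk:
    id: str
    system: str
    title: str
    subcategories: list
    treatment: str        # mitigate | transfer | avoid | accept | deferred
    owner: str = ""
    rationale: str = ""
    genai_risk: str = ""  # a 600-1 risk name when the risk is GenAI-specific

def lint(systems, risks):
    """Return (code, message) findings; an empty list means the register passes."""
    findings = []
    inventory = {s.name for s in systems}
    for s in systems:
        for char in CHARACTERISTICS:
            rating, evidence = s.scorecard.get(char, ("unrated", []))
            if rating == "green" and not evidence:   # seven green ticks, no evidence
                findings.append(("CHECKLIST", f"{s.name}: '{char}' rated green with no evidence"))
            elif rating == "unrated":
                findings.append(("UNRATED", f"{s.name}: '{char}' has no Measure rating"))
        if s.generative:                              # GenAI without 600-1
            covered = {r.genai_risk for r in risks if r.system == s.name and r.genai_risk}
            missing = sorted(GENAI_RISKS - covered)
            if missing:
                findings.append(("GENAI_600_1", f"{s.name}: {len(missing)} of 12 NIST AI 600-1 "
                                                f"risks unaddressed: {', '.join(missing)}"))
    for r in risks:
        if r.system not in inventory:                 # inventory drift
            findings.append(("INVENTORY", f"{r.id}: system '{r.system}' is not in the inventory"))
        for sc in r.subcategories:
            if not SUBCAT_RE.match(sc):
                findings.append(("SUBCAT", f"{r.id}: malformed sub-category reference '{sc}'"))
        if r.treatment in ("accept", "deferred") and not (r.owner and r.rationale):
            findings.append(("OWNERLESS", f"{r.id}: '{r.treatment}' needs an owner and a rationale"))
        if r.genai_risk and r.genai_risk not in GENAI_RISKS:
            findings.append(("GENAI_NAME", f"{r.id}: '{r.genai_risk}' is not a 600-1 risk name"))
    return findings

# Constructed sample register: hypothetical systems, artifact ids and references.
SAMPLE_SYSTEMS = [
    System("support-chatbot", generative=True, scorecard={
        "valid_reliable": ("green", ["EVAL-07"]),
        "safe": ("green", []),                        # green with nothing behind it
        "secure_resilient": ("amber", ["REDTEAM-02"]),
        "accountable_transparent": ("green", ["POL-AI-01"]),
        "explainable_interpretable": ("amber", ["DOC-14"]),
        "privacy_enhanced": ("green", ["DPIA-03"]),
        "fair_bias_managed": ("green", ["BIAS-05"]),
    }),
    System("fraud-model", generative=False, scorecard={
        c: ("green", ["MODELCARD-FRAUD"]) for c in CHARACTERISTICS if c != "safe"
    }),                                               # 'safe' never rated
]
SAMPLE_RISKS = [
    Risk("R-01", "support-chatbot", "Refund policy confabulated to customers",
         ["MEASURE 2.5", "MANAGE 2.2"], "mitigate", "A. Lee", "Grounded retrieval plus citation check",
         genai_risk="Confabulation"),
    Risk("R-02", "support-chatbot", "Prompt injection via pasted ticket text",
         ["MEASURE 2.7"], "mitigate", "B. Ortiz", "Tool allow-list, input isolation",
         genai_risk="Information Security"),
    Risk("R-03", "fraud-model", "Score drift after retrain", ["MEASURE 3"], "accept"),
    Risk("R-04", "marketing-genai", "Brand-unsafe generated copy", ["MAP 1.1"], "deferred",
         "C. Park", "Roadmap item with owner and date"),
]

if __name__ == "__main__":
    for code, msg in lint(SAMPLE_SYSTEMS, SAMPLE_RISKS):
        print(f"[{code}] {msg}")
```

Run it in CI against the register export. On the constructed sample it returns six findings: the chatbot's "safe" rating with no artifact, ten of the twelve 600-1 risks unaddressed on a generative system, an accepted risk with no owner or rationale, a sub-category reference that is not a real reference, a risk filed against a system the inventory does not list, and a characteristic the fraud model never rated. A register that fails any of these is a Profile being filed, not operated.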
§ X · Cross-mapping

RMF against the rest of the AI stack.

NIST publishes crosswalks for the major frameworks; we maintain our own with finer granularity. The overlap figures below are our rough estimates, not NIST's. The shape that matters: RMF tells you the substance, the others tell you the shell.

Framework | Overlap with RMF | Where they differ
ISO/IEC 42001 | ~70% conceptual: Govern/Map/Measure/Manage maps to clauses 4-10 + Annex A. | RMF is voluntary and non-certifiable; 42001 is auditable. Run RMF as the methodology under 42001.
EU AI Act | ~50%: risk management, data governance, transparency, post-market monitoring map cleanly. | RMF is voluntary; the AI Act is binding law with conformity assessment, registration, and fines.
OECD AI Principles | ~85%: the trustworthy-AI characteristics align directly. | OECD is principles-only, with no operational structure.
OMB M-24-10 / M-25-21 | ~80%: M-24-10 referenced the RMF directly for federal agency AI use; its April 2025 successor M-25-21 keeps minimum risk-management practices for high-impact AI. | The memos add federal-specific obligations (use-case inventories; M-24-10's rights-impacting and safety-impacting categories, consolidated into high-impact AI by M-25-21).
SOC 2 | ~15%: nearly orthogonal. CC9 risk mitigation (vendor management) and CC3 risk assessment touch. | SOC 2 is service-organization controls; RMF is AI risk substance.
ISO/IEC 23894 | ~75%: AI risk management guidance built on ISO 31000, similar substance. | 23894 is non-certifiable guidance; it informs the risk-management clauses of 42001.
§ XI · 2026 outlook

RMF in year four.

The RMF was published in early 2023. The GenAI Profile arrived July 2024. Three things to watch in 2026:

  • Sector-specific Profiles. Healthcare, financial services, and HR communities are publishing tailored Profiles. Where one exists for your sector, start there.
  • Federal alignment. Obligations on agencies under OMB M-25-21 (the April 2025 successor to M-24-10) cascade to vendors through contract terms; RMF alignment is becoming a procurement floor for federal AI work.
  • Updated GenAI guidance. NIST has signaled additional GenAI evaluation guidance in the AI RMF Knowledge Base: particularly around evaluation methodology, red-teaming, and content provenance.

Read our deeper take in Field Notes Vol. III.

§ XII · Pairs with

RMF rarely stands alone.

In order of how often the question comes up alongside it.

§ XIII · FAQ

Frequently asked.

Can we get certified to NIST AI RMF? +
No. NIST does not certify and does not accredit certifiers. The framework is voluntary by design. You can self-attest alignment, build a Profile, and reference RMF in trust-page material: but no third-party certificate exists. For an auditable credential, pair with ISO 42001.
How long does an RMF Profile take? +
A defensible custom Profile, end to end: 10-16 weeks for a mid-sized AI program. Faster if your AI inventory is small and well-documented; longer if you're discovering shadow AI as you go.
What does it cost? +
A senior-led RMF Profile engagement is typically a fraction of a 42001 program: no CB fees, no annual surveillance. The investment is in artifact rigor: senior time across 10-16 weeks. See pricing structure »
Do federal customers require RMF alignment? +
Increasingly, particularly for AI products sold to agencies covered by the OMB AI governance memos (M-24-10, superseded in April 2025 by M-25-21). Some agency RFIs reference the RMF directly; CISA and DHS work has cited it.
What does the GenAI Profile add to all this? +
NIST AI 600-1 identifies 12 GenAI-specific risks (confabulation, IP, info integrity, value-chain, etc.) and maps suggested actions to RMF Core sub-categories. If you ship generative AI features, the GenAI Profile is operationally required reading.
Should we adopt RMF or jump straight to 42001? +
Depends on maturity. If you have no formal AI governance: start RMF, build a Profile, then layer 42001 in 6-12 months. If you're already running a mature program with internal risk frameworks: scope 42001 directly with RMF as the substantive methodology underneath. We help calibrate at scoping.
Can RMF satisfy EU AI Act obligations? +
Partially. RMF artifacts (risk register, impact assessments, third-party DD, monitoring) feed AI Act Article 9 (risk mgmt), 10 (data), 12 (logging), 13 (transparency), 27 (FRIA). RMF does not substitute for conformity assessment, EU registration, or specific GPAI obligations. See EU AI Act »
Does the RMF have a maturity model? +
Not formally. The framework is non-prescriptive. We layer a maturity rubric on top: Initial / Defined / Managed / Optimized per outcome: so leadership can track progress and target tiers. Some sector-specific Profiles include their own.
§ XIV · From the Brief

Field notes on NIST AI RMF.

Pieces from The Field Notes directly relevant to the framework.


Operationalizing AI RMF? Get the 5-minute scoping memo.

Five questions. One reply. Within 48 hours, a senior practitioner sends a written scoping memo: AI-system inventory observations, RMF Profile scope, a realistic 10–16 week calendar, GenAI-Profile applicability check, and a fee range. The booking link is at the bottom of the memo.
