NIST AI Risk Management Framework
Last reviewed
May 17, 2026
Sources
13 citations
Review status
Source-backed
Revision
v1 · 3,494 words
The NIST AI Risk Management Framework, commonly abbreviated AI RMF, is a voluntary guidance document developed by the United States National Institute of Standards and Technology to help organizations design, develop, deploy, and use artificial intelligence systems in ways that reduce harm and promote trustworthiness. Released as version 1.0 on January 26, 2023, the framework provides a structured but non-prescriptive approach centered on four core functions: Govern, Map, Measure, and Manage. Although the AI RMF carries no statutory enforcement power, it has become one of the most widely referenced touchstones for AI governance in the United States. Federal agencies, contractors, sector regulators, and private companies treat alignment with it as a de facto baseline. The framework also serves as the parent document for application-specific profiles, including the Generative AI Profile (NIST AI 600-1) released in July 2024.
The AI RMF is structured as a flexible, sector-agnostic playbook. NIST describes the document as "rights-preserving, non-sector-specific, and use-case agnostic," meaning it is meant to be usable by any organization that builds or operates AI, from a startup to a federal agency. It avoids checklist-style compliance language and instead encourages organizations to internalize practices that evolve with the technology. The parent framework is published as NIST AI 100-1, distinct from the companion playbook and the profiles published under the NIST AI 600 series.
The AI RMF rests on three premises. First, AI systems present technical, social, and organizational risks that older approaches such as enterprise or cybersecurity risk management do not fully address. Second, trustworthy AI emerges from many overlapping characteristics rather than a single metric. Third, AI risk management must be continuous and iterative across the lifecycle rather than a one-time gate before deployment. These premises explain why governance is treated as a cross-cutting function rather than a discrete step.
Congress directed NIST to develop the AI RMF through the National Artificial Intelligence Initiative Act of 2020, enacted as part of the William M. Thornberry National Defense Authorization Act for Fiscal Year 2021. The legislation tasked NIST with creating voluntary guidance to manage risks across the AI lifecycle, building on the institute's long tradition of consensus-driven, voluntary technical standards.
NIST initiated the development process in July 2021 with a request for information that gathered hundreds of stakeholder comments. A concept paper followed in December 2021. The first draft of the framework was issued for written comment ahead of a workshop on March 29 through 31, 2022, and the second draft was released ahead of a workshop on October 18 and 19, 2022. Each draft drew extensive comments from industry, civil society, academia, and government, all of which NIST made publicly available.
The final AI RMF 1.0 was released on January 26, 2023, alongside a draft Playbook, a Roadmap, crosswalks to other frameworks, a video explainer, and perspectives documents from contributors. The first complete Playbook arrived on March 30, 2023. NIST has since expanded the ecosystem through additional profiles, the AI Resource Center, and crosswalks that map AI RMF subcategories to standards such as ISO/IEC 42001 and the EU AI Act.
| Date | Milestone |
|---|---|
| January 1, 2021 | National AI Initiative Act of 2020 enacted, directing NIST to develop the framework |
| July 29, 2021 | NIST issues request for information on AI RMF development |
| December 13, 2021 | NIST publishes AI RMF concept paper |
| March 17, 2022 | First draft AI RMF released for public comment |
| August 18, 2022 | Second draft AI RMF released for public comment |
| January 26, 2023 | AI RMF 1.0 released, along with companion Playbook and Roadmap |
| March 30, 2023 | Complete AI RMF Playbook published |
| April 29, 2024 | Initial public draft of the Generative AI Profile (NIST AI 600-1) released |
| July 26, 2024 | Final Generative AI Profile (NIST AI 600-1) released |
| June 2025 | US AI Safety Institute reorganized as the Center for AI Standards and Innovation, retaining stewardship of AI RMF resources |
The AI RMF defines trustworthy AI through seven interrelated characteristics. NIST presents them as overlapping properties that must be balanced against one another through explicit tradeoffs, and warns that addressing each characteristic individually does not guarantee trustworthiness.
| Characteristic | What it covers |
|---|---|
| Valid and reliable | The system performs its intended function accurately and consistently in operational conditions. NIST treats this as the foundation on which the other characteristics rest |
| Safe | The system does not pose unacceptable risks to human life, health, property, or the environment |
| Secure and resilient | The system can withstand adversarial attacks, unexpected inputs, and operational stress, and can recover from failures |
| Accountable and transparent | The organization can document and explain who is responsible for the system, and stakeholders can understand the system's purpose, design, and behavior |
| Explainable and interpretable | Outputs and decisions can be understood by humans in ways appropriate to the use case |
| Privacy enhanced | The system protects personal information and respects privacy norms throughout the lifecycle |
| Fair with harmful bias managed | The system produces outcomes that do not unjustly disadvantage individuals or groups, with documented attention to harmful bias |
NIST treats valid and reliable as the base layer because no other characteristic is meaningful if the system does not work as intended. Accountable and transparent is depicted as a vertical column cutting across the others, reflecting the view that documentation and clear lines of responsibility are required for any property to be verifiable.
The operational core of the AI RMF is the set of four functions, each subdivided into categories and subcategories. They are intended to be performed continuously and in parallel rather than as sequential stages.
| Function | Purpose | Example activities |
|---|---|---|
| Govern | Establish a culture, structure, and set of policies for AI risk management across the organization | Define roles and accountability, establish escalation paths, integrate AI risk into enterprise risk management, allocate budget and staff, set documentation standards |
| Map | Understand the context and impact of an AI system before and during development | Identify stakeholders, document intended and unintended uses, map the value chain, perform impact assessments, decide whether to proceed |
| Measure | Use quantitative, qualitative, and mixed methods to analyze, benchmark, and monitor AI risk | Define metrics, conduct evaluations and red teaming, monitor production performance, document residual risk, perform third-party assessments |
| Manage | Allocate resources to mitigate, transfer, accept, or avoid mapped and measured risks | Prioritize risks, implement controls, set up incident response, communicate with stakeholders, decommission systems when warranted |
Govern sits at the center of the framework's visual model because it cuts across the other three functions, which assume the organization has the policies, accountability structures, and culture necessary to act on what Map and Measure surface. NIST emphasizes that the four functions form iterative loops rather than a waterfall, returning to earlier functions as systems evolve and new risks emerge.
Each function contains numbered categories. Govern includes Govern 1 through Govern 6, covering policies and procedures, accountability structures, workforce diversity and training, team culture, engagement with affected communities, and third-party risk. Map covers context establishment, categorization, AI capabilities and impacts, risks and benefits, and impact characterization. Measure covers metrics selection, evaluation of trustworthy characteristics, monitoring, and feedback. Manage covers prioritization, risk treatment, response and recovery, and communication.
The framework anchors its functions in a generic AI lifecycle that runs from problem framing and data collection through design, testing, deployment, operation, and decommissioning. NIST emphasizes that risks differ at each stage and may manifest differently for data subjects, developers, deployers, operators, and downstream affected individuals. This perspective is one reason the framework discourages treating AI risk management as a single pre-deployment review.
In July 2024, NIST released the Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile as document NIST AI 600-1. The profile is a cross-sectoral companion to the AI RMF focused on risks introduced or amplified by generative systems, including large language models, image generators, and code assistants. NIST developed it through the Generative AI Public Working Group, which focused on governance, content provenance, pre-deployment testing, and incident disclosure, pursuant to Executive Order 14110 on Safe, Secure, and Trustworthy Artificial Intelligence issued by President Biden in October 2023.
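To make the four functions concrete, the following is an added example, not NIST's code and not an official AI RMF artifact: a small check that a governance team might run over its own AI risk register to find entries that skip a function. The four functions and the Manage treatment options (mitigate, transfer, accept, avoid) come from the framework as described above; the register fields, the rules, and the three sample entries are constructed for this illustration.

```python
"""Check an AI risk register for gaps against the four AI RMF functions.

Added illustration, not NIST's code or an official AI RMF artifact. The
functions and the Manage treatment options come from the framework; the
register format, the checks, and the sample entries are constructed here.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Treatment options the AI RMF names under Manage.
TREATMENTS = {"mitigate", "transfer", "accept", "avoid"}


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    owner: str                  # Govern: accountable role for this risk
    context: str                # Map: deployment context and intended use
    characteristic: str         # trustworthiness characteristic most affected
    metric: str                 # Measure: what is measured
    threshold: float            # Measure: acceptance criterion for the metric
    measured: Optional[float]   # Measure: latest observed value, None if never measured
    higher_is_worse: bool       # direction in which the metric degrades
    treatment: str              # Manage: one of TREATMENTS
    rationale: str = ""         # Manage: justification, required when accepting an exceeded risk


def threshold_exceeded(e: RiskEntry) -> bool:
    """True when the latest measurement is on the wrong side of the acceptance criterion."""
    if e.measured is None:
        return False
    return e.measured > e.threshold if e.higher_is_worse else e.measured < e.threshold


def check_entry(e: RiskEntry) -> List[Tuple[str, str]]:
    """Return (function, finding) pairs for everything the register leaves undocumented."""
    findings = []
    if not e.owner.strip():
        findings.append(("Govern", "no accountable owner named"))
    if not e.context.strip():
        findings.append(("Map", "no deployment context or intended use recorded"))
    if e.measured is None:
        findings.append(("Measure", f"metric '{e.metric}' defined but never measured"))
    if e.treatment not in TREATMENTS:
        findings.append(("Manage", f"treatment {e.treatment!r} is not mitigate/transfer/accept/avoid"))
    elif e.treatment == "accept" and threshold_exceeded(e) and not e.rationale.strip():
        findings.append(("Manage", "risk exceeds its threshold and is accepted without a rationale"))
    return findings


def gaps_by_function(register: List[RiskEntry]) -> dict:
    """Count findings per AI RMF function across the whole register."""
    counts = Counter(func for e in register for func, _ in check_entry(e))
    return {f: counts.get(f, 0) for f in ("Govern", "Map", "Measure", "Manage")}


# Constructed sample register; the risks echo categories the Generative AI Profile names.
SAMPLE_REGISTER = [
    RiskEntry("R-001", "Prompt injection through retrieved documents",
              owner="AI platform lead", context="internal assistant over support tickets",
              characteristic="Secure and resilient", metric="injection test-suite pass rate",
              threshold=0.95, measured=0.88, higher_is_worse=False, treatment="mitigate"),
    RiskEntry("R-002", "Confabulated citations in customer answers",
              owner="", context="customer-facing support bot",
              characteristic="Valid and reliable", metric="unsupported-claim rate on held-out questions",
              threshold=0.05, measured=0.12, higher_is_worse=True, treatment="accept"),
    RiskEntry("R-003", "Personal data surfaced from training data",
              owner="Privacy officer", context="",
              characteristic="Privacy enhanced", metric="PII extraction probe hits",
              threshold=0, measured=None, higher_is_worse=True, treatment="defer"),
]

if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        for func, finding in check_entry(entry):
            print(f"{entry.risk_id} [{func}] {finding}")
    print(gaps_by_function(SAMPLE_REGISTER))
```

The check deliberately mirrors the framework's point that the functions are not sequential: R-001 fails its Measure threshold but is well-formed because Manage records an open mitigation, whereas R-002 is flagged twice, once under Govern for lacking an owner and once under Manage for accepting an exceeded risk without a documented rationale. A real register would add the lifecycle stage and the affected actors that Map asks for.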
The profile organizes generative AI risks into twelve categories, each linked to specific actions mapped to the four AI RMF functions.
| Risk category | What it captures |
|---|---|
| CBRN information or capabilities | Reduced barriers to design or acquire chemical, biological, radiological, or nuclear weapons |
| Confabulation | Generation of confidently asserted false content, sometimes called hallucination |
| Dangerous, violent, or hateful content | Outputs that promote or facilitate violence, self-harm, or hate speech |
| Data privacy | Memorization, extraction, or leakage of personal information through training data or prompts |
| Environmental impacts | Energy, water, and emissions associated with training and inference at scale |
| Harmful bias or homogenization | Bias against protected groups and convergence of outputs toward a narrow worldview |
| Human-AI configuration | Risks from poorly designed interfaces or automation that lead to over-reliance or misuse |
| Information integrity | Erosion of trust in information ecosystems, including synthetic media and disinformation |
| Information security | New attack surfaces such as prompt injection, model theft, and unsafe tool use |
| Intellectual property | Reproduction of copyrighted material or unauthorized use of trademarks |
| Obscene, degrading, or abusive content | Non-consensual intimate imagery, child sexual abuse material, and related harms |
| Value chain and component integration | Risks introduced by third-party models, datasets, fine-tunes, and downstream integrators |
The profile then lays out suggested actions across Govern, Map, Measure, and Manage, with each action linked to specific AI RMF subcategories and to the responsible actors in the value chain. It has become one of the most widely cited US references for generative AI governance, in part because it gives organizations a vocabulary for distinguishing categories of harm that often overlap in public discourse.
NIST has expanded the AI RMF ecosystem with companion resources that translate the framework's outcomes into concrete actions, metrics, and crosswalks.
| Resource | Description |
|---|---|
| AI RMF Playbook | A living set of suggested actions, references, and documentation prompts mapped to each AI RMF subcategory. The Playbook is maintained on the AI Resource Center and updated as practice evolves |
| AI RMF Roadmap | A list of priority topics for further work, including content authenticity, alignment, transparency tooling, and human-AI teaming |
| Crosswalks | Mappings from AI RMF subcategories to other standards including ISO/IEC 23894, ISO/IEC 42001, OECD AI Principles, the proposed EU AI Act, and Singapore's AI Verify |
| AI Resource Center (AIRC) | The web hub that hosts the framework, profile documents, playbook, glossary, and use case repository |
| Critical Infrastructure Profile | A draft profile under development for AI systems in critical infrastructure sectors such as energy, water, and transportation |
| AI 100-2 series | Adversarial machine learning taxonomy and mitigation guidance, published as NIST AI 100-2 |
| AI 100-4 series | Reducing risks posed by synthetic content and content authentication |
| Dioptra | An open-source software testbed published by NIST to support evaluation of machine learning system robustness |
NIST positions these documents as a layered library rather than a single monolithic standard. Organizations consult the parent AI RMF, then dip into the Playbook, profiles, and adversarial ML guidance as needed.
The AI RMF is closely tied to NIST's broader AI work, organized in part through a dedicated evaluation body. The body was established in 2023 as the US AI Safety Institute, or US AISI, with a mandate to develop guidelines, conduct evaluations, and engage with industry on frontier model risk. In June 2025, the second Trump administration reorganized it as the Center for AI Standards and Innovation, or CAISI, dropping "safety" from the name and reframing the mission around national security and pro-innovation standards.
Despite the renaming, CAISI continues to steward and extend the AI RMF. It coordinates several workstreams that build on the framework, including the AI RMF governance layer, the Control Overlays for Securing AI Systems project that maps AI risks onto the NIST SP 800-53 catalog of security controls, and a National Cybersecurity Center of Excellence concept paper on AI agent identity and authorization. CAISI is expected to release additional voluntary guidelines for AI agents and an AI Agent Interoperability Profile, both intended to function as profiles or companion documents under the AI RMF umbrella. The framework has become a stable anchor across two administrations even as the political framing around AI safety has shifted.
Although the AI RMF is voluntary, it has been adopted widely by federal agencies, contractors, sector regulators, and private companies. Several factors drive this adoption.
Federal agencies are encouraged or required to align AI activities with the framework through a series of executive actions. Executive Order 14110, issued by the Biden administration in October 2023, directed agencies to use the AI RMF and related NIST guidance in evaluating AI systems. Although Executive Order 14110 was rescinded early in the second Trump administration, the AI RMF survived the transition because it sits within NIST's ongoing statutory mandate. Subsequent guidance such as America's AI Action Plan and updates from the Office of Management and Budget continue to reference NIST guidance as the operational baseline for federal AI use.
Federal contractors face the most direct expectations. Procurement guidance and agency-specific contracting language increasingly require demonstration of NIST-aligned AI governance as a condition of award. Sector regulators including the Consumer Financial Protection Bureau, Food and Drug Administration, Securities and Exchange Commission, Federal Trade Commission, and Equal Employment Opportunity Commission have referenced AI RMF principles in expectations for safe deployment.
In the private sector, the framework is commonly used in three ways. Organizations adopt it as the backbone of internal AI policies and review processes. They use it as a crosswalk for aligning multiple obligations across ISO/IEC 42001, the EU AI Act, and sector standards. And vendors publish AI RMF-aligned attestations to ease enterprise procurement reviews. Because the AI RMF and ISO/IEC 42001 share substantial conceptual ground, many organizations adopt them together, with the AI RMF supplying the risk vocabulary and ISO/IEC 42001 the certifiable management system structure.
The AI RMF is one of three reference points that dominate global AI governance, alongside ISO/IEC 42001 and the EU AI Act. They differ in legal force, scope, and structure but share substantial conceptual overlap, often estimated at seventy to eighty percent on risk management practices.
| Feature | NIST AI RMF | ISO/IEC 42001 | EU AI Act |
|---|---|---|---|
| Issuing body | US National Institute of Standards and Technology | International Organization for Standardization and International Electrotechnical Commission | European Union (Regulation 2024/1689) |
| Legal status | Voluntary guidance | Voluntary standard, certifiable | Binding regulation with penalties |
| Released | January 26, 2023 | December 18, 2023 | Adopted 2024, phased application through 2027 |
| Scope | Any organization using AI, sector-agnostic | Any organization operating an AI management system | AI systems placed on or affecting the EU market |
| Risk approach | Outcome-based, four functions across the lifecycle | Management system with policies, controls, and continual improvement | Risk-tiered, with prohibited, high-risk, limited-risk, and minimal-risk categories |
| Generative AI coverage | Generative AI Profile (NIST AI 600-1) | General provisions applicable to all AI | Specific obligations for general-purpose AI models, including a systemic-risk tier |
| Enforcement | None directly, but referenced by regulators and procurement | Market enforcement via lost certifications | Administrative fines up to 35 million euros or 7 percent of global turnover |
| Certification | None | Yes, through accredited certification bodies | Conformity assessment for high-risk systems |
| Primary users | US federal agencies, contractors, multinationals | Enterprises seeking external assurance | Any provider, importer, distributor, or deployer of AI in the EU |
The three frameworks are complementary rather than competing. The AI RMF provides a shared vocabulary and a flexible scaffold of practices. ISO/IEC 42001 turns those practices into a certifiable management system. The EU AI Act adds binding obligations for high-risk uses and for general-purpose AI models. A mature governance program typically maps policies to all three, treating the AI RMF as the baseline lexicon, ISO/IEC 42001 as the management system, and the EU AI Act as the binding overlay for EU market access.
The AI RMF's voluntary, outcome-based design has proved durable. It allows organizations of vastly different sizes and sectors to use the same vocabulary without forcing each to adopt the same controls, and it is easier to update than a binding regulation, which is why NIST has been able to add the Generative AI Profile and other materials without reopening the parent document. By foregrounding tradeoffs among trustworthiness characteristics, it avoids the pitfall of treating fairness, accuracy, privacy, and security as independent boxes to check. The framework's emphasis on governance as a cross-cutting function is also widely viewed as a strength: by forcing organizations to define roles, allocate resources, and create escalation paths before they pick technical metrics, the AI RMF discourages the bolt-on compliance approach that has often plagued cybersecurity and privacy programs.
The most frequently cited limitation is that the AI RMF is voluntary. Without statutory teeth, it relies on procurement pressure, sector regulator references, and reputational dynamics to drive adoption. Critics argue this leaves a gap for smaller actors and fast-moving consumer products where market pressure alone may not be sufficient.
A second limitation is the abstraction level. Because the AI RMF is sector agnostic, it leaves the hardest questions, including specific metrics, thresholds, and acceptance criteria, to organizations. Smaller organizations without dedicated AI risk staff often struggle to translate outcomes into operational practice, which has fueled a market for consultants, software platforms, and crosswalk tools.
A third concern is the maturity of measurement science. Fairness, robustness, and explainability remain active research areas with no settled metrics. NIST acknowledges this in the Roadmap and through its AI 100-2 work, but practitioners note that the gap between framework expectations and the state of the art can leave organizations unsure how to demonstrate alignment. Finally, the framework's relationship to frontier AI safety, including catastrophic risk from highly capable systems, has shifted with the political environment. The 2025 reorientation of the US AI Safety Institute as CAISI led some observers to argue that frontier safety is receiving less explicit emphasis, although CAISI's workstreams suggest the substantive work continues under different framing.