
NIST AI Risk Management Framework (AI RMF): The Complete Guide

The NIST AI Risk Management Framework (AI RMF 1.0) is voluntary U.S. guidance for managing AI risk. Learn its four functions (GOVERN, MAP, MEASURE, MANAGE), the Generative AI Profile, how it compares to ISO 42001 and the EU AI Act, and how to adopt it.

Agen.co

In this article

  1. What is the NIST AI Risk Management Framework?
  2. Why the NIST AI RMF matters
  3. The AI RMF Core: the four functions
  4. The seven characteristics of trustworthy AI
  5. AI RMF Profiles: Current versus Target
  6. The Generative AI Profile (NIST-AI-600-1)
  7. The AI RMF Playbook
  8. NIST AI RMF versus ISO 42001 versus the EU AI Act
  9. How to implement the NIST AI RMF: an adoption roadmap
  10. Operationalizing the framework for modern AI
  11. Common mistakes to avoid
  12. Frequently asked questions
  13. Related resources
  14. Govern your AI with confidence


The NIST AI Risk Management Framework (AI RMF) is voluntary guidance from the U.S. National Institute of Standards and Technology that helps organizations identify, measure, and manage the risks of building and using artificial intelligence. NIST published it as AI 100-1 in January 2023. It gives teams a common, outcome-based way to make AI systems more trustworthy across their entire lifecycle.

This guide is written for the people now accountable for AI risk: security and GRC leaders, compliance officers, CISOs, and AI program owners. It explains what the framework is, how its four functions fit together, the seven characteristics of trustworthy AI it works toward, the 2024 Generative AI Profile, how it compares to ISO 42001 and the EU AI Act, and a practical roadmap for adopting it. If you want the broader picture of how all of this fits into a wider governance program, start with our guide to AI governance and use this page for the framework itself.

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework is a voluntary framework for managing the risks of artificial intelligence. NIST released version 1.0 as publication AI 100-1 on January 26, 2023, answering a Congressional directive to create guidance that helps organizations build trustworthiness into the design, development, use, and evaluation of AI products, services, and systems.

The word "framework" matters here. The AI RMF is not a checklist, a certification, or a law. It describes the outcomes a trustworthy AI program should achieve and leaves each organization to decide how to achieve them. That flexibility is deliberate. NIST built it to apply across sectors, company sizes, and use cases, from a single predictive model to a fleet of autonomous agents.

At its core, the framework does three things. It defines what "trustworthy AI" means through a set of characteristics, it organizes the work of managing AI risk into four functions, and it provides companion resources (profiles and a playbook) that help teams put those functions into practice.

What the AI RMF is and is not

  • It is voluntary. No U.S. law requires you to adopt it, though federal agencies increasingly reference it in procurement and regulatory guidance, which makes it a de facto baseline.
  • It is outcome-based. It tells you what good looks like, not the exact controls to deploy.
  • It is not certifiable. There is no formal assessment or audit that produces a NIST AI RMF certificate. That is what ISO/IEC 42001 is for.
  • It is not the EU AI Act. The EU AI Act is binding law with penalties. The AI RMF is guidance you choose to follow.

Why the NIST AI RMF matters

AI risk is now a board-level concern. Generative AI put powerful, unpredictable models into the hands of every employee. Third-party and embedded models sit inside software you did not build. And autonomous agents increasingly take actions, call tools, and access data on their own. Each of these expands the surface where AI can cause harm, whether that is leaking data, producing wrong or biased output, or acting outside its intended scope.

The AI RMF matters because it gives organizations a shared language and a repeatable method for that problem. Regulators reference it. Procurement teams ask about it. And it crosswalks cleanly to other standards, so adopting it rarely means throwing away work you have already done for security or privacy.

Here is the part most explainers miss. The framework's first function, GOVERN, is about culture, accountability, and policy, and for most enterprises that is the easy part. Writing an AI policy and standing up a committee is achievable in a quarter. The hard part is everything after it: actually mapping, measuring, and managing risk for AI you cannot fully see. Shadow AI that employees adopt without approval, third-party models embedded in your stack, and autonomous agents acting under their own identities all resist the neat boundaries a policy assumes. The framework only pays off if you can continuously discover, measure, and control AI in production, and that is a much harder problem than authoring a document. We come back to that frontier later in this guide.

The AI RMF Core: the four functions

The center of the framework is the AI RMF Core, which organizes the work of managing AI risk into four functions: GOVERN, MAP, MEASURE, and MANAGE. Each function breaks down into categories and then into specific, actionable subcategories. GOVERN is continuous and cuts across everything else. MAP, MEASURE, and MANAGE form an operating cycle you run throughout the AI lifecycle, not a set of one-time steps.

| Function | What it does | Categories | Subcategories |
| --- | --- | --- | --- |
| GOVERN | Cultivates a culture of AI risk management: accountability, policies, processes, and oversight across the lifecycle | 6 | 23 |
| MAP | Establishes the context to frame risk: intended use, capabilities, stakeholders, and potential benefits and harms | 5 | 15 |
| MEASURE | Analyzes, assesses, benchmarks, and monitors AI risk using quantitative, qualitative, and mixed methods | 4 | 18 |
| MANAGE | Allocates resources to treat risk, respond to and recover from incidents, and communicate about them | 4 | 11 |

GOVERN

GOVERN is the foundation. It establishes the culture, accountability structures, policies, and processes that make AI risk management real rather than aspirational. This is where you define who owns AI risk, what your risk tolerance is, how AI decisions are reviewed, and how the other three functions are resourced. GOVERN is not a phase you finish. It runs continuously and informs every MAP, MEASURE, and MANAGE activity.

MAP

MAP establishes context. Before you can manage the risk of an AI system, you have to understand what it is for, what it can do, who it affects, and what could go wrong. MAP is where you identify intended and unintended uses, document assumptions, catalog stakeholders, and frame benefits and harms in concrete terms. Done well, MAP is also where you build your AI inventory, including the AI you never formally procured.

MEASURE

MEASURE turns risk from a hunch into evidence. It uses quantitative, qualitative, and mixed-method tools to analyze, assess, benchmark, and monitor AI risk and its impacts. That means testing for accuracy and robustness, evaluating for bias and security, and, crucially, monitoring systems in production rather than only at launch. Without MEASURE, an organization is governing AI it cannot actually see.

MANAGE

MANAGE acts on what the other functions surface. It allocates resources to treat prioritized risks, choosing to avoid, mitigate, transfer, or accept each one, and it builds the plans to respond to, recover from, and communicate about AI incidents. MANAGE closes the loop and feeds the lessons back into GOVERN, completing the framework's continuous approach.

The seven characteristics of trustworthy AI

The four functions are the how. The seven characteristics of trustworthy AI are the what: the outcomes a well-run AI program works toward. NIST treats "valid and reliable" as foundational, because an AI system that does not work as intended cannot be safe, fair, or accountable in any meaningful way.

| Characteristic | What it means |
| --- | --- |
| Valid and Reliable | The system performs accurately and dependably under expected conditions. This is the foundation the others build on. |
| Safe | The system does not endanger human life, health, property, or the environment. |
| Secure and Resilient | The system withstands attacks and keeps functioning under adverse or unexpected conditions. |
| Accountable and Transparent | Roles and responsibilities are clear, and information about the system is available to the people it affects. |
| Explainable and Interpretable | The mechanisms behind an output, and the meaning of that output, can be understood by the people who need to. |
| Privacy-Enhanced | The system protects autonomy, identity, and dignity, and safeguards the data it uses. |
| Fair, with Harmful Bias Managed | The system promotes equity and actively manages harmful bias across human, technical, and societal dimensions. |

These characteristics often pull against each other. A more explainable model may be less accurate. A more private system may be harder to audit. The framework does not pretend those tensions away. It asks you to make the tradeoffs deliberately and document them, which is exactly what the MAP and MEASURE functions are for.

AI RMF Profiles: Current versus Target

A profile is how the framework gets specific. Instead of treating every AI system the same, profiles let you describe how the functions, categories, and subcategories apply to a particular use case, sector, or technology.

Two profile types matter most in practice:

  • Current Profile describes how your organization manages AI risk today, mapped against the AI RMF subcategories. It is an honest snapshot of where you are.
  • Target Profile describes the outcomes you need to reach given your risk tolerance and obligations. It is where you want to be.

The gap between your Current and Target Profiles is your roadmap. This gap analysis is one of the most useful things a team can do early, because it turns an abstract framework into a prioritized list of work. Profiles can also be use-case specific (an AI hiring tool, for example) or sector specific, and NIST and the wider community publish profiles others can adapt.
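The gap analysis described above is easy to automate once both profiles are recorded per subcategory. The following script is an added example, not code from this guide, from NIST, or from Agen: it assumes a constructed four-level maturity scale (none, partial, defined, measured), placeholder subcategory ids such as "MAP-1" rather than the framework's real ones, and a per-outcome risk weight that an organization would set from its own risk tolerance. It scores each gap, prioritizes the backlog, and reports how much of each function already meets the Target Profile.

```python
from dataclasses import dataclass

# Maturity scale used to score each subcategory. This is a constructed scale
# for the example; the AI RMF does not prescribe one, so an organization
# chooses its own levels and definitions.
LEVELS = {"none": 0, "partial": 1, "defined": 2, "measured": 3}
FUNCTION_ORDER = ["GOVERN", "MAP", "MEASURE", "MANAGE"]


@dataclass(frozen=True)
class Outcome:
    subcategory: str  # placeholder id; a real profile uses AI RMF ids such as "GOVERN 1.1"
    function: str     # one of FUNCTION_ORDER
    current: str      # maturity recorded in the Current Profile
    target: str       # maturity required by the Target Profile
    risk_weight: int  # 1 (low) to 3 (high), set from the organization's risk tolerance


def _level(name: str) -> int:
    if name not in LEVELS:
        raise ValueError(f"unknown maturity level: {name!r}")
    return LEVELS[name]


def gap_analysis(outcomes):
    """Compare Current and Target Profiles and return a prioritized backlog.

    Each entry carries the gap (target minus current, floored at zero) and a
    priority score of gap * risk_weight. Outcomes already at or above target
    are left out. Ties are broken by gap size, then framework function order,
    then subcategory id, so the backlog is deterministic.
    """
    backlog = []
    for o in outcomes:
        if o.function not in FUNCTION_ORDER:
            raise ValueError(f"unknown function: {o.function!r}")
        gap = max(0, _level(o.target) - _level(o.current))
        if gap == 0:
            continue
        backlog.append({
            "subcategory": o.subcategory,
            "function": o.function,
            "gap": gap,
            "priority": gap * o.risk_weight,
        })
    backlog.sort(key=lambda e: (-e["priority"], -e["gap"],
                                FUNCTION_ORDER.index(e["function"]),
                                e["subcategory"]))
    return backlog


def coverage_by_function(outcomes):
    """Share of each function's outcomes that already meet the Target Profile.

    A function with no outcomes recorded maps to None rather than 0.0, so
    "not assessed" is not mistaken for "nothing in place".
    """
    tallies = {f: [0, 0] for f in FUNCTION_ORDER}  # [met, total]
    for o in outcomes:
        if o.function not in tallies:
            raise ValueError(f"unknown function: {o.function!r}")
        tallies[o.function][0] += int(_level(o.current) >= _level(o.target))
        tallies[o.function][1] += 1
    return {f: (met / total if total else None) for f, (met, total) in tallies.items()}


# Constructed sample profile: seven placeholder subcategories, not the
# framework's real ones.
SAMPLE_PROFILE = [
    Outcome("GOVERN-1", "GOVERN", "defined", "defined", 3),
    Outcome("GOVERN-2", "GOVERN", "partial", "measured", 2),
    Outcome("MAP-1", "MAP", "none", "defined", 3),
    Outcome("MAP-2", "MAP", "partial", "defined", 1),
    Outcome("MEASURE-1", "MEASURE", "none", "measured", 3),
    Outcome("MANAGE-1", "MANAGE", "defined", "defined", 2),
    Outcome("MANAGE-2", "MANAGE", "partial", "measured", 3),
]

if __name__ == "__main__":
    for item in gap_analysis(SAMPLE_PROFILE):
        print(f"{item['priority']:>2}  {item['subcategory']:<10} gap={item['gap']}")
    for fn, share in coverage_by_function(SAMPLE_PROFILE).items():
        shown = "n/a" if share is None else f"{share:.0%}"
        print(f"{fn:<8} at target: {shown}")
```

The weighting is deliberately simple so the ordering is explainable to a governance committee: the item at the top of the backlog is the largest gap on the outcome you care most about. Swap in your own scale and weights, but keep the tie-breaking rule, otherwise two runs over the same profiles can produce differently ordered backlogs.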

The Generative AI Profile (NIST-AI-600-1)

The original AI RMF predates the generative AI boom. To close that gap, NIST released the Generative AI Profile, publication NIST-AI-600-1, on July 26, 2024, pursuant to Executive Order 14110 on safe, secure, and trustworthy AI. It is a cross-sectoral companion profile that helps organizations apply the AI RMF specifically to generative AI.

The Generative AI Profile identifies twelve risk categories that generative systems either create or significantly amplify:

| Risk category | In plain terms |
| --- | --- |
| CBRN Information or Capabilities | Lowering the barrier to chemical, biological, radiological, or nuclear harm |
| Confabulation | Confidently stated but false output ("hallucination") |
| Dangerous, Violent, or Hateful Content | Generating content that incites or enables harm |
| Data Privacy | Leaking or inferring personal or sensitive data |
| Environmental Impacts | The energy and resource cost of training and inference |
| Harmful Bias and Homogenization | Amplifying bias or flattening the diversity of outputs |
| Human-AI Configuration | Over-reliance, misuse, or poor handoff between people and the system |
| Information Integrity | Generating or spreading misinformation at scale |
| Information Security | New attack surfaces such as prompt injection and data exfiltration |
| Intellectual Property | Reproducing or infringing protected work |
| Obscene or Degrading Content | Producing non-consensual or abusive material |
| Value Chain and Component Integration | Risk inherited from third-party models, data, and components you did not build |

Why the Generative AI Profile matters for autonomous agents

Several of these categories get sharper the moment generative models are wired into autonomous AI agents that plan and act on their own. Human-AI Configuration risk grows when an agent operates with limited oversight. Information Security risk grows when an agent can call tools, browse, and move data. Value Chain risk compounds when agents chain together third-party models and components. Managing generative AI risk and managing agentic AI risk are increasingly the same problem, which is why MAP, MEASURE, and MANAGE have to extend to non-human actors, not just models in isolation.

The AI RMF Playbook

If the Core tells you what outcomes to pursue, the AI RMF Playbook helps you work out how. The Playbook is a companion resource that offers suggested actions, references, and documentation guidance for the subcategories in the Core. It is not mandatory, and it is not meant to be followed top to bottom. Teams pick the subcategories most relevant to their risk and use the Playbook's suggestions as a starting point, then adapt them to their own context.

In practice, the Playbook is where a Target Profile turns into concrete work. Once you know which outcomes you are aiming for, the Playbook gives you a vetted set of actions and evidence to consider for each one. That saves teams from inventing controls from scratch.

NIST AI RMF versus ISO 42001 versus the EU AI Act

These are the three frameworks people most often confuse, and they serve very different purposes. Understanding the difference prevents wasted effort. In short: the NIST AI RMF is a voluntary risk-management framework, ISO/IEC 42001 is a certifiable management-system standard, and the EU AI Act is binding law.

| Dimension | NIST AI RMF 1.0 | ISO/IEC 42001:2023 | EU AI Act |
| --- | --- | --- | --- |
| Type | Voluntary risk-management framework | Certifiable management-system standard (AIMS) | Binding law |
| Legal force | None; referenced by regulators and procurement | None directly; driven by market and procurement | Mandatory for AI placed or used in the EU market |
| What it asks for | Outcomes; you decide how to achieve them | That the organization has the right structures and processes in place | Use-case-specific product requirements by risk tier |
| Assessment | No formal assessment | Two-stage third-party certification audit | Conformity assessment for high-risk systems |
| Penalties | None | Loss of certification can mean lost contracts | Up to EUR 35 million or 7% of global annual turnover |
| Best when | You want a flexible, outcome-based AI risk program | You need to prove governance maturity to buyers or auditors | You sell or deploy AI into the EU |

These are complementary, not competing. Many enterprises use the NIST AI RMF as their operating model for managing risk, pursue ISO/IEC 42001 certification to prove that program to customers and auditors, and treat the EU AI Act as the legal floor for anything they ship into Europe. It is also worth knowing that ISO/IEC 23894 is the ISO guidance on AI risk management itself, the closest ISO counterpart to the RMF's risk approach, while 42001 certifies the management system around it. For the bigger picture of how these standards fit into a single program, see our guide to AI governance.

How to implement the NIST AI RMF: an adoption roadmap

Because the framework is outcome-based, there is no single prescribed sequence. But a phased rollout works well for most organizations and keeps the early effort focused.

Phase 1 (roughly months 1 to 3): govern and inventory. Stand up an AI governance committee with executive sponsorship and cross-functional representation. Build an AI inventory that includes the AI you never formally procured: shadow AI tools, embedded model features, and third-party services. Define your organization's AI risk tolerance. This is GOVERN, plus the start of MAP.

Phase 2 (roughly months 3 to 6): policy and profiles. Author AI lifecycle policies covering development standards, procurement requirements, deployment gates, monitoring, and decommissioning. Build your Current Profile by mapping existing risk activities to the AI RMF subcategories, then define your Target Profile. The gap between them becomes your prioritized backlog.

Phase 3 (ongoing): run the cycle. For each AI system, run the MAP, MEASURE, and MANAGE cycle continuously across the lifecycle, starting at plan and design and never really stopping. Re-measure in production, treat new risks as they surface, and feed what you learn back into GOVERN.

NIST AI RMF implementation checklist

  • Establish an AI governance committee with a clear owner and executive sponsor.
  • Build and maintain a living AI inventory, including shadow AI and third-party models.
  • Define and document your AI risk tolerance.
  • Author AI lifecycle policies (development, procurement, deployment, monitoring, decommissioning).
  • Create a Current Profile mapped to the AI RMF subcategories.
  • Define a Target Profile and run a gap analysis.
  • Use the AI RMF Playbook to select concrete actions for priority subcategories.
  • Apply the Generative AI Profile to any generative or agentic systems.
  • Instrument MEASURE: testing, evaluation, and continuous production monitoring.
  • Define MANAGE playbooks: risk treatment decisions and AI incident response.
  • Review and update profiles on a set cadence as systems and risks change.

Operationalizing the framework for modern AI

This is where most AI risk programs either succeed or stall. Authoring policy under GOVERN is straightforward. The frontier is MAP, MEASURE, and MANAGE for AI you do not fully control: shadow AI adopted without approval, third-party and embedded models, and autonomous agents that act under their own identities. A framework outcome like "monitor AI risk in production" only becomes real if you can actually see every model and agent operating in your environment.

It helps to translate the functions into concrete operational capabilities:

  • MAP becomes discovery. You cannot frame the risk of AI you do not know exists. Continuous discovery of models, AI features, and agents is what makes the inventory honest.
  • MEASURE becomes monitoring and audit. Telemetry on what agents do, what data they touch, and how models behave in production turns periodic testing into continuous assurance.
  • MANAGE becomes controls and response. Guardrails, access controls scoped to each agent's identity, and an incident path for AI-specific events are how you treat risk rather than just describe it.

This is sharpest for autonomous agents. An agent that authenticates, calls tools, and accesses data is a non-human actor. It needs its own identity, its own least-privilege access, and its own audit trail. To see how fast this risk is growing in practice, our analysis of the agentic AI security gap shows what happens when agent adoption outruns governance. Securing and governing those agents is the operational layer that makes MAP, MEASURE, and MANAGE achievable for agentic AI. For a foundation on the actors involved, see our guide to AI agents and how they work.
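To make the three operational capabilities above concrete, here is an added example (not code from this guide or from Agen) of the smallest version of that operational layer: a registry that gives each agent its own identity and least-privilege scope (MANAGE), a deny-by-default authorization check that writes every decision to an audit trail (MANAGE and the evidence MEASURE needs), and a detection pass over that trail that flags agents repeatedly acting outside their scope or identities that were never registered at all (MEASURE feeding back into MAP). The agent ids, tool names, data classifications, and call sequence are all constructed for illustration; a real deployment would back the registry with its identity provider and ship the audit records to its SIEM.

```python
import json
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AgentIdentity:
    agent_id: str
    owner: str               # accountable human or team (GOVERN)
    allowed_tools: frozenset  # least-privilege tool scope (MANAGE)
    data_scopes: frozenset    # data classifications the agent may touch


# Constructed agent registry. Anything not listed here, or not within an
# agent's listed scope, is denied.
REGISTRY = {
    "agent-support-bot": AgentIdentity(
        "agent-support-bot", "support-team",
        frozenset({"kb.search", "ticket.update"}),
        frozenset({"public", "internal"})),
    "agent-finance-reconciler": AgentIdentity(
        "agent-finance-reconciler", "finance-ops",
        frozenset({"ledger.read", "report.write"}),
        frozenset({"internal", "confidential"})),
}


def authorize(agent_id, tool, data_class, audit_log):
    """Deny-by-default check for one tool call, recorded to the audit trail.

    Returns True only when the agent is registered, the tool is in its
    allowed set, and the data classification is within its scope. Every
    decision, allowed or denied, is appended to audit_log so MEASURE has
    evidence to work from rather than only the allowed calls.
    """
    agent = REGISTRY.get(agent_id)
    if agent is None:
        decision, reason = "deny", "unknown_agent"
    elif tool not in agent.allowed_tools:
        decision, reason = "deny", "tool_out_of_scope"
    elif data_class not in agent.data_scopes:
        decision, reason = "deny", "data_out_of_scope"
    else:
        decision, reason = "allow", "in_scope"
    audit_log.append({
        "agent_id": agent_id,
        "owner": agent.owner if agent else None,
        "tool": tool,
        "data_class": data_class,
        "decision": decision,
        "reason": reason,
    })
    return decision == "allow"


def flag_agents(audit_log, deny_threshold=2):
    """MEASURE over the audit trail.

    Flags agents whose denied calls reach deny_threshold, plus any identity
    absent from the registry (one call from an unregistered agent is a
    finding on its own: it belongs in the inventory or it should not run).
    Returns {agent_id: {"denied": n, "reasons": [...]}} for MANAGE to act on.
    """
    denied = defaultdict(list)
    for rec in audit_log:
        if rec["decision"] == "deny":
            denied[rec["agent_id"]].append(rec["reason"])
    findings = {}
    for agent_id, reasons in denied.items():
        if len(reasons) >= deny_threshold or "unknown_agent" in reasons:
            findings[agent_id] = {"denied": len(reasons),
                                  "reasons": sorted(set(reasons))}
    return findings


# Constructed sequence of tool calls, as an agent runtime would present them.
SAMPLE_CALLS = [
    ("agent-support-bot", "kb.search", "public"),
    ("agent-support-bot", "ticket.update", "internal"),
    ("agent-support-bot", "ledger.read", "confidential"),
    ("agent-support-bot", "kb.search", "confidential"),
    ("agent-finance-reconciler", "ledger.read", "confidential"),
    ("agent-finance-reconciler", "report.write", "internal"),
    ("agent-rogue-script", "ledger.read", "confidential"),
]


def run_sample():
    """Authorize each sample call and return the resulting audit trail."""
    audit_log = []
    for agent_id, tool, data_class in SAMPLE_CALLS:
        authorize(agent_id, tool, data_class, audit_log)
    return audit_log


if __name__ == "__main__":
    log = run_sample()
    for rec in log:
        print(json.dumps(rec))  # one JSON line per decision, SIEM-friendly
    print(json.dumps(flag_agents(log), indent=2))
```

Two design points matter more than the specifics. The check denies by default, so a new tool or data class an agent starts reaching for is a logged denial rather than a silent success, and the audit record is written on every decision, so the detection pass has something to measure even for agents that never succeed. An identity that is not in the registry is the operational form of the "shadow AI" blind spot the MAP section warns about.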

Common mistakes to avoid

  • Treating it as a one-time checklist. The framework is a continuous cycle. A single assessment at launch misses the risks that emerge in production.
  • Stopping at GOVERN. A policy and a committee are necessary but not sufficient. The value is in MAP, MEASURE, and MANAGE.
  • Ignoring shadow AI in MAP. An inventory that only contains officially procured AI is not an inventory. It is a blind spot.
  • Skipping continuous MEASURE. Testing once and assuming the model stays the same ignores drift, new attacks, and changing usage.
  • Forgetting non-human identities. Autonomous agents act on their own. A program that governs only people and models, not agents and their access, leaves the fastest-growing risk uncovered.
  • Confusing voluntary guidance with binding law. The AI RMF is voluntary. The EU AI Act is not. Conflating them leads to either over-spending or non-compliance.

Frequently asked questions

Is the NIST AI Risk Management Framework mandatory?

No. The AI RMF is voluntary guidance, and no U.S. law requires you to adopt it. That said, federal agencies increasingly reference it in procurement and regulatory guidance, so in practice it has become a common baseline that customers and regulators expect organizations to be aware of.

What are the four functions of the NIST AI RMF?

GOVERN, MAP, MEASURE, and MANAGE. GOVERN establishes culture, accountability, and policy across the lifecycle. MAP frames the context and risk of a system. MEASURE analyzes and monitors that risk. MANAGE treats the risk and handles incident response. GOVERN is continuous, while MAP, MEASURE, and MANAGE form an ongoing operating cycle.

What are the seven characteristics of trustworthy AI in the AI RMF?

Valid and reliable (the foundation), safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. They are the outcomes the four functions work toward.

What is the NIST AI RMF Generative AI Profile (NIST-AI-600-1)?

It is a companion profile NIST released on July 26, 2024, that applies the AI RMF specifically to generative AI. It identifies twelve risk categories, such as confabulation, data privacy, information security, and value chain risk, that generative systems create or amplify.

What is the difference between the NIST AI RMF and ISO 42001?

The NIST AI RMF is a voluntary, outcome-based risk-management framework with no formal assessment. ISO/IEC 42001 is a certifiable management-system standard: an accredited body audits your AI management system and can issue a certificate. Many organizations use the RMF as their operating model and pursue ISO 42001 to prove that program to customers.

Is the NIST AI RMF the same as the EU AI Act?

No. The EU AI Act is binding law that imposes use-case-specific requirements on AI placed or used in the EU, with significant penalties. The NIST AI RMF is voluntary U.S. guidance with no legal force. They are complementary: the RMF can help you operationalize the kind of risk management the EU AI Act expects.

What is the AI RMF Playbook?

The Playbook is a companion resource that suggests concrete actions, references, and documentation for the subcategories in the AI RMF Core. It is voluntary and meant to be used selectively, helping teams turn target outcomes into specific work.

How do I start implementing the NIST AI RMF?

Start by standing up an AI governance committee and building an AI inventory that includes shadow AI and third-party models. Define your risk tolerance, then build a Current Profile of how you manage AI risk today and a Target Profile of where you need to be. The gap becomes your roadmap, which you execute through the MAP, MEASURE, and MANAGE cycle.

What is a Current Profile versus a Target Profile?

A Current Profile describes how your organization manages AI risk today, mapped to the AI RMF subcategories. A Target Profile describes the outcomes you need to achieve. The difference between them is your prioritized improvement plan.

Related resources

  • AI governance: the complete guide to governing AI and autonomous agents
  • Autonomous AI agents
  • What is agentic AI
  • What are AI agents

Govern your AI with confidence

The NIST AI RMF gives you the outcomes. Making them real comes down to one question: can you see, measure, and control the AI actually running in your environment, including the autonomous agents acting on their own? That is where an operational layer for AI agents comes in. Talk to Agen about governing and securing AI agents with identity, access, and observability built for non-human actors, so the framework's MAP, MEASURE, and MANAGE outcomes become something you can operate every day.
