The NIST AI Risk Management Framework, usually shortened to the NIST AI RMF, is a voluntary framework published by the US National Institute of Standards and Technology to help organizations manage the risks of artificial intelligence. Released in its first version in January 2023, it has become the most widely referenced framework for AI governance and risk, used by organizations far beyond the United States because it is practical, technology-neutral, and maps cleanly onto other regimes such as the EU AI Act and ISO 42001. If you build or deploy AI and need a structured way to manage its risk, the AI RMF is the natural starting point.
Unlike a regulation, the AI RMF is not mandatory and does not certify anyone. It is a framework: a structured way to think about, measure, and reduce AI risk that an organization adopts voluntarily. That makes it flexible, but it also means the value comes from how seriously you apply it. This article explains what the framework contains, its four core functions, and how it fits with the regulatory obligations many organizations also face. We help organizations apply it through our security program and risk service.
The AI RMF is guidance for identifying, measuring, and managing the risks that AI systems pose to people, organizations, and society. It is built around the idea of trustworthy AI: systems that are valid and reliable, safe, secure and resilient, accountable and transparent, explainable, privacy-enhanced, and fair. The framework helps an organization reason about those properties across the AI lifecycle, from design through deployment and monitoring, rather than treating AI risk as a one-time check.
It comes in two parts. The first frames AI risk and the characteristics of trustworthy AI. The second, the core, organizes the practical work into four functions that run continuously. NIST also publishes a companion playbook and profiles that help tailor the framework to specific contexts, including a profile for generative AI.
The heart of the AI RMF is four functions, Govern, Map, Measure, and Manage, that together form a continuous cycle rather than a linear checklist.
Govern sits at the center and informs the other three. The cycle repeats, because AI systems and their risks change over time, and a framework applied once quickly goes stale.
The AI RMF does not tell you AI is low risk or high risk. It gives you a disciplined way to find out, measure it, and do something about it, before regulators or attackers do it for you.
A voluntary framework can seem easy to ignore, but the AI RMF has become a de facto standard for several reasons.
These three are complementary, not competing. The EU AI Act is binding law that sets obligations by risk tier for AI used in the EU. ISO/IEC 42001 is a certifiable standard for an AI management system, the AI equivalent of ISO 27001. The NIST AI RMF is a voluntary framework that helps you do the underlying work. In practice, many organizations use the AI RMF as the operating framework, pursue ISO 42001 for a certifiable management system, and treat the EU AI Act as the binding obligation they must meet. We explain the regulation on our EU AI Act page. The relationship between the three matters because aligning them avoids duplicated effort.
The common thread is measurement. All three expect you to test and evaluate AI systems, not just document policies. That is where security testing connects to governance: AI red teaming and AI penetration testing produce the evidence the Measure function and the regulation both require.
Applying the framework well follows a clear sequence, scaled to your organization.
No. The AI RMF is a voluntary framework, not a regulation, and it does not certify organizations. However, it has become a de facto standard for AI risk management and is widely used to work toward binding obligations such as the EU AI Act.
Govern, Map, Measure, and Manage. Govern establishes the culture and accountability and sits at the center; Map establishes context and risk; Measure analyzes and tracks risk through testing; Manage prioritizes and acts. Together they form a continuous cycle.
They are complementary. The EU AI Act is binding law setting obligations by risk tier, while the AI RMF is a voluntary framework that helps you do the work to meet them. Many organizations use the AI RMF as their operating framework for EU AI Act readiness.
ISO 42001 is a certifiable standard for an AI management system, while the AI RMF is a voluntary framework for managing AI risk. They align well: the AI RMF helps structure the work, and ISO 42001 provides a certifiable management system around it.
The NIST AI RMF gives organizations a disciplined, recognized way to manage AI risk, and it connects governance to the testing that actually reduces it. If you need to stand up AI governance or align it with the EU AI Act and ISO 42001, see our security program and risk service and book a scoping call.