United States · NIST AI 100-1 · In force

NIST AI RMF — the de facto US baseline for AI risk management.

How Hael runs the substantive controls behind NIST's AI Risk Management Framework 1.0 — and produces the GOVERN, MAP, MEASURE, MANAGE profile that US federal procurement and the Treasury FS AI RMF map onto.

Published: Jan 2023
Core functions: 4
Status: Voluntary (for now)
Procurement floor: Federal

What NIST AI RMF requires

NIST AI RMF is the US federal government's voluntary framework for managing risks across the AI lifecycle. Published by the National Institute of Standards and Technology in January 2023, it has rapidly become the de facto baseline that other US frameworks reference. The US Treasury's Financial Services AI Risk Management Framework — closing in February 2026 — explicitly maps onto NIST AI RMF. Federal procurement increasingly requires NIST AI RMF profiles. State legislation (Colorado SB 24-205, Texas HB 149) references its terminology.

The framework structures AI risk management around four functions. GOVERN establishes organisational AI risk management practice. MAP categorises AI systems and contexts to identify risks. MEASURE applies metrics, methodologies and benchmarks to those risks. MANAGE allocates resources and implements responses to risks. Each function decomposes into categories and subcategories — over 70 outcome statements organisations are expected to evidence.

NIST AI RMF is voluntary in name only. Federal contractors, financial services firms, healthcare organisations and critical infrastructure operators are increasingly required to demonstrate NIST AI RMF profile compliance as a procurement prerequisite. The framework's profile concept — a tailored statement of an organisation's AI risk management approach mapped against the four functions — has become the standard artefact procurement teams ask for.

NIST AI RMF is voluntary in name only. Federal procurement floors have made it mandatory in practice.

The artefact, not the policy

A NIST AI RMF profile is not a policy document. It is a substantive statement of how an organisation runs each of the four functions against its specific AI portfolio. The profile must reference the AI systems in scope, the risk categorisations applied, the metrics measured, the management actions taken and the evidence demonstrating each. Procurement teams asking for NIST AI RMF compliance want this profile — not a Word document attesting that the organisation 'considers' NIST AI RMF.

Hael generates the profile from operational state. The agent registry populates the MAP function with the AI systems in scope and their risk categorisations. The lifecycle state machine drives the MEASURE function with continuous metrics. The control execution engine drives the MANAGE function with documented risk responses. The audit chain captures the GOVERN function with the organisational decisions, oversight assignments and policy bindings the profile must reference.

How Hael runs it

Hael ships a complete NIST AI RMF profile generator. Each function's outcome statements are mapped against substantive evidence collectors. GOVERN pulls from policy approvals, oversight assignments and incident records. MAP pulls from the agent registry and risk classification engine. MEASURE pulls from continuous monitoring telemetry and bias evaluation runs. MANAGE pulls from control execution records and incident response chains.

The generated profile arrives as a portable, hash-chained PDF sealed with cryptographic provenance. Updates regenerate from current state — your NIST AI RMF profile reflects today's operational reality, not last quarter's snapshot. The same artefact-production engine that generates your EU AI Act Annex IV file generates your NIST AI RMF profile, with no duplicate evidence collection.

Procurement asks for the profile. Hael ships the profile from live operational state.

| Function | Outcome | Coverage | How Hael runs it |
|---|---|---|---|
| GOVERN-1.1 | Legal and regulatory requirements understood | Full | Policy library mapped to applicable frameworks per AI system |
| GOVERN-1.2 | Trustworthy AI characteristics integrated | Full | Risk classification engine references NIST trustworthy AI properties |
| GOVERN-1.3 | Processes inclusive of AI actors | Full | Stakeholder registry and consultation records sealed in audit chain |
| GOVERN-2.1 | Roles and responsibilities documented | Full | Per-agent ownership and oversight assignments in agent registry |
| GOVERN-3.1 | Decision-making processes for AI established | Full | Lifecycle state machine enforces governance gates |
| GOVERN-4.1 | Cultivating organisational practice | Partial | Training and awareness records via integration partners |
| MAP-1.1 | Intended purpose articulated | Full | Required field in agent registration |
| MAP-1.2 | Inter-disciplinary AI actor input | Full | Multi-role approval workflow on agent registration |
| MAP-1.5 | Risks and benefits to context | Full | Fundamental rights and risk assessment workflows |
| MAP-2.1 | Categorisation of AI system | Full | Automated risk-tier classification with human override |
| MAP-2.3 | AI capabilities, targeted usage, goals | Full | Capability surface and use-case binding in registry |
| MAP-3.1 | Potential benefits assessed | Full | Benefits assessment artefact generated and sealed |
| MAP-3.4 | Mission-relevant risks documented | Full | Risk register per agent with categorisation |
| MAP-4.1 | Approaches for mapping AI risks | Full | Risk taxonomy mapped to four NIST functions |
| MEASURE-1.1 | Methods for measuring AI risks | Full | Continuous monitoring with configurable metrics |
| MEASURE-2.1 | Test sets, metrics, benchmarks | Full | Evaluation pipeline with benchmark integration |
| MEASURE-2.3 | System performance evaluation | Full | Continuous capture of performance telemetry |
| MEASURE-2.5 | Validity and reliability documented | Full | Model card generation with validity statements |
| MEASURE-2.7 | Trustworthy AI characteristics measured | Full | Per-characteristic evidence collectors |
| MEASURE-2.11 | Fairness and bias measured | Full | Bias evaluation pipeline with documented methodology |
| MANAGE-1.1 | Approach for prioritising AI risks | Full | Risk prioritisation workflow with documented criteria |
| MANAGE-1.2 | Treatment of identified risks | Full | Risk treatment register with decision audit |
| MANAGE-2.1 | Resource allocation for risk management | Full | Resource attribution in management records |
| MANAGE-3.1 | Responses to AI risks | Full | Incident chain with response documentation |
| MANAGE-4.1 | Post-deployment monitoring | Full | Continuous post-market monitoring per agent |

Questions

Is NIST AI RMF mandatory?

NIST AI RMF is voluntary. In practice, federal procurement increasingly requires NIST AI RMF profile evidence. US Treasury's Financial Services AI RMF — closing February 2026 — explicitly maps onto NIST AI RMF, making it effectively mandatory for regulated financial services firms. State legislation in Colorado, Texas and New York references NIST AI RMF terminology.

What is a NIST AI RMF profile?

A profile is a tailored statement of how an organisation manages AI risks against the four core functions (GOVERN, MAP, MEASURE, MANAGE). It must reference the AI systems in scope, the risk categorisations applied, the metrics measured and the management actions taken. Procurement teams asking for NIST AI RMF compliance want this profile, not a generic policy attestation.

How does NIST AI RMF relate to ISO/IEC 42001?

ISO/IEC 42001 is a certifiable management system standard with Annex A controls and audit requirements. NIST AI RMF is a voluntary US framework with outcome statements organised by function. The two overlap substantially — Hael produces both artefacts from the same evidence base, generating profile-style artefacts for NIST and AIMS records for ISO with no duplicate collection.

How does NIST AI RMF relate to the US Treasury FS AI RMF?

Treasury FS AI RMF is the financial-services-specific tailoring of NIST AI RMF. It inherits the four-function structure and outcome statements, adds financial-services-specific risk categories and supervisory expectations, and is expected to extend to GenAI applications via SR 26-02. Compliance with Treasury FS AI RMF requires NIST AI RMF profile evidence as a baseline.

Can Hael generate a NIST AI RMF profile from existing GRC data?

Yes, with caveats. Hael imports policy documentation, risk registers and existing compliance artefacts as inputs, but generates the profile from substantive operational state — model performance metrics, bias evaluations, incident records, governance decisions. Existing documentation seeds the profile; live state validates it.

See Hael generate your NIST AI RMF profile.

A scoped four-week proof-of-value: register your agents, classify against the four functions, generate your first sealed profile.
