NIST AI RMF requirements and core guide
- The RMF is voluntary, so its "requirements" are recommended outcomes, not legal obligations.
- Its content is structured as functions, categories, and subcategories, moving from high-level to actionable.
- The Playbook offers suggested actions; profiles tailor the framework to a context or sector.
- Adopt a deliberate subset for your systems and connect the expectations to real records.
- Current as of June 2026. This is general information, not legal advice.
"Requirements" in a voluntary framework
It helps to be precise about language. The RMF does not require anything in the legal sense, and no authority enforces it. What it provides is a recommended structure. Organisations choose how fully to adopt it. So when people ask about NIST AI RMF "requirements," they usually mean the outcomes and actions the framework recommends, which you can adopt as your own internal standard.
The structure you work to
The framework's content is organised as follows:
- Functions: The four high-level functions: Govern, Map, Measure, and Manage.
- Categories: Each function breaks into categories, which group related outcomes (for example, within Govern, categories cover policies, accountability, and risk tolerance).
- Subcategories: Categories break into specific outcomes and actions, which are the concrete things an organisation can do.
This structure lets you move from the high-level idea of "managing AI risk" down to specific, actionable steps.
The Playbook
NIST publishes a companion Playbook that gives suggested actions, references, and guidance for the categories and subcategories. It is not mandatory and is meant to be used selectively, but it is the most practical resource for turning the framework into concrete activity. Organisations typically use the Playbook to decide which actions are relevant to them.
Profiles
The framework also supports profiles, which are tailored applications of the RMF to a particular use case, sector, or set of requirements. A profile lets an organisation adapt the framework to its specific context rather than applying everything generically. This is how the RMF flexes to different industries and risk levels.
What to actually adopt
Because the framework is flexible, the practical task is deciding which of its outcomes matter for your AI systems and adopting those as your internal standard. A small organisation with one AI product will adopt a focused subset; a large enterprise with many systems will adopt more, and may build profiles for different contexts. The discipline is in choosing deliberately rather than either ignoring the framework or trying to do everything at once.
Making the expectations real
The framework's expectations only deliver value when they connect to actual artefacts: documented governance, a risk map per system, defined measurements, and tracked mitigations. Organisations that treat the categories and subcategories as a source of concrete records, rather than as an abstract checklist, get a working risk-management practice that they can also show to buyers and regulators.
Key terms
- Categories: Groupings of related outcomes within each RMF function.
- Subcategories: Specific outcomes and actions within each category, the concrete units of work.
- Playbook: NIST's companion guide with suggested actions and references for each subcategory.
- Profile: A tailored application of the RMF to a particular use case, sector, or requirement set.