The four functions of NIST AI RMF explained
- The RMF has four functions: Govern (the foundation), Map, Measure, and Manage.
- Govern sets culture and accountability and runs through the other three.
- Map establishes context and identifies risk; Measure assesses and tracks it; Manage acts on it.
- They form a continuous cycle, broken into categories and subcategories for concrete action.
- Current as of June 2026. This is general information, not legal advice.
Govern
Govern is about creating the culture, policies, structures, and accountability that make AI risk management possible. It establishes who is responsible, what the organisation's risk tolerance is, how policies are set and enforced, and how AI risk connects to broader organisational governance. Govern is not a one-time step; it underpins and is woven through Map, Measure, and Manage. Without it, the other functions lack authority and consistency.
Map
Map is about understanding context and identifying risk. Before you can manage an AI system's risk, you need to understand its purpose, the setting it operates in, who it affects, and what could go wrong. The Map function captures the system's intended use, its assumptions, the people and processes around it, and the risks that arise from all of this. Good mapping prevents the common failure of managing the wrong risks because the context was never properly understood.
Measure
Measure is about assessing and tracking the risks that mapping identified. It uses quantitative and qualitative methods to analyse risk, evaluate the AI system against the characteristics of trustworthy AI, and track how risk changes over time. Measurement turns identified risks from a list into something you can monitor and prioritise, and it provides the evidence that the system is performing as intended.
Manage
Manage is about acting on risk. It takes the prioritised risks from Measure and allocates resources to treat them: mitigating, transferring, accepting, or avoiding each as appropriate, and putting in place the monitoring and response needed over the system's life. Manage is where risk management becomes action rather than analysis.
How they work together
The four functions are not a strict linear sequence but a cycle. Govern sets the conditions; Map builds understanding; Measure assesses; Manage acts; and the results feed back into all of them as the system and its context change. Each function is broken down further into categories and subcategories that give organisations concrete actions to consider, which the NIST AI RMF Playbook elaborates.
Putting the functions to work
The functions describe what to do, not a fixed procedure, which is the source of both their flexibility and their challenge. Organisations get the most from them by tying each function to real artefacts: documented governance and ownership for Govern, a context and risk map per system for Map, defined metrics and assessments for Measure, and a tracked set of mitigations and monitoring for Manage. Connecting the functions to concrete records is what turns the framework from a concept into a working practice.
Key terms
- Govern: The RMF function that establishes culture, policies, roles, and accountability for AI risk.
- Map: The RMF function that captures context, intended use, and the risks an AI system creates.
- Measure: The RMF function that assesses and tracks risks using quantitative and qualitative methods.
- Manage: The RMF function that prioritises and acts on risks, with monitoring and response over time.
- Categories and subcategories: The breakdown of each function into grouped outcomes and concrete actions.