The four functions of NIST AI RMF explained

Updated 30 June 2026 · 6 min read
Key takeaway
The NIST AI RMF is built around four functions that together form a continuous risk-management cycle: Govern, Map, Measure, and Manage. Govern is the foundation that runs through the other three, while Map, Measure, and Manage move from understanding risk, to assessing it, to acting on it. Understanding these four functions is the key to understanding the framework as a whole.
  • The RMF has four functions: Govern (the foundation), Map, Measure, and Manage.
  • Govern sets culture and accountability and runs through the other three.
  • Map understands context and identifies risk; Measure assesses and tracks it; Manage acts on it.
  • They form a continuous cycle, broken into categories and subcategories for concrete action.
  • Current as of June 2026. This is general information, not legal advice.

Govern

Govern is about creating the culture, policies, structures, and accountability that make AI risk management possible. It establishes who is responsible, what the organisation's risk tolerance is, how policies are set and enforced, and how AI risk connects to broader organisational governance. Govern is not a one-time step; it underpins and is woven through Map, Measure, and Manage. Without it, the other functions lack authority and consistency.

Map

Map is about understanding context and identifying risk. Before you can manage an AI system's risk, you need to understand its purpose, the setting it operates in, who it affects, and what could go wrong. The Map function captures the system's intended use, its assumptions, the people and processes around it, and the risks that arise from all of this. Good mapping prevents the common failure of managing the wrong risks because the context was never properly understood.

Measure

Measure is about assessing and tracking the risks that mapping identified. It uses quantitative and qualitative methods to analyse risk, evaluate the AI system against the characteristics of trustworthy AI, and track how risk changes over time. Measurement turns identified risks from a list into something you can monitor and prioritise, and it provides the evidence that the system is performing as intended.

Manage

Manage is about acting on risk. It takes the prioritised risks from Measure and allocates resources to treat them: mitigating, transferring, accepting, or avoiding each as appropriate, and putting in place the monitoring and response needed over the system's life. Manage is where risk management becomes action rather than analysis.

How they work together

The four functions are not a strict linear sequence but a cycle. Govern sets the conditions; Map builds understanding; Measure assesses; Manage acts; and the results feed back into all of them as the system and its context change. Each function is broken down further into categories and subcategories that give organisations concrete actions to consider, which the NIST AI RMF Playbook elaborates.

Putting the functions to work

The functions describe what to do, not a fixed procedure, which is the source of both their flexibility and their challenge. Organisations get the most from them by tying each function to real artefacts: documented governance and ownership for Govern, a context and risk map per system for Map, defined metrics and assessments for Measure, and a tracked set of mitigations and monitoring for Manage. Connecting the functions to concrete records is what turns the framework from a concept into a working practice.

Key terms

Govern
The RMF function that establishes culture, policies, roles, and accountability for AI risk.
Map
The RMF function that captures context, intended use, and the risks an AI system creates.
Measure
The RMF function that assesses and tracks risks using quantitative and qualitative methods.
Manage
The RMF function that prioritises and acts on risks, with monitoring and response over time.
Categories and subcategories
The breakdown of each function into grouped outcomes and concrete actions.
