What is the NIST AI Risk Management Framework?
- The NIST AI RMF is a voluntary framework from the US National Institute of Standards and Technology for managing AI risk; adopting it is not legally required and there are no penalties for not doing so.
- It is built around four functions: Govern, Map, Measure, and Manage.
- It frames good practice around characteristics of trustworthy AI.
- It pairs well with binding laws like the EU AI Act, serving as the method that helps you meet them.
- Current as of June 2026. This is general information, not legal advice.
Where it came from and why
NIST released version 1.0 of the AI RMF (NIST AI 100-1) in January 2023, developed openly with industry, academia, and government. The goal was to give organisations a common, practical way to address AI risk and to promote trustworthy AI, without prescribing a rigid checklist. NIST has since added companion material, including the AI RMF Playbook and a Generative AI Profile (NIST AI 600-1, July 2024). Because NIST frameworks are well regarded and vendor-neutral, the AI RMF has become a reference point for AI risk management well beyond the United States.
The four functions
The framework is built around four functions that work together:
- Govern: Establish the culture, policies, roles, and accountability for managing AI risk across the organisation. Govern runs through the other three functions.
- Map: Establish the context: identify the AI system's purpose, who it affects, and the risks it could create given how and where it is used.
- Measure: Assess, analyse, and track the identified risks using appropriate methods and metrics.
- Manage: Prioritise and act on the risks, allocating resources to treat, monitor, and respond to them over time.
What "trustworthy AI" means here
The AI RMF frames good AI risk management around characteristics of trustworthy AI, including that systems should be valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. These characteristics give organisations a vocabulary for what they are trying to achieve. They are not independent: NIST notes that neglecting one characteristic can increase risk in another, and that trade-offs between them (for example, between explainability and privacy) usually have to be made explicitly.
Who uses it and why
The framework is used by organisations that build or deploy AI and want a credible, structured way to manage the associated risk. Because it is voluntary and flexible, it suits organisations of different sizes and sectors. It is also increasingly referenced in procurement: US enterprise buyers ask vendors whether they align with the NIST AI RMF, which makes familiarity with it useful even for organisations that adopt it mainly to answer customers.
How it relates to laws like the EU AI Act
The AI RMF is a method, not a mandate. It pairs naturally with binding regulations such as the EU AI Act: an organisation can use the NIST functions as the operating engine that produces the risk management process and documentation a law requires, for instance the risk management system and technical documentation the EU AI Act demands of providers of high-risk AI systems. Adopting NIST does not, on its own, make you compliant with any law, and it does not tell you which legal obligations apply to a given system; it gives you a strong foundation for meeting those obligations once they have been identified.
Key terms
- NIST AI RMF
- The US National Institute of Standards and Technology AI Risk Management Framework, a voluntary guide to managing AI risk.
- Govern, Map, Measure, Manage
- The four functions of the NIST AI RMF that structure how organisations manage AI risk.
- Voluntary framework
- Guidance an organisation chooses to adopt; not legally binding and not enforced by penalties.
- Trustworthy AI
- AI that is valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.