NIST AI RMF

The US AI Risk Management Framework, a voluntary, lifecycle-based approach to AI governance.

Overview

The NIST AI Risk Management Framework (AI RMF) is a voluntary framework published by the US National Institute of Standards and Technology. It is organized around four core functions and provides a Playbook with suggested actions aligned to outcomes.

NIST also hosts crosswalks between the AI RMF and other frameworks (AI Verify, ISO 42001), making it an excellent integration point.

Four Core Functions

Govern

Cultivate and implement a culture of risk management. This includes:

  • Policies, processes, and procedures for AI risk management
  • Roles and responsibilities
  • Organizational commitment and accountability

Toolkit mapping: Foundation Pack (charter, principles, roles, decision rights)

Map

Understand the context and risks of AI systems. This includes:

  • Identifying intended purpose and scope
  • Understanding stakeholders and impacts
  • Categorizing risk

Toolkit mapping: Intake & Triage Pack (registration, risk tiering, stakeholder analysis)

Measure

Assess, analyze, and track AI risks. This includes:

  • Testing and evaluation
  • Metrics for trustworthiness
  • Tracking risks over time

Toolkit mapping: Review & Assurance Pack (impact assessments, model cards, security review, red-teaming)

Manage

Prioritize and act on AI risks. This includes:

  • Risk treatment and mitigation
  • Monitoring and response
  • Continuous improvement

Toolkit mapping: Operations Pack (monitoring, incidents, policy refresh, reporting)

Generative AI Profile

NIST has published a Generative AI Profile that extends the AI RMF specifically for generative AI systems, covering additional risks such as:

  • Confabulation and hallucination
  • Data privacy in training and inference
  • Environmental costs
  • Intellectual property concerns
  • Harmful content generation
  • Homogenization of outputs

This profile is especially relevant for councils reviewing generative AI use cases.

Using NIST AI RMF with This Toolkit

The four NIST functions map naturally to the four packs in this toolkit. If your organization adopts NIST AI RMF as its primary framework, you can use this toolkit as the operational implementation of each function.
