Quick Answer

The NIST AI Risk Management Framework (AI RMF 1.0) is voluntary U.S. guidance published in January 2023, built around four functions: Govern, Map, Measure, and Manage. Unlike ISO 42001, it isn't a certifiable standard — there's no audit, no certificate, and no accrediting body checking your work. It's a structured way of thinking about AI risk that organizations choose to adopt.

This is the framework you've seen referenced across nearly every AI governance post on this site — in the EU AI Act comparisons, in the red teaming content, in the ISO 42001 explainer we just published. It's foundational enough to the field that it's worth understanding properly on its own terms, not just as a name dropped inside other articles.

  • Jan 2023: AI RMF 1.0 published
  • 4 core functions
  • 0 certifications attached
  • Jul 2024: Generative AI Profile added

What Problem Does It Actually Solve?

NIST, the National Institute of Standards and Technology, published AI RMF 1.0 on January 26, 2023. Congress had directed NIST to produce it in the National AI Initiative Act of 2020, and the framework went through roughly eighteen months of public workshops, a concept paper, and two public drafts with private and public sector stakeholders before release. The goal was straightforward: give organizations building, buying, or operating AI systems a structured, repeatable way to identify and manage the risks specific to AI, rather than forcing every company to improvise its own approach from scratch.

It's deliberately flexible rather than prescriptive. NIST doesn't tell you exactly which controls to implement the way ISO 42001's Annex A does — it gives you four interconnected functions and trusts you to apply them to your own context, risk appetite, and AI use cases.

The Four Functions, Explained

These aren't sequential steps you complete once and move past. They're meant to run iteratively, feeding into each other throughout an AI system's entire lifecycle.

Govern

The foundation. Establishes accountability, assigns roles and responsibilities, sets policy, and builds the risk-aware culture everything else depends on. Without Govern in place, the other three functions don't have organizational teeth.

Map

Establishes context. Identifies what a given AI system actually does, who it affects, and what could go wrong — technically, socially, and ethically. Map is where you frame the risk before you try to quantify it.

Measure

Risk assessment in practice — both quantitative and qualitative. This is where Testing, Evaluation, Verification, and Validation (TEVV) work lives, turning the context Map established into actual metrics and evidence.

Manage

Risk treatment and response — allocating resources to address the highest-priority risks Measure identified, monitoring for drift over time, and responding when something goes wrong in production.

In practice, most organizations start with Govern and Map together — you can't meaningfully measure or manage a risk you haven't first framed — then cycle through Measure and Manage continuously as AI systems evolve and new risks emerge.

Beyond the Core: The Companion Resources

The four-function framework is just the foundation. NIST has built out a meaningful library of companion material since the original 2023 release:

  • The AI RMF Playbook. Suggested actions and references for actually achieving each function's outcomes — the practical "how" layered on top of the conceptual "what."
  • The AI RMF Roadmap. Identifies gaps and future research priorities NIST sees in the broader AI risk landscape.
  • The Generative AI Profile (NIST AI 600-1), released July 2024. A dedicated companion document that walks through twelve risk categories specific to or amplified by generative AI, including confabulation (what most people call hallucination), information integrity and synthetic content, intellectual property, and information security concerns such as prompt injection. The original 2023 framework predates the current generation of large language models and doesn't cover these on its own.

If your organization is working specifically with generative AI or large language models, the Generative AI Profile isn't optional reading — it's the part of NIST's guidance written for exactly that risk surface.

Voluntary on Paper, Increasingly Expected in Practice

"Voluntary" is the accurate legal description, but it undersells how much real-world weight this framework now carries. State-level AI laws reference NIST's risk-based approach as a benchmark; Colorado's 2024 AI Act (SB 24-205), for example, names the NIST AI RMF as one basis for an affirmative defense for deployers of high-risk AI systems. Enterprise vendor questionnaires and cyber insurance underwriting increasingly ask whether an organization's AI risk program aligns with it. None of that requires a law forcing adoption; market and contractual pressure has done a lot of that work on its own.

A Regulatory History Worth Knowing

In October 2023, Executive Order 14110 directed NIST to expand the framework (the Generative AI Profile came out of that mandate) and, together with the OMB guidance that followed it, pushed federal agencies toward NIST-aligned AI risk management, giving the framework something close to mandatory status inside the federal government. That order was rescinded on January 20, 2025 (by Executive Order 14148) and replaced days later by Executive Order 14179, which took a different policy direction on AI. The NIST AI RMF itself wasn't withdrawn or changed by this: it's still published, still maintained, and still widely used. What changed was the federal mandate tied to it. If you're researching this for compliance purposes rather than general literacy, confirm the current federal posture directly with NIST or current guidance, since this is an area that has already shifted once and could again.

NIST AI RMF vs. ISO 42001: The Distinction That Actually Matters

We covered this from the ISO 42001 side in our explainer on that standard, but it's worth restating plainly from this side too: NIST AI RMF gives you a way of thinking about AI risk. ISO 42001 gives you a certifiable system you can be independently audited against. Many organizations use both — NIST AI RMF to shape the substance of their AI risk program, ISO 42001 to formalize and certify the management system that results from it. They're complementary, not competing.

Why This Matters If You're Studying for AIGP

NIST AI RMF sits inside the AIGP Body of Knowledge as one of the core frameworks candidates are expected to recognize, alongside ISO 42001 and the EU AI Act's risk-tiered approach. Exam questions tend to test whether you can correctly distinguish a voluntary framework from a binding regulation, and whether you understand what each of the four functions is actually responsible for — not just that they exist. If you can explain, in one sentence each, what Govern, Map, Measure, and Manage do differently, you're already ahead of where most candidates start.

Bottom Line

NIST AI RMF is the most widely referenced voluntary AI risk framework in the U.S., built on four interconnected functions rather than a rigid checklist. It carries no certification and no formal audit — but increasingly, market pressure does the enforcement that regulation doesn't. Understanding it on its own terms, distinct from certifiable standards like ISO 42001 and binding law like the EU AI Act, is foundational knowledge for anyone working in AI governance.