The NIST AI Risk Management Framework: A Reference for Boards and Compliance Teams

Overview

The NIST Artificial Intelligence Risk Management Framework, designated NIST AI 100-1 and commonly referenced as the "AI RMF" or "AI RMF 1.0," was published by the U.S. National Institute of Standards and Technology on January 26, 2023. It was developed pursuant to a Congressional mandate in the National Artificial Intelligence Initiative Act of 2020 (Division E of Public Law 116-283), through a multi-year, open process involving public workshops, requests for information, and three rounds of public comment on draft versions. The published framework is voluntary, rights-preserving, non-sector specific, and use-case agnostic by design.

On July 26, 2024, NIST released the Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile (NIST AI 600-1), a companion document that adapts the AI RMF Core to twelve risk categories that are unique to, or amplified by, generative AI systems. The Generative AI Profile was developed under Executive Order 14110 and reflects the working consensus of the NIST AI Public Working Group on the risk surface specific to large language models, diffusion-based image and video generators, and multi-modal foundation models.

The AI RMF is voluntary at the federal level. There is no general statutory requirement that U.S. companies adopt it, no certification scheme operated by NIST, and no enforcement authority. None of that makes it optional in operational terms. The AI RMF has become the standards substrate that the major AI regulatory regimes effectively reference when they require AI governance, risk assessment, or audit documentation, even where they do not name NIST directly. A company that has implemented the AI RMF with discipline produces the documentation, control structures, and audit-readiness that map onto the EU AI Act, the New York RAISE Act, the Colorado AI Act, NYC Local Law 144, and the Caremark-derived board oversight expectations for AI as a mission-critical risk. A company that has not is building each regime's compliance posture from a standing start.

This reference is for U.S. boards, audit committees, GCs, and CCOs. It covers the four core functions and their categories in detail, the Generative AI Profile's twelve risk categories, crosswalks to the major regulatory regimes, the relationship between the AI RMF and the ISO/IEC 42001 and 23894 standards, implementation patterns for mid-market and large-enterprise programs, the framework's limitations, and practical implementation steps for 2026.

The four core functions

The AI RMF Core is organized around four functions — Govern, Map, Measure, and Manage — that together describe a continuous, iterative AI risk management cycle. Each function decomposes into numbered categories and subcategories. The framework prescribes outcomes rather than specific controls, which is why it pairs naturally with more prescriptive standards (ISO/IEC 42001) and regulatory regimes (the EU AI Act). The category counts and structure described below reflect the published v1.0 framework; NIST has signaled an AI RMF 1.1 update in the pipeline but has not yet published it as of the date of this article.

Govern

Govern is the organizational, policy, accountability, and culture function. It is the function that makes AI risk management an enterprise discipline rather than an ad-hoc response to specific projects. Govern decomposes into six categories and nineteen subcategories:

• GOVERN 1 — organization-wide policies, processes, procedures, and practices for mapping, measuring, and managing AI risks are in place, transparent, and implemented effectively.
• GOVERN 2 — accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks.
• GOVERN 3 — workforce diversity, equity, inclusion, and accessibility processes are prioritized in the mapping, measuring, and managing of AI risks across the AI lifecycle.
• GOVERN 4 — organizational teams are committed to a culture that considers and communicates AI risk.
• GOVERN 5 — processes are in place for robust engagement with relevant AI actors, including external stakeholders.
• GOVERN 6 — policies and procedures are in place to address AI risks and benefits arising from third-party software, data, and other supply-chain considerations.

The auditable evidence Govern produces is a written AI risk policy, an inventory of AI systems and their risk tiering, a delegation of authority document identifying accountable executives and committees, training records, supplier and vendor due-diligence files, and minutes documenting board or committee oversight. A Govern function that produces none of these has not been implemented; it has been described.

Map

Map is the context-establishment function. For each AI system or proposed AI system, Map identifies the purpose, the legal and regulatory environment, the stakeholders, the data and model dependencies, and the impact pathways. Map decomposes into five categories and eighteen subcategories:

• MAP 1 — context is established and understood; intended purpose, prospective settings, AI actors, and applicable legal and regulatory requirements are documented.
• MAP 2 — categorization of the AI system is performed; technical methods, knowledge limits, and test-evaluation-verification-validation considerations are identified.
• MAP 3 — AI capabilities, targeted usage, goals, and expected benefits and costs compared with appropriate benchmarks are understood.
• MAP 4 — risks and benefits are mapped for all components of the AI system, including third-party software, data, and other supply-chain elements.
• MAP 5 — impacts to individuals, groups, communities, organizations, and society are characterized, including likelihood and magnitude of harm, and feedback mechanisms are established.

The auditable evidence Map produces is a per-system intake document or model card that captures purpose, scope, training and evaluation data, performance characteristics, dependencies, identified risks and stakeholders, and the rationale for the risk-tier classification under whichever regulatory regime applies. This document is the single most important compliance artifact in any AI governance program; it is the artifact a regulator or auditor asks for first.

Measure

Measure is the testing, evaluation, and assessment function. For each mapped risk, Measure identifies appropriate quantitative and qualitative methods, applies them, and produces documented results. Measure decomposes into four categories and twenty-two subcategories — the largest subcategory count of any function, reflecting that this is where the substantive technical work resides:

• MEASURE 1 — appropriate methods and metrics for measuring AI risks are identified, selected, applied, and documented.
• MEASURE 2 — AI systems are evaluated for trustworthy characteristics: valid and reliable performance, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy, and fairness with harmful bias managed.
• MEASURE 3 — mechanisms for tracking identified AI risks over time are in place.
• MEASURE 4 — feedback about the efficacy of measurement is gathered and assessed.

The auditable evidence Measure produces is test plans, evaluation results, red-team and adversarial-testing reports, bias and fairness assessments, robustness and accuracy metrics, monitoring dashboards, and post-deployment performance logs. For generative AI systems, Measure-function evidence also includes red-team transcripts, prompt-injection test results, evaluation benchmarks (e.g., MMLU, HELM-style suites where relevant), and hallucination-rate assessments on representative inputs.

Manage

Manage is the response, treatment, and continuous-monitoring function. For each measured risk, Manage prioritizes the response, selects the treatment, documents the rationale, and monitors the outcome. Manage decomposes into four categories and thirteen subcategories:

• MANAGE 1 — AI risks are prioritized, responded to, and managed.
• MANAGE 2 — strategies to maximize AI benefits and minimize negative impacts are planned, prepared, implemented, and documented, and informed by input from relevant AI actors.
• MANAGE 3 — AI risks and benefits from third-party entities are managed.
• MANAGE 4 — risk treatments, including response and recovery, and communication plans for identified and measured AI risks are documented and monitored regularly.

The auditable evidence Manage produces is a risk register with prioritized treatments, incident-response playbooks, decommissioning procedures, monitoring cadence documentation, change-management records for model updates, and incident logs. The Manage function is what makes the rest of the framework durable; without it, Govern, Map, and Measure produce documents that age without consequence.

The Generative AI Profile

The Generative AI Profile (NIST AI 600-1) does not replace the AI RMF Core; it operates as a technology-specific overlay. It accepts the Govern/Map/Measure/Manage structure and uses the Profile format defined in section 5 of the AI RMF to articulate generative-AI-specific outcomes. The Profile's contribution is its enumeration of twelve risk categories that are unique to, or amplified by, generative AI:

1. CBRN information or capabilities — eased access to or synthesis of materially nefarious information related to chemical, biological, radiological, or nuclear weapons, including accelerants from specialized biological design tools.
2. Confabulation — the production of confidently stated but erroneous or false content, including the fabrication of citations, facts, and quotations. The Profile uses "confabulation" rather than the colloquial "hallucination" and rejects framing that anthropomorphizes the system.
3. Dangerous, violent, or hateful content — the generation of content that incites, threatens, glorifies, or enables violence; that promotes hatred, dehumanization, or harassment; or that provides instructions for harmful acts.
4. Data privacy — leakage of personal data through training-data memorization, prompt-leakage, or inference; risks associated with sensitive personal information in retrieval-augmented contexts; and downstream re-identification risks.
5. Environmental impacts — energy and water consumption of training and inference, carbon footprint, and upstream supply-chain effects.
6. Harmful bias or homogenization — disparate performance or outcomes across protected and other groups; model collapse from synthetic-data overreliance; reduction in content and aesthetic diversity; entrenchment of dominant viewpoints.
7. Human-AI configuration — failure modes in the human-system interface, including automation bias, algorithmic aversion, anthropomorphism, emotional entanglement, and unsafe delegation of decisions to systems whose limits the user does not understand.
8. Information integrity — generation and propagation of misleading, synthetic, or manipulated content; degradation of provenance and chain of custody; effects on elections, public health, and other public-interest discourse.
9. Information security — prompt injection, jailbreaks, model-weight exfiltration, indirect prompt injection through retrieved content, and adversarial attacks on tool-using or agentic configurations.
10. Intellectual property — training on copyrighted works without authorization, output that reproduces copyrighted expression, infringement of trademark and right-of-publicity, and trade-secret leakage through outputs.
11. Obscene, degrading, or abusive content — generation of child sexual abuse material, non-consensual intimate imagery, and other categories of unlawful or grossly offensive content.
12. Value chain and component integration — risks introduced when generative AI capabilities flow through a chain of model providers, fine-tuners, integrators, and deployers, with each layer obscuring information about the others and creating accountability gaps.

For each of these twelve categories, the Profile lists suggested actions distributed across the Govern, Map, Measure, and Manage functions. A board sponsoring an AI RMF program for a company that develops, fine-tunes, or substantially integrates generative AI is best served by treating the Generative AI Profile as the operative document and the AI RMF Core as the underlying architecture, rather than treating them as parallel resources.

AI RMF crosswalks to regulatory regimes

The practical reason boards and compliance teams invest in the AI RMF is that it produces evidence that maps onto each of the major AI regulatory regimes. The mappings are not one-to-one — each regime has formal artifacts the AI RMF does not require — but the substantive overlap is high enough that a credible AI RMF program materially reduces the marginal cost of each additional regime.

EU AI Act

The EU AI Act's high-risk system obligations (Articles 9 through 15) align closely with AI RMF functions. Article 9 (risk management system) maps to Govern and Manage; Article 10 (data and data governance) maps to MAP 4 and the Measure data-quality subcategories; Article 11 (technical documentation) maps to the Map function's per-system documentation requirement; Article 12 (record-keeping) maps to Manage's monitoring evidence; Article 13 (transparency for deployers) maps to MAP 1 and MEASURE 2's explainability subcategories; Article 14 (human oversight) maps to GOVERN 2 and MEASURE 2; Article 15 (accuracy, robustness, cybersecurity) maps to MEASURE 2. The conformity assessment, CE marking, EU database registration, and post-market monitoring artifacts are EU-specific and have no AI RMF counterpart; an AI RMF program does not produce them automatically. It does, however, produce the underlying substantive evidence that those artifacts require.

New York RAISE Act

The RAISE Act, effective January 1, 2027, requires that large developers of frontier models maintain a written safety and security protocol, publish a redacted version, submit the unredacted version to the New York Attorney General and the Division of Homeland Security and Emergency Services, retain test records, conduct annual protocol reviews, report critical safety incidents within 72 hours, and obtain an annual third-party audit. The Act does not prescribe a particular standards framework. In practice, a frontier developer's "safety and security protocol" under the RAISE Act will be a NIST AI RMF program with Generative AI Profile overlay, supplemented by frontier-specific elements (dangerous-capability evaluations, model-weight protection, deployment thresholds) drawn from internal responsible-scaling policies and emerging frontier-safety practice.

Colorado AI Act

Colorado's Artificial Intelligence Act, effective February 1, 2026, requires developers and deployers of high-risk AI systems used in consequential decisions to use reasonable care to avoid algorithmic discrimination and to provide impact assessments. The Act's impact assessment requirement maps directly to the Map function — purpose, data, stakeholders, identified risks, and mitigation measures — and the reasonable-care duty is operationalized through Measure (bias testing) and Manage (monitoring and remediation). A Colorado impact assessment can be derived from AI RMF Map and Measure documentation with comparatively modest restructuring.

NYC Local Law 144

Local Law 144's bias-audit obligation for automated employment decision tools is narrower than the AI RMF in scope but rigorous in what it requires: an independent bias audit, public posting of the summary results, and candidate notice. The bias audit itself maps to MEASURE 2's fairness subcategory; the notice and posting obligations map to GOVERN 5 (engagement with stakeholders) and MAP 1 (legal requirements documentation). The substantive testing is identical; what differs is the formal independent-auditor attestation and the public posting.

Illinois HB 3773

Illinois HB 3773, in force since January 1, 2026, amends the Human Rights Act to address AI in employment, requires employer notice when AI is used in covered employment decisions, and prohibits discriminatory use of AI in those decisions. The documentation requirements map to GOVERN 1 (policies), MAP 1 (purpose and legal requirements), and MANAGE 4 (communication plans). The non-discrimination duty is again operationalized through Measure and Manage.

The pattern across the regimes is consistent: the AI RMF produces the substantive evidence; each regime then requires a particular formal artifact built on top of that evidence. Companies that build their governance program around the AI RMF as the substrate, then generate regime-specific artifacts from the underlying documentation, typically achieve lower aggregate compliance cost and a more defensible posture than companies that build separate programs per regime.

AI RMF, ISO/IEC 42001, and ISO/IEC 23894

The AI RMF does not exist in isolation. Two international standards occupy adjacent territory and are increasingly treated, together with the AI RMF, as a standards-substrate trio for AI governance.

ISO/IEC 42001:2023, published December 2023, is the international AI management system standard. Like ISO/IEC 27001 for information security, it specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system, and it supports formal third-party certification. The substantive overlap with AI RMF Govern is substantial — accountability structures, policies, training, supplier management, internal audit — but ISO/IEC 42001 prescribes the management-system architecture with more specificity than the AI RMF does and provides the certification pathway that the AI RMF deliberately does not.

ISO/IEC 23894:2023, published February 2023, is the ISO guidance standard for AI risk management. It is structured around the general risk-management process in ISO 31000 and provides terminology and methodology alignment for AI-specific risks. The overlap with AI RMF Map, Measure, and Manage is substantial; the divergence is mostly one of terminology and emphasis.

Practitioners typically use the three documents together: the AI RMF as the conceptual and U.S.-recognized framework, ISO/IEC 42001 as the management-system standard supporting certification and EU AI Act-readiness, and ISO/IEC 23894 as the terminology and methodology bridge. A program built against the AI RMF can be prepared for ISO/IEC 42001 certification with substantially less marginal effort than a program built from scratch; conversely, an ISO/IEC 42001-certified program produces nearly all of the substantive evidence an AI RMF maturity assessment would request. The choice is rarely either-or; it is a question of which document is the primary architectural reference.

Implementation patterns

A credible AI RMF implementation looks different at a mid-market company than at a large enterprise. The framework itself is scale-agnostic; the implementation is not.

Mid-market

At a mid-market company — call it $200 million to $2 billion in revenue, with an in-house counsel function rather than a full legal department, and AI deployments concentrated in a handful of business functions — a credible AI RMF program is typically:

• A written AI policy approved by the board or audit committee, one to ten pages, covering scope, accountability, permitted and prohibited uses, vendor diligence, incident reporting, and training expectations.
• A single AI risk owner — usually a designated executive at the CCO, CIO, CTO, or General Counsel level — with quarterly reporting to the audit or risk committee.
• An AI inventory maintained in a spreadsheet or lightweight GRC tool, with per-system intake documents capturing the Map function outputs.
• Risk-tiered evaluation: high-risk systems get full Measure documentation; lower-risk systems get a streamlined process.
• Vendor diligence integrated into procurement, with standard AI questionnaires for software and SaaS purchases.
• Annual training for in-scope employees and an incident-reporting channel.

A mid-market program of this character can be built and operationalized in six to twelve months with disciplined sponsorship and modest external support.

Large enterprise

At a large enterprise — $10 billion or more in revenue, regulated in one or more sectors, with material EU and multi-state exposure, often with proprietary model development or substantial third-party AI integration — a credible AI RMF program includes:

• A dedicated AI governance function, typically with a Chief AI Officer or equivalent, an AI risk committee at the management level, and reporting into a board committee (audit, risk, or technology) with defined AI oversight.
• A formal AI management system, frequently aligned to ISO/IEC 42001 and pursued toward certification.
• A GRC platform that maintains the AI inventory, risk register, and control evidence and that links to broader enterprise risk management.
• A red-team or AI evaluations function, internal or contracted, that exercises generative AI systems against the Generative AI Profile risk categories.
• Integration with privacy, cybersecurity, and model-risk-management functions; for financial institutions, integration with SR 11-7 model risk practice.
• A per-jurisdiction compliance overlay (EU AI Act, RAISE Act, Colorado AI Act, NYC LL 144, Illinois HB 3773, California ADMT) that consumes the AI RMF substrate and generates regime-specific artifacts.

NIST has published two companion resources that practitioners use to operationalize either profile. The AI RMF Playbook provides suggested actions, references, and documentation expectations for each subcategory; NIST updates the Playbook approximately twice per year, most recently in March 2026. The AI RMF Roadmap identifies the topics NIST is prioritizing for future framework development, including technical-standards alignment, profile development for specific sectors (the April 2026 concept note for a critical-infrastructure profile is the latest example), and metric and measurement development. A program manager building an AI RMF implementation is well served to use the Playbook as the operational reference rather than working from AI 100-1 alone.

Limitations and critiques

The AI RMF has real limitations, and any board sponsoring an AI governance program should understand them.

First, the framework is voluntary and unenforced at the federal level. There is no NIST audit, no NIST certification, and no NIST enforcement authority. A company can claim to have implemented the AI RMF without any third party validating the claim. This matters for D&O underwriting, regulatory examinations, and litigation: an unverified claim of AI RMF alignment is weaker evidence than a third-party-audited ISO/IEC 42001 certification, a regulator-reviewed EU AI Act conformity assessment, or a RAISE Act third-party audit attestation.

Second, the framework prescribes outcomes rather than controls. This is intentional — NIST treats prescription as a tradeoff against the framework's broad applicability — but it leaves practitioners with substantial discretion about what "implementing GOVERN 2" actually means in their environment. Two companies can each claim AI RMF alignment with materially different underlying programs. The Playbook narrows this gap somewhat, but does not close it.

Third, the absence of a certification scheme means there is no agreed definition of "good." This is a real cost. In information security, ISO/IEC 27001 certification and SOC 2 attestation give procurement, regulators, and underwriters a stable signal. In AI governance, the equivalent signal is emerging — ISO/IEC 42001 certification, EU AI Act conformity assessment — but is not yet consistently available, and AI RMF alignment alone does not provide it.

Fourth, the framework is approaching its first significant update cycle. NIST has signaled an AI RMF 1.1 in the pipeline, with a formal review with community input expected no later than 2028. Companies building programs in 2026 should expect that some of the Playbook guidance and category specifics will evolve, and should design their documentation to absorb those changes without rebuilding.

Practical implementation steps for 2026

An audit committee chair sponsoring a new or rebuilt AI RMF program in 2026 should run the program through the following sequence. The sequence assumes that the company has at least some AI deployments already in production; greenfield programs can start at step 1 with a thinner inventory.

Step 1 — Frame the program at the board level

Determine which board committee owns AI oversight. In most companies this is the audit committee, occasionally the risk committee, occasionally a technology or innovation committee. Document the delegation in the committee charter. Establish a reporting cadence — quarterly is standard — and the artifacts the committee will review. The Caremark line of Delaware decisions, particularly Marchand, makes documented board oversight of mission-critical risk a fiduciary duty; AI now qualifies as mission-critical at most companies of any meaningful scale.

Step 2 — Scope the program

Decide whether the program covers all AI systems, all generative-AI systems, all systems making consequential decisions about people, or some other scoping. Document the scope and the rationale. Define "AI system" for purposes of the program; the EU AI Act and OECD definitions are common reference points, but any definition that is internally consistent and applied uniformly is defensible.

Step 3 — Build the AI inventory

Catalog every in-scope AI system. For each, capture: business owner, purpose, vendor or in-house build, data dependencies, AI RMF function-level documentation status, regulatory regimes applicable, and risk-tier classification. The inventory is the spine of the program; nothing else can be done well without it.

Step 4 — Implement Govern

Approve a written AI policy. Stand up the management-level AI risk committee. Define the delegation of authority. Establish training requirements and the incident-reporting channel. Document supplier-diligence procedures and integrate them with procurement.

Step 5 — Implement Map and Measure for high-risk systems first

For each system tiered as high-risk under any applicable regime — EU AI Act high-risk, Colorado consequential decision, NYC automated employment decision tool, frontier model under the RAISE Act — build the per-system Map documentation and the Measure-function evidence. Lower-risk systems can be addressed with a streamlined process in subsequent quarters.

Step 6 — Implement Manage

Stand up the risk register. Define the response and remediation workflows. Establish the monitoring cadence. Document the change-management process for model updates. Build the incident-response playbook.

Step 7 — Integrate the regulatory overlays

For each applicable regime, identify the formal artifacts the regime requires beyond the AI RMF substrate — EU conformity assessment and CE marking, RAISE Act protocol publication and third-party audit, Colorado impact assessment, NYC LL 144 bias audit, Illinois HB 3773 candidate notice — and build the regime-specific generation process so that the underlying documentation produces each artifact reliably.

Step 8 — Establish independent assurance

Decide whether to pursue ISO/IEC 42001 certification, engage a third-party AI audit, or — for frontier developers — prepare for the RAISE Act third-party audit requirement. A voluntary AI RMF alignment claim without external verification will not survive scrutiny from regulators, underwriters, or sophisticated counterparties indefinitely.

Step 9 — Iterate

The AI RMF is a continuous-improvement framework, not a one-time build. Operate the quarterly board reporting cycle, refresh the inventory continuously, update the per-system documentation as systems change, and review the policy annually. NIST will update the Playbook and likely the framework itself within the program's early years; design the documentation infrastructure to absorb those updates.

How to cite this article

Techné AI, The NIST AI Risk Management Framework: A Reference for Boards and Compliance Teams (May 13, 2026), https://techne.ai/insights/nist-ai-rmf-reference.

Related references

• ISO/IEC 42001 AI Management Systems Reference — the international management-systems standard most often paired with the NIST AI RMF to produce a certifiable AI governance posture.
• ISO/IEC 23894 AI Risk Management Guidance Reference — the ISO companion that provides AI-specific risk-management methodology alongside the AI RMF's outcome-oriented structure.
• The EU AI Act for US Boards — the regulatory regime most directly informed by AI RMF structure outside the United States.
• The New York RAISE Act Reference — the U.S. state law whose safety-and-security framework obligation is most often built on the AI RMF substrate with Generative AI Profile overlay.
• Multi-Jurisdictional AI Compliance: Building a Unified Framework — the unified-program approach that uses the AI RMF as the underlying substrate across multiple regulatory regimes.