NIST-AI-RMF
Getting Started Guide

NIST Artificial Intelligence Risk Management Framework

Voluntary US framework to better manage risks to individuals, organizations, and society associated with AI.

Audit Effort2–4 months to implement
Key FactStructured around four functions: Govern, Map, Measure, Manage

What Is NIST AI RMF?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework developed by the US Department of Commerce to help organizations manage the many risks of designing, developing, and deploying AI systems. It provides a structured, flexible way to integrate trustworthiness into AI products.

The framework is built around four core functions: Govern (cultivating a culture of risk management), Map (understanding the context and risks of the AI system), Measure (assessing and tracking those risks), and Manage (prioritizing and mitigating the risks).

Unlike a compliance checklist, the AI RMF is outcome-driven. It recognizes that AI risks are unique—such as model drift, hallucination, bias, and adversarial attacks—and requires a continuous lifecycle approach rather than a point-in-time audit.

Does NIST AI RMF Apply to Your Organisation?

Understanding typical procurement requirements and compliance thresholds.

AI Developers & Foundation Model Builders

Companies training models or building complex AI architectures use it as the baseline for internal governance and safety red-teaming.

Highly Recommended

Enterprise AI Deployers

Banks, healthcare networks, and Fortune 500s use it to evaluate the risks of buying and deploying third-party AI tools (like LLMs).

Highly Recommended

Federal AI Contractors

US Federal agencies are heavily encouraged (via Executive Order) to adopt the AI RMF, meaning vendors selling AI to the government will inevitably be measured against it.

Mandatory
You probably don't need NIST AI RMF if:
  • Companies using basic, rules-based automation or traditional deterministic software that lacks machine learning or generative AI components.
  • Small startups using off-the-shelf APIs for low-risk, internal-only tasks (e.g., summarizing meeting notes internally) where a full RMF overhead isn't justified.

Why NIST AI RMF Matters in 2026

Understanding the current regulatory pressures and market adoption vectors.

US Executive Order on AI

The Biden administration's Executive Order on AI positions NIST frameworks as the foundational standard for federal AI safety, driving immediate downstream adoption in the private sector.

Enterprise Vendor Risk Management

Enterprise procurement teams have no idea how to audit AI vendors yet. If you can hand them a NIST AI RMF-aligned risk report, you win the deal instantly.

Preparing for the EU AI Act

Adopting the NIST AI RMF now builds the governance and risk-mapping muscles your team will desperately need when trying to comply with the legally binding EU AI Act later.

The Requirements

The core security controls and evidence parameters audited for NIST AI RMF.

How Long Does It Take?

A realistic phase-by-phase implementation roadmap for NIST AI RMF.

1
Weeks 1-3

Establish Governance (Govern)

Form an AI ethics/governance committee. Draft your organization's 'Responsible AI Policy' and define what 'trustworthy' means for your product.

Key Deliverable:AI Governance Charter, Responsible AI Policy
2
Weeks 4-6

Inventory & Impact (Map)

Inventory all AI systems in development or production. Create detailed Model Cards or System Cards that map inputs, outputs, and potential harms.

Key Deliverable:AI System Inventory, Completed Model Cards
3
Weeks 7-12

Red-Teaming & Mitigation (Measure/Manage)

Implement testing pipelines to measure bias and hallucination. Set up production monitoring (LLM observability) to catch model drift.

Key Deliverable:Evaluation pipelines, Production monitoring dashboards
With Existing Certifications

4-6 weeks: If you have a mature ISO 27001 or NIST CSF program, your 'Govern' and 'Manage' muscles are strong. You just need to add AI-specific 'Map' and 'Measure' activities (like red-teaming).

Starting from Scratch

3-4 months: Establishing AI evaluation metrics, building red-teaming capability, and formalizing governance structures is completely new territory for most software teams.

The Mistakes That Delay Most NIST AI RMF Programs

Sourced from real compliance audits. Avoid these pitfalls to keep your timeline on track.

Treating AI risk like standard IT risk

Why it happens:

Standard software either works or it throws an error. AI can confidently output racist, incorrect, or highly biased data without throwing an error. Standard IT risk assessments miss this.

How to avoid it:

You must evaluate outputs probabilistically. Implement LLM observability tools and human-in-the-loop (HITL) review processes.

Skipping the 'Map' function

Why it happens:

Engineers want to jump straight to testing (Measure) or fixing (Manage). But if you haven't documented the intended use case and potential harms (Map), your tests are measuring the wrong things.

How to avoid it:

Force teams to complete a lightweight Model Card or AI Impact Assessment before deploying any model to production.

Thinking governance is just for big tech

Why it happens:

Startups think AI governance slows them down. But when a startup's AI chatbot hallucinates a fake refund policy or insults a customer, the startup bears the reputational cost.

How to avoid it:

Implement 'right-sized' governance. A 3-person startup doesn't need a 10-person AI committee, but they do need a documented testing protocol before shipping prompts.

Loading Kickstart state...

Related Resources

Articles, guides, and tools to accelerate your compliance program.

Insights & Playbooks

NIST AI RMF Insights

Read practical security, engineering, and audit management playbooks from the GRC hub.

Visit the GRC Blog
Readiness Tools

NIST AI RMF Checklist

Assess your baseline control posture against NIST AI RMF criteria in 10 minutes.

Start Assessment
Decision Engine

Compare Frameworks

Not sure which framework is best for your current situation? Run our intake to see a prioritized recommendation roadmap.

Start Framework Finder

Frequently Asked Questions

Common queries about NIST AI RMF compliance and certification processes.