v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

NIST AI RMF

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary US framework for managing AI risks, structured around four core functions.

CASRAI research-methods explainer — NIST AI RMF

The four core functions

The framework organises AI risk work into four functions. Govern establishes a culture of risk management — policies, roles, accountability and oversight — and cuts across the other three. Map builds the context: the system’s purpose, stakeholders, capabilities and the risks that arise from intended and foreseeable use. Measure analyses and tracks identified risks using quantitative and qualitative methods, including testing for trustworthiness characteristics. Manage allocates resources to act on risks — treating, monitoring and responding to them over time. Together they form a continuous, not one-off, cycle.

Trustworthiness characteristics

NIST frames trustworthy AI around a set of characteristics that the functions help an organisation pursue: validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy enhancement, and fairness with harmful bias managed. The framework does not prescribe fixed thresholds for these; instead it gives organisations a structured way to weigh trade-offs in their own context. This characteristic-based approach lets the RMF apply across very different AI systems and risk levels rather than mandating one-size-fits-all rules.

Status and the Generative AI Profile

The AI RMF is voluntary guidance developed through an open, consensus process; it is not a certifiable standard and confers no certificate. To address fast-moving generative AI, NIST published the Generative AI Profile (NIST AI 600-1) in 2024, which maps generative-AI-specific risks — such as confabulation, harmful content and data leakage — onto the same Govern, Map, Measure and Manage structure. Organisations frequently use the RMF to build the operational risk practice that a certifiable management system, such as ISO/IEC 42001, then formalises.

Key facts

At a glance

  • Definition: the US NIST AI Risk Management Framework 1.0
  • Released: January 2023; voluntary, non-certifiable
  • Publisher: US National Institute of Standards and Technology (NIST)
  • Four functions: Govern, Map, Measure, Manage
  • Companion: Generative AI Profile (NIST AI 600-1, 2024)
  • Focus: trustworthy AI characteristics across the lifecycle

Common misconceptions

What people often get wrong

Often heard: You can get certified against the NIST AI RMF.

Actually: The NIST AI RMF is voluntary guidance and is not a certifiable standard, so there is no NIST AI RMF certificate. Organisations use it to structure practice; certification needs a management-system standard such as ISO/IEC 42001.

Often heard: The NIST AI RMF is legally mandatory in the United States.

Actually: The framework is explicitly voluntary. It is widely referenced and may inform procurement or policy, but it is guidance rather than a statute imposing legal obligations.

Often heard: The four functions run once, in order, like a checklist.

Actually: Govern, Map, Measure and Manage form a continuous cycle, with Govern cutting across the others. They are revisited iteratively as a system changes, not completed once and set aside.
