The NIST AI Risk Management Framework Playbook is a voluntary, non-mandatory companion resource that translates the four functions of the NIST AI RMF — Govern, Map, Measure, Manage — into suggested actions research offices can adapt into a working AI-tool review checklist, without adopting the document as a rigid audit standard.
The AI RMF Playbook is a reference companion to NIST AI RMF 1.0, published by the U.S. National Institute of Standards and Technology on 26 January 2023, that maps suggested implementation actions to each subcategory in the framework’s Core (Tables 1–4). Research administration offices evaluating AI writing tools, manuscript-screening systems, grant-matching algorithms, or peer-review assistants are increasingly being asked — by faculty, ethics committees, or funders — to show some structured basis for that review. The Playbook is the most directly usable NIST artefact for building one, but most explainers stop at describing the four functions rather than showing how a research office turns them into an actual intake form. This walkthrough does that conversion.
- What is the NIST AI RMF Playbook?
- Turning the four functions into a research-office AI-tool checklist
- NIST AI RMF Playbook vs ISO 42001 vs the EU AI Act Code of Practice
- Answer-first questions about the AI RMF Playbook
- Implications for research offices
What is the NIST AI RMF Playbook?
The NIST AI Risk Management Framework Playbook is a living, voluntary implementation resource published alongside AI RMF 1.0. NIST’s AI Resource Center states plainly that the Playbook “is neither a checklist nor set of steps to be followed in its entirety” — organisations are meant to borrow “as many – or as few” suggestions as fit their use case.
Each suggestion in the Playbook is tied to a specific subcategory under one of the framework’s four functions:
- Govern — establishes the culture, policies, and accountability structures for managing AI risk across the organisation.
- Map — establishes context: what the AI system does, who it affects, and what could go wrong.
- Measure — analyses, benchmarks, and tracks identified risks using quantitative and qualitative methods.
- Manage — allocates resources to risks by priority and monitors the system after deployment.
NIST distributes the Playbook as a PDF, CSV, Excel workbook, and JSON file via the AI Resource Center, and it is updated approximately twice per year as AI technology and community feedback evolve. That release cadence matters operationally: a review checklist built from the Playbook should be version-dated and re-checked against each update rather than treated as a one-time policy document.
Turning the four functions into a research-office AI-tool checklist
The Playbook’s value for a research office is not the four function names — it is the subcategory-level actions underneath them, which read almost like intake-form questions once relabelled. Below is a working mapping from AI RMF 1.0 Core subcategories to the questions a research administration office can ask when a faculty member or department proposes adopting an AI tool (a manuscript screener, grant-matching assistant, or peer-review support system).
| AI RMF subcategory (paraphrased) | Research-office checklist question |
|---|---|
| GOVERN 1.1 — legal and regulatory requirements are understood and documented | Does this tool trigger institutional research-ethics, data-protection, or funder AI-disclosure obligations? |
| GOVERN 2.1 — roles and responsibilities for AI risk are assigned | Who in the office owns ongoing oversight of this tool once it is approved? |
| MAP 1.1 — intended purpose and deployment context are understood | What specific research-administration task is this tool being used for, and by whom? |
| MAP 5.1 — likelihood and magnitude of impacts are assessed | What happens to a manuscript, grant application, or reviewer assignment if the tool errs? |
| MEASURE 2.6 / 2.7 — safety, security, and resilience are evaluated | Has the vendor supplied evidence of testing for bias, data leakage, or hallucinated citations? |
| MANAGE 1.1 — determination of whether the system meets its objectives | Did a pilot period show the tool actually improves the workflow it was bought for? |
| MANAGE 4.1 — post-deployment monitoring plans are implemented | Who re-reviews this tool annually, and what triggers an early re-review? |
Built this way, every question on the checklist stays traceable to a named NIST subcategory, so when an ethics committee or auditor asks “why do you check this?” the answer is already on the form. That traceability is the practical benefit of using the Playbook rather than writing a bespoke policy from scratch.
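Because NIST re-issues the Playbook roughly twice a year, the checklist needs a version stamp and a way to find which questions to re-examine after each release. The following is an added example, not NIST's code and not a parser for the real Playbook JSON export (whose schema is not reproduced here); it assumes a flat subcategory-to-text mapping and constructed sample text for two releases, and fingerprints the source text behind each question so a later release can be diffed against the saved checklist.

```python
import hashlib

# Constructed samples standing in for two Playbook releases (not NIST's wording).
# The flat {subcategory: suggested-action text} shape is an assumption.
PLAYBOOK_V1 = {
    "GOVERN 1.1": "Maintain awareness of applicable legal and regulatory requirements.",
    "MAP 1.1": "Document intended purpose and deployment context.",
    "MANAGE 4.1": "Establish post-deployment monitoring plans.",
}
PLAYBOOK_V2 = {
    "GOVERN 1.1": "Maintain awareness of applicable legal and regulatory requirements.",
    "MAP 1.1": "Document intended purpose, deployment context, and affected parties.",
    "MANAGE 4.1": "Establish post-deployment monitoring plans.",
    "MANAGE 4.2": "Measure activities for continual improvement.",  # new in V2
}

# Office questions keyed by the subcategory they trace to (from the table above).
CHECKLIST = {
    "GOVERN 1.1": "Does this tool trigger research-ethics, data-protection, or funder AI-disclosure obligations?",
    "MAP 1.1": "What specific research-administration task is this tool used for, and by whom?",
    "MANAGE 4.1": "Who re-reviews this tool annually, and what triggers an early re-review?",
}


def fingerprint(text):
    """Short SHA-256 digest of the Playbook text a question was derived from."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()[:16]


def build_checklist(playbook, version_tag):
    """Version-dated checklist: each item cites its subcategory and source hash."""
    items = [
        {"subcategory": sc, "question": q, "source_hash": fingerprint(playbook[sc])}
        for sc, q in CHECKLIST.items() if sc in playbook
    ]
    return {"playbook_version": version_tag, "items": items}


def review_delta(checklist, new_playbook):
    """Diff a saved checklist against a newer release: which questions need
    re-review (source text changed), which lost their subcategory, and which
    subcategories in the new release have no question yet."""
    changed, removed = [], []
    for item in checklist["items"]:
        sc = item["subcategory"]
        if sc not in new_playbook:
            removed.append(sc)
        elif fingerprint(new_playbook[sc]) != item["source_hash"]:
            changed.append(sc)
    covered = {i["subcategory"] for i in checklist["items"]}
    uncovered = sorted(sc for sc in new_playbook if sc not in covered)
    return {"changed": changed, "removed": removed, "uncovered": uncovered}
```

Run against the two constructed releases, the delta flags MAP 1.1 for re-review and MANAGE 4.2 as a subcategory with no checklist question yet.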
NIST AI RMF Playbook vs ISO 42001 vs the EU AI Act Code of Practice
Research offices operating internationally increasingly need to know how the voluntary US framework relates to certifiable and regulatory instruments used elsewhere. None of the three is a substitute for the others; they serve different purposes and audiences.
| Framework | Status | Best fit for a research office |
|---|---|---|
| NIST AI RMF 1.0 + Playbook | Voluntary US guidance, published January 2023 | Building an internal AI-tool review process and shared vocabulary |
| ISO/IEC 42001:2023 | Certifiable international AI management-system standard | Institutions seeking third-party certification of their AI governance programme |
| EU AI Act General-Purpose AI Code of Practice | Regulatory compliance mechanism under Regulation (EU) 2024/1689, applying to GPAI providers from August 2025 | Institutions in, or contracting with, the EU that procure general-purpose AI models |
A practical pattern for a research office with European partners: use the AI RMF Playbook’s subcategories to build the internal checklist, use ISO 42001’s clause structure if formal certification is the goal, and treat the EU AI Act Code of Practice as a due-diligence question to put to any GPAI vendor — “can you show your Code of Practice commitments?” — rather than as a framework the research office itself must implement.
Answer-first questions about the AI RMF Playbook
What is the NIST AI RMF Playbook?
The NIST AI RMF Playbook is a voluntary companion resource to NIST AI RMF 1.0 that provides suggested actions for each subcategory across the framework’s four functions — Govern, Map, Measure, and Manage. It is not a checklist to complete in full; organisations select the suggestions relevant to their own AI use case.
What are the two main parts of the NIST AI RMF?
NIST AI RMF 1.0 is structured in two parts: Part 1 sets out foundational context — the framing of AI risks and the characteristics of trustworthy AI — and Part 2 contains the Core, organised into the four functions, their categories, and subcategories that the Playbook then operationalises.
Is NIST AI RMF compliance mandatory?
No. The AI RMF and its Playbook are voluntary for private organisations and most research institutions; there is no certification body. Some US federal agencies reference it in AI-procurement guidance, and funders or partner institutions may ask an office to show alignment as a matter of due diligence rather than legal obligation.
What are the seven steps of the NIST Risk Management Framework?
The seven-step RMF — Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor — comes from NIST SP 800-37, a separate cybersecurity authorisation framework for federal information systems. It is distinct from the AI RMF’s four functions; research offices should not conflate the two when a vendor or auditor cites “the NIST framework.”
Implications for research offices
Research administration is adopting AI tools faster than most offices have built governance for: manuscript-screening assistants, grant-matching engines, and reviewer-recommendation systems are already in use across publishers and institutions. Building the intake checklist directly from AI RMF Playbook subcategories gives a research office a defensible answer when asked how a tool was vetted, without waiting for a mandatory US or UK regulatory framework to arrive.
Because NIST revises the Playbook roughly twice yearly, and because the EU AI Act’s GPAI obligations are still being phased in through 2025–2026, offices that adopt this checklist approach should treat it as a living document, re-checked at each Playbook release rather than filed away after a single review cycle.