The NIST AI Risk Management Framework (AI RMF 1.0) was published by the U.S. National Institute of Standards and Technology in January 2023, with a Generative AI Profile (NIST-AI-600-1) added in July 2024. It is a voluntary, sector-agnostic framework that organises AI risk management around four functions: Govern, Map, Measure, and Manage. Although adoption is voluntary, the AI RMF is referenced by the U.S. Executive Order on AI, several federal agency directives, and is increasingly cited by procurement teams and insurance carriers as a baseline expectation. NIST also publishes a companion AI RMF Playbook with concrete implementation suggestions and a Crosswalk that maps AI RMF actions to ISO/IEC 42001, ISO/IEC 23894, OECD AI Principles, and EU AI Act provisions.
What does NIST AI RMF actually require?
Key obligations include: Govern: establish AI policies, accountabilities, and a risk-tolerance posture that flows from board level through engineering teams.; Map: characterise the AI system's context, intended use, stakeholders, data, and known limitations before deployment.; Measure: select and apply quantitative and qualitative tests for trustworthiness characteristics — validity, reliability, safety, fairness, security & resilience, accountability & transparency, privacy, explainability.; Manage: prioritise, treat, and monitor risks; allocate resources; respond to incidents; and decommission systems that no longer meet the risk threshold.; For generative AI (GenAI Profile): address content provenance, hallucination/confabulation, harmful bias, IP and data integrity, CBRN/cyber misuse, and value-chain integration risks.; Maintain a living risk register and update Map/Measure/Manage outputs at material change events (data drift, model retraining, new use cases)..
Who is in scope of NIST AI RMF?
NIST AI RMF is voluntary in US. Scope attaches based on jurisdiction and the role a company plays in the AI supply chain. See /frameworks/nist-ai-rmf for the full scope note and source links.
When does NIST AI RMF take effect?
The primary enforcement date is 2023-01-26. Some provisions may phase in earlier or later — see the framework brief for the full timeline.
What are the penalties?
Maximum penalties: Voluntary framework; no statutory penalties. Enforcement is carried out by the designated authorities in the jurisdiction.
Which vendors help with NIST AI RMF compliance?
In our directory, the following vendors reference NIST AI RMF in their compliance coverage: Credo AI, Holistic AI, Robust Intelligence, Monitaur, Trustible, FairNow, Fairly AI, Saidot, LatticeFlow AI, Lakera, Protect AI, HiddenLayer. Each profile links to the public source for the claim.