NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, provides a voluntary framework for managing risks associated with AI systems throughout their lifecycle. It is organized around four core functions: Govern, Map, Measure, and Manage. It is applicable to all organizations that design, develop, deploy, use, or maintain AI systems.
Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.
Framework Domains (9)
AI RMF Functions
| Code | Title |
|---|---|
| AIRMF-GOV-01 | AI Risk Management Policies |
| AIRMF-GOV-02 | AI Risk Culture |
| AIRMF-GOV-03 | AI Compliance and Legal |
| AIRMF-GOV-04 | Third-Party AI Risk |
| AIRMF-MAN-01 | AI Risk Treatment |
| AIRMF-MAN-02 | AI Monitoring and Maintenance |
| AIRMF-MAN-03 | AI Incident Response |
| AIRMF-MAP-01 | AI System Context |
| AIRMF-MAP-02 | AI Risk Identification |
| AIRMF-MAP-03 | AI Impact Assessment |
| AIRMF-MEA-01 | AI Performance Metrics |
| AIRMF-MEA-02 | Bias and Fairness Assessment |
| AIRMF-MEA-03 | AI Transparency and Explainability |
| NIST-AI600-GOV-1 | Legal and Regulatory Compliance |
| NIST-AI600-GOV-2 | Safety-First Culture |
| NIST-AI600-GOV-3 | Content Provenance Governance |
| NIST-AI600-GOV-4 | Pre-Deployment Testing Governance |
| NIST-AI600-GOV-5 | Incident Disclosure Governance |
| NIST-AI600-MAP-1 | GAI Risk Identification |
| NIST-AI600-MAP-2 | Stakeholder Impact Assessment |
| NIST-AI600-MAP-3 | Third-Party Risk Mapping |
| NIST-AI600-MEA-1 | Confabulation Testing |
| NIST-AI600-MEA-2 | Bias and Fairness Evaluation |
| NIST-AI600-MEA-3 | Privacy Leak Assessment |
| NIST-AI600-MEA-4 | Environmental Impact Measurement |
| NIST-AI600-MEA-5 | Red-Teaming and Adversarial Testing |
| NIST-AI600-MGT-1 | Content Provenance Implementation |
| NIST-AI600-MGT-2 | Human Oversight Integration |
| NIST-AI600-MGT-3 | Third-Party Dependency Management |
| NIST-AI600-MGT-4 | Incident Response for GAI |
| NIST-AI600-MGT-5 | Decommissioning Procedures |
Govern
| Code | Title |
|---|---|
| AIRMF-GV-1.1 | Legal and regulatory requirements involving AI are understood, managed, and documented |
| AIRMF-GV-1.2 | Trustworthy AI characteristics are integrated into organisational policies, processes, and procedures |
| AIRMF-GV-2.1 | Roles and responsibilities related to AI risk management are documented and clear |
| AIRMF-GV-3.1 | Decision making related to mapping, measuring, and managing AI risks is informed by diverse perspectives |
| AIRMF-GV-4.1 | Organisational culture and incentives prioritise AI risk management |
Govern
AI risk management governance, policies, and culture
| Code | Title |
|---|---|
| AIRMF-GV-1.1 | Legal and regulatory requirements involving AI are understood, managed, and documented |
| AIRMF-GV-1.2 | Trustworthy AI characteristics are integrated into organisational policies, processes, and procedures |
| AIRMF-GV-2.1 | Roles and responsibilities related to AI risk management are documented and clear |
| AIRMF-GV-3.1 | Decision making related to mapping, measuring, and managing AI risks is informed by diverse perspectives |
| AIRMF-GV-4.1 | Organisational culture and incentives prioritise AI risk management |
Manage
| Code | Title |
|---|---|
| AIRMF-MN-1.1 | AI risks are prioritised and resources are allocated to manage them |
| AIRMF-MN-2.1 | Mechanisms for tracking identified risks over time are in place |
| AIRMF-MN-3.1 | AI risks and benefits from third party resources are managed |
| AIRMF-MN-4.1 | AI risk management documentation and processes are improved continuously |
| AIRMF-MN-4.3 | Incidents and errors are communicated to relevant AI actors |
Manage
Treatment, monitoring, and communication of AI risks
| Code | Title |
|---|---|
| AIRMF-MN-1.1 | AI risks are prioritised and resources are allocated to manage them |
| AIRMF-MN-2.1 | Mechanisms for tracking identified risks over time are in place |
| AIRMF-MN-3.1 | AI risks and benefits from third party resources are managed |
| AIRMF-MN-4.1 | AI risk management documentation and processes are improved continuously |
| AIRMF-MN-4.3 | Incidents and errors are communicated to relevant AI actors |
Map
| Code | Title |
|---|---|
| AIRMF-MP-1.1 | Context of AI system use is established and understood |
| AIRMF-MP-2.1 | Categorisation of AI systems is performed |
| AIRMF-MP-3.1 | AI capabilities, targeted usage, goals, and expected benefits and costs are understood |
| AIRMF-MP-4.1 | Approaches and metrics for risk identification are established |
| AIRMF-MP-5.1 | Risks and benefits are characterised for components, including third party components |
Map
Contextualization and identification of AI risks
| Code | Title |
|---|---|
| AIRMF-MP-1.1 | Context of AI system use is established and understood |
| AIRMF-MP-2.1 | Categorisation of AI systems is performed |
| AIRMF-MP-3.1 | AI capabilities, targeted usage, goals, and expected benefits and costs are understood |
| AIRMF-MP-4.1 | Approaches and metrics for risk identification are established |
| AIRMF-MP-5.1 | Risks and benefits are characterised for components, including third party components |
Measure
| Code | Title |
|---|---|
| AIRMF-MS-1.1 | Appropriate methods and metrics for measuring AI risk are identified and applied |
| AIRMF-MS-2.1 | Test sets, evaluation criteria, and ongoing tracking are documented |
| AIRMF-MS-2.11 | Fairness and bias are evaluated and results documented |
| AIRMF-MS-2.7 | AI system security and resilience are evaluated |
| AIRMF-MS-2.8 | AI system explainability and interpretability are evaluated |
| AIRMF-MS-3.1 | Approaches and metrics for risk measurement are validated by stakeholders |
Measure
Analysis and evaluation of AI risks
| Code | Title |
|---|---|
| AIRMF-MS-1.1 | Appropriate methods and metrics for measuring AI risk are identified and applied |
| AIRMF-MS-2.1 | Test sets, evaluation criteria, and ongoing tracking are documented |
| AIRMF-MS-2.11 | Fairness and bias are evaluated and results documented |
| AIRMF-MS-2.7 | AI system security and resilience are evaluated |
| AIRMF-MS-2.8 | AI system explainability and interpretability are evaluated |
| AIRMF-MS-3.1 | Approaches and metrics for risk measurement are validated by stakeholders |
Your Compliance Coverage
If you comply with NIST AI Risk Management Framework (AI RMF 1.0), you already cover:
Canada Artificial Intelligence and Data Act (AIDA)
38%
20 controls mapped
Compare →ASEAN Guide on AI Governance and Ethics
31%
16 controls mapped
Compare →ISO/IEC 23894:2023
27%
14 controls mapped
Compare →+ 320 more: Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL) (25%), OECD AI Principles (23%)
See all 323 mapped frameworks ↓Maps to 323 other frameworks
Frequently Asked Questions
What is NIST AI Risk Management Framework (AI RMF 1.0)?
NIST AI Risk Management Framework (AI RMF 1.0) is a compliance framework from United States (NIST) with 9 domains and 52 controls. The NIST AI Risk Management Framework (AI RMF 1.0), published January 2023, provides a voluntary framework for managing risks associated with AI systems throughout their lifecycle. It is organized around four core functions: Govern, Map, Measure, and Manage. It is applicable to all organizations that design, develop, deploy, use, or maintain AI systems. It is used by organisations to establish and maintain compliance with industry standards and regulatory requirements.
How many controls does NIST AI Risk Management Framework (AI RMF 1.0) have?
NIST AI Risk Management Framework (AI RMF 1.0) has 52 controls organised across 9 domains. The largest domains are AI RMF Functions (31 controls), Measure (6 controls), Govern (5 controls). Each control defines specific requirements that organisations must implement to achieve compliance.
What frameworks does NIST AI Risk Management Framework (AI RMF 1.0) map to?
NIST AI Risk Management Framework (AI RMF 1.0) maps to 323 other compliance frameworks. The top mapping partners are Canada Artificial Intelligence and Data Act (AIDA) (38% coverage), ASEAN Guide on AI Governance and Ethics (31% coverage), ISO/IEC 23894:2023 (27% coverage). Use our comparison tool to explore control-level mappings between frameworks.
How do I get started with NIST AI Risk Management Framework (AI RMF 1.0) compliance?
Start your NIST AI Risk Management Framework (AI RMF 1.0) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about NIST AI Risk Management Framework (AI RMF 1.0) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 52 controls and track your progress.
Start Your Compliance Journey
Create a free account to run self-assessments, get AI advisory, and track your compliance progress across 723 frameworks.
Get Started Free →Free forever — no credit card required