
The NIST AI RMF, Explained

The NIST AI Risk Management Framework is one of the three references most teams map their AI governance to, alongside ISO 42001 and the EU AI Act. Unlike the other two, it is neither a certification nor a law. It is a practical, voluntary guide to thinking about AI risk. This is what it is and how to use it.

What the NIST AI RMF is

Released in January 2023 by the US National Institute of Standards and Technology, with a Generative AI profile added in July 2024, the framework gives organizations a common way to identify, assess, and manage the risks of AI systems. It is voluntary and not certifiable. Its value is as a shared vocabulary and a set of practices you can adopt at whatever depth suits you.

The four functions

Why teams use it

It is flexible and free, and it does not lock you into a certification path. It pairs cleanly with ISO 42001 and the EU AI Act, so many teams use its language to structure the risk work those two require. For a company just starting, it is an approachable way to think about what could go wrong and what to do about it.

Put it into practice

The templates that operationalize it

The Extrasphere Complete Toolkit turns the Map, Measure, and Manage work into documents: an inventory, a risk register, an impact assessment, and more, mapped across NIST, ISO 42001, and the EU AI Act. One-time $299, and it includes 12 months of update re-issues. Start free with a policy and checklist.

How it fits with ISO 42001 and the EU AI Act

Think of the three as layers. The NIST AI RMF is how you think about risk. ISO 42001 is the management system that makes governance repeatable and certifiable. The EU AI Act is the legal obligation for anyone with European exposure. They reinforce each other, and because they overlap heavily, work you do for one moves you forward on the others.

Frequently asked questions

What is the NIST AI RMF?

A voluntary framework for identifying and managing AI risks, organized around Govern, Map, Measure, and Manage.

Is it mandatory?

No, it is voluntary and not certifiable, though it is widely used as a reference.

When was it released?

January 2023, with a Generative AI profile added in July 2024.

How does it relate to ISO 42001?

The RMF is a risk practice; ISO 42001 is a certifiable management system. They complement each other.
