The NIST AI RMF, Explained
The NIST AI Risk Management Framework is one of the three references most teams map their AI governance to, alongside ISO 42001 and the EU AI Act. Unlike the other two, it is neither a certification nor a law. It is a practical, voluntary guide to thinking about AI risk. This is what it is and how to use it.
What the NIST AI RMF is
Released in January 2023 by the US National Institute of Standards and Technology, with a Generative AI profile added in July 2024, the framework gives organizations a common way to identify, assess, and manage the risks of AI systems. It is voluntary and not certifiable. Its value is as a shared vocabulary and a set of practices you can adopt at whatever depth suits you.
The four functions
- Govern. Build the culture, roles, and accountability for managing AI risk across the organization. This is the foundation the other three rest on.
- Map. Understand the context of each AI system, what it does, who it affects, and where the risks are.
- Measure. Assess and track those risks, using appropriate methods and metrics.
- Manage. Act on the risks, prioritizing, mitigating, and monitoring them over time.
Why teams use it
It is flexible and free, and it does not lock you into a certification path. It pairs cleanly with ISO 42001 and the EU AI Act, so many teams use its language to structure the risk work those two require. For a company just starting, it is an approachable way to think about what could go wrong and what to do about it.
The templates that operationalize it
The Extrasphere Complete Toolkit turns the Map, Measure, and Manage work into documents: an inventory, a risk register, an impact assessment, and more, mapped across NIST, ISO 42001, and the EU AI Act. One-time $299, and it includes 12 months of update re-issues. Start free with a policy and checklist.
How it fits with ISO 42001 and the EU AI Act
Think of the three as layers. The NIST AI RMF is how you think about risk. ISO 42001 is the management system that makes governance repeatable and certifiable. The EU AI Act is the legal obligation for anyone with European exposure. They reinforce each other, and because they overlap heavily, work you do for one moves you forward on the others.
Frequently asked questions
What is the NIST AI RMF? A voluntary framework for identifying and managing AI risks, organized around Govern, Map, Measure, and Manage.
Is the NIST AI RMF certifiable? No, it is voluntary and not certifiable, though it is widely used as a reference.
When was it released? January 2023, with a Generative AI profile added in July 2024.
How does it differ from ISO 42001? The RMF is a risk practice; ISO 42001 is a certifiable management system. They complement each other.