The NIST AI Risk Management Framework, Explained for Executives (2026)
The NIST AI Risk Management Framework is a voluntary US framework that organizes AI governance around four functions: Govern, Map, Measure, and Manage. It is becoming the common language for AI risk in the United States. Here is what each function means and what you actually do about it.
The NIST AI Risk Management Framework is a voluntary framework from the US National Institute of Standards and Technology, released in January 2023, that organizes AI governance around four functions: Govern, Map, Measure, and Manage. It is not a law and it carries no penalties of its own. Its importance is that it has become the common language for AI risk in the United States, the reference buyers, partners, and regulators point to when they ask how you manage your AI. For an executive, knowing the four functions and what each one actually asks of you is enough to hold a credible conversation and to direct the work.
The four functions in plain terms
The framework’s structure is its most useful part. Each function answers a different question, and together they cover the lifecycle of an AI system.
| Function | What it means | What you actually do |
|---|---|---|
| Govern | A culture and structure for managing AI risk | Name who is accountable, set policies, define risk tolerance |
| Map | Understand the context and risks of each use | Inventory AI uses, identify what could go wrong and for whom |
| Measure | Assess and track those risks with evidence | Define metrics, test for accuracy and harm, document results |
| Manage | Act on the risks and keep watching | Prioritize, mitigate, monitor, and respond over time |
Govern is the foundation and sits across the other three: it is about who owns AI risk and what the rules are. Map is about knowing what you are actually deploying and what could go wrong with it. Measure is about replacing assumptions with evidence through real testing. Manage is about doing something with what you learn and continuing to watch, because an AI system’s behavior drifts as the world and the data around it change. The full framework is published by NIST, and in July 2024 NIST added a Generative AI Profile that applies the same structure specifically to generative systems.
Why a voluntary framework matters
Executives reasonably ask why they should care about guidance that is not law. The answer is that voluntary does not mean optional in practice. The framework has become the shared vocabulary for AI risk, which means your customers’ security questionnaires reference it, your partners expect you to speak it, and US federal AI requirements and procurement increasingly point toward it. Adopting it is less about compliance in the legal sense and more about being legible to everyone who needs to trust your AI. The four functions are also a disciplined way to avoid being surprised by your own systems.
An executive checklist
You do not need to run the implementation yourself, but you should be able to confirm these are happening:
- Ownership. Someone is clearly accountable for AI risk, with the authority to act.
- Inventory. You have a list of where AI is actually used in the business, not a guess.
- Risk mapping. For each meaningful use, you know what could go wrong and who it would affect.
- Measurement. Accuracy and harm are tested against real baselines, not assumed.
- Documentation. There is an audit trail that records how AI-influenced decisions were made.
- Monitoring. Someone is watching for drift and responding, not setting it and forgetting it.
If those six are true, you are substantially aligned with the framework. If any are missing, you have found the next piece of work, and you have found it before a regulator or a customer does.
How it connects to everything else
The NIST framework does not stand alone. Its Measure and Manage functions are exactly what a designed-in audit trail supports, and an organization that implements it well will have done much of the groundwork the EU AI Act demands in law, though the framework alone does not satisfy the Act. For government and public-sector teams it is becoming a baseline expectation, alongside the sovereignty and accountability requirements those institutions already carry.
When we build a custom AI workflow or a private deployment, we design it against the framework’s functions from the start, because building the governance and measurement into the system is far cheaper than retrofitting it onto a finished one, a point we make in our broader guide to deploying AI in regulated industries. Because we are an AI-native firm, the engineers who map your use cases to the four functions are the same ones who build the system around them, so the governance is part of the design rather than a layer bolted on afterward. If you want help mapping your AI uses to the four functions, book a demo and we will walk through it with you.
Frequently asked questions
- What is the NIST AI RMF?
- The NIST AI Risk Management Framework is a voluntary framework published by the US National Institute of Standards and Technology in January 2023 to help organizations manage the risks of AI systems. It organizes the work around four functions, Govern, Map, Measure, and Manage, and is designed to be flexible across sectors and system types. It is guidance rather than law, but it has become a common reference point for how US organizations talk about and document AI risk.
- Is the NIST AI RMF mandatory?
- No. The NIST AI RMF is voluntary and carries no penalties of its own. Its influence comes from adoption: buyers, partners, and increasingly regulators reference it, so designing against it has become a practical expectation even though no law compels it. Some federal AI requirements and procurement expectations point to it, which gives it weight beyond its voluntary status.
- How do I implement the NIST AI framework?
- Start with Govern by establishing who is accountable for AI risk and what your policies are, then Map the context and risks of each AI use case, Measure those risks with real metrics and testing, and Manage them by acting on what you find and monitoring over time. In practice this means naming an owner, inventorying your AI uses, defining how you will measure accuracy and harm, and building the documentation and audit trail to support it.
- How does the NIST AI RMF relate to the EU AI Act?
- They are complementary but different in nature. The NIST AI RMF is voluntary US guidance focused on managing risk through good practice, while the EU AI Act is binding law that classifies AI systems by risk and imposes obligations with penalties. An organization that has implemented the NIST framework well will find much of the groundwork for EU AI Act compliance already in place, but the framework does not by itself satisfy the Act's legal requirements.