## Quick Answer
The NIST AI Risk Management Framework 1.0 (January 2023) and its Generative AI Profile (NIST AI 600-1, July 2024) are the US government's voluntary standard for managing AI risk. Four functions — GOVERN, MAP, MEASURE, MANAGE — structure the lifecycle.
- Voluntary but referenced by OMB M-24-10, Colorado AI Act, and many state laws
- GenAI Profile adds 12 risks specific to generative AI
- Free to download at nist.gov/itl/ai-risk-management-framework
## What Is the NIST AI RMF?
NIST AI RMF 1.0 was published on 26 January 2023 after two years of multistakeholder development. Congress directed NIST to build the framework in the National AI Initiative Act of 2020. The framework is designed for organizational use across the AI lifecycle.
Its Generative AI Profile (NIST AI 600-1) was published on 26 July 2024, extending RMF 1.0 to cover 12 genAI-specific risks: CBRN information, confabulation, dangerous/violent/hateful content, data privacy, environmental impact, human-AI configuration, information integrity, information security, intellectual property, obscene/degrading content, toxicity/bias, and value chain/component integration.
## Key Details / Requirements

### The Four Functions
| Function | Purpose | Example Categories |
|---|---|---|
| GOVERN | Cultivate a culture of risk management | Policies, accountability, workforce |
| MAP | Establish context and identify risks | System framing, stakeholder engagement |
| MEASURE | Analyse risks and benefits | Metrics, testing, evaluation |
| MANAGE | Allocate resources and respond | Risk treatment, incident response |
### GenAI Profile Risks (NIST AI 600-1)
| Risk | Description |
|---|---|
| CBRN | Chemical, biological, radiological, nuclear uplift |
| Confabulation | Generating false but plausible output |
| Dangerous content | Instructions for violence or self-harm |
| Data privacy | Leakage of training or prompt data |
| Environmental | Compute and energy footprint |
| Human-AI | Over-reliance, automation bias |
| Information integrity | Disinformation, deepfakes |
| Information security | Model theft, prompt injection |
| IP | Copyright, trademark, trade secret |
| Obscene/degrading | NCII, CSAM |
| Toxicity/bias | Hateful or stereotyped output |
| Value chain | Third-party component risk |
## Real-World Examples / Case Studies

- OMB Memo M-24-10 (March 2024) — Made NIST AI RMF the default federal methodology for AI risk management.
- Colorado AI Act (SB 205) — References NIST AI RMF as a recognised compliance safe harbour.
- Singapore AI Verify Foundation — Cross-references NIST AI RMF with Singapore's Model AI Governance Framework.
- OECD AI Principles — The G7 Hiroshima Process Code of Conduct (October 2023) aligns with NIST RMF structure.
- Financial services — The Treasury's 2024 RFI on AI in financial services explicitly endorsed NIST AI RMF as a baseline.
## What This Means for Organisations
Implementing NIST AI RMF means:
- Establishing an AI governance team (GOVERN)
- Cataloguing AI systems and mapping context (MAP)
- Selecting metrics and running tests (MEASURE)
- Applying controls and tracking residual risk (MANAGE)
## Compliance Checklist
- Adopt NIST AI RMF as the organisation's AI risk baseline
- Publish an AI policy citing AI RMF
- Conduct a GOVERN maturity assessment
- For each AI system: produce MAP, MEASURE, MANAGE artefacts
- For generative AI: apply the GenAI Profile's 12-risk taxonomy
- Train engineers on AI RMF Playbook tasks
- Refresh annually and after major changes
## Conclusion
NIST AI RMF is the most widely referenced AI risk framework globally. Adoption is the fastest path to a defensible AI programme.
Operationalise NIST AI RMF with Misar AI's RMF-aligned governance toolkit.
