Skip to Content
Governance and Compliance

What is the NIST AI RMF (the AI risk framework)?

The NIST AI RMF (AI Risk Management Framework) is a voluntary framework created by NIST, the United States standards institute, to help any organization identify, measure and manage the risks of artificial intelligence across its entire lifecycle. Published in 2023, it is not a checklist to tick but a shared language and a repeatable process to make AI trustworthy. Voluntary and free, it has become a reference adopted worldwide and cited by new AI laws as an accepted basis for governance.

Zamak TechnologiesUpdated on July 10, 2026

How the NIST AI RMF works in practice

The framework organizes AI risk management into four functions (Govern, Map, Measure and Manage) that work together. The first, Govern, runs across all the others; the following three form a cycle that repeats over the life of each AI system.

1

Govern, the base that holds everything up

Builds the AI risk culture and rules across the company: policies, roles, responsibilities and accountability. It is the function that runs across and enables all the others.

2

Map, understand the context

Identifies what each AI system is for, what data it uses, who could be affected and where the risks are. It is the map that informs the next two functions.

3

Measure, analyze and track

Uses quantitative and qualitative methods to test, assess and monitor the risk and the trustworthiness characteristics, before and during the system's use.

4

Manage, prioritize and act

Allocates resources to treat the mapped and measured risks: prioritizes responses, tracks third-party risk and documents the incident response plan.

Source: NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1), published by NIST in 2023.

The seven characteristics of trustworthy AI, according to NIST

  • Valid and reliable The AI does what it promises, with consistent, proven results, not only in a test but in real use.
  • Safe The system does not put people or the business at risk, even when it fails or is used in unexpected ways.
  • Secure and resilient It withstands attack and manipulation, and recovers when something goes wrong.
  • Accountable and transparent There is a clear owner for each system, and it is possible to know when and how the AI was used.
  • Explainable and interpretable It is possible to understand why the AI reached a result, instead of trusting a black box.
  • Privacy-enhanced The system respects and protects the personal data it handles.
  • Fair, with harmful bias managed The AI does not reproduce or amplify discrimination; bias is identified and controlled.

Why AI governance stopped being optional

90%
of organizations say their employees already use AI tools (ISACA, AI Pulse Poll 2026)
38%
have a formal, comprehensive AI policy (ISACA, 2026)
25%
have no active AI policy at all (ISACA, 2026)

AI use has surged; governance has lagged. Most companies already have employees pasting sensitive data into AI tools with no written rule, and that gap between adoption and control is exactly the risk. The NIST AI RMF gained traction because it solves the first problem every company faces here: giving a shared language and a process to talk about AI risk, from the intern to the board. It is the base that regulators across several markets have come to recognize, from the Americas to Europe and Asia, where new AI laws accept recognized frameworks like the NIST AI RMF or ISO/IEC 42001 as proof of risk management. Worth remembering: AI trustworthiness is only as strong as its weakest characteristic; being safe means little if the system is unfair or opaque.

How a company starts using the NIST AI RMF

The strength of the framework is that it is practical and proportional to risk. You do not have to implement everything at once; the most direct path:

  1. Start with GovernBefore the tools, set the AI use policy, who approves and who is accountable. It is the function that holds all the others up.
  2. Map the AI that already existsFind out which AI each department uses, with what data, including the shadow AI no one approved. What you do not map, you cannot govern.
  3. Measure what mattersAssess the risk and the trustworthiness characteristics of the highest-impact uses, not all of them at once.
  4. Manage and prioritizeTreat the biggest risks first, with a response plan and periodic review, instead of trying to solve everything together.
  5. Use the supporting resourcesThe framework comes with a practical guide (the Playbook) and a profile dedicated to generative AI, to adapt the functions to your context without starting from scratch.

In practice

The question that reveals the gap: if the board asked today which AI tools the company uses and what risk each one brings, would anyone have the answer in writing, or would it be an awkward silence?

How Zamak handles governance with the NIST AI RMF

Zamak Technologies supports AI governance using the NIST AI RMF as one of the paths within the Governance and Compliance of the Zamak Method: AI use policy, data classification, risk register, tool approval and auditable evidence on a compliance platform. One honest distinction: the framework documents and proves AI use, it does not technically block data from leaving, which is a separate technical defense layer, scoped on its own. A good starting point is the AI exposure self-check, which shows in minutes where the company is most exposed.

Frequently asked questions about the NIST AI RMF

Is the NIST AI RMF mandatory?
No. It is voluntary and free. But several laws and contract requirements already cite it as a recognized AI risk management framework, which makes it, in practice, a reference large clients expect to see.
What is the difference between the NIST AI RMF and ISO/IEC 42001?
The NIST AI RMF is a voluntary, free framework, created in the United States, that gives a shared language and a process to manage AI risk, with no certification. ISO/IEC 42001 is a certifiable international standard: an independent third party audits it and issues a certificate. Many companies use the NIST AI RMF to structure risk management and pursue ISO 42001 for external, certifiable proof. The two complement each other.
Does the NIST AI RMF cover generative AI, like ChatGPT?
Yes. Alongside the main framework, NIST published a profile dedicated to generative AI in 2024, which points out the specific risks of these tools and how the four functions apply to them.
Do I need to be a US company to use the framework?
No. Although it was created by the United States standards institute, the NIST AI RMF is used by organizations worldwide as a common reference, regardless of the country.
Does the framework technically stop data from leaking?
No. The NIST AI RMF is governance: it structures how to identify, measure and manage risk, and proves it. Actually stopping sensitive data from leaving is a separate technical defense layer that adds to governance.
What are the four functions of the NIST AI RMF?
Govern, Map, Measure and Manage. Govern is the base that runs across the other three; Map understands the context and the risks; Measure analyzes and tracks; Manage prioritizes and treats the risks.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake