What is the NIST AI RMF (the AI risk framework)?
The NIST AI RMF (AI Risk Management Framework) is a voluntary framework created by NIST, the United States standards institute, to help any organization identify, measure and manage the risks of artificial intelligence across its entire lifecycle. Published in 2023, it is not a checklist to tick but a shared language and a repeatable process to make AI trustworthy. Voluntary and free, it has become a reference adopted worldwide and cited by new AI laws as an accepted basis for governance.
How the NIST AI RMF works in practice
The framework organizes AI risk management into four functions (Govern, Map, Measure and Manage) that work together. The first, Govern, runs across all the others; the following three form a cycle that repeats over the life of each AI system.
Govern, the base that holds everything up
Builds the AI risk culture and rules across the company: policies, roles, responsibilities and accountability. It is the function that runs across and enables all the others.
Map, understand the context
Identifies what each AI system is for, what data it uses, who could be affected and where the risks are. It is the map that informs the next two functions.
Measure, analyze and track
Uses quantitative and qualitative methods to test, assess and monitor the risk and the trustworthiness characteristics, before and during the system's use.
Manage, prioritize and act
Allocates resources to treat the mapped and measured risks: prioritizes responses, tracks third-party risk and documents the incident response plan.
Source: NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1), published by NIST in 2023.
The seven characteristics of trustworthy AI, according to NIST
- Valid and reliable The AI does what it promises, with consistent, proven results, not only in a test but in real use.
- Safe The system does not put people or the business at risk, even when it fails or is used in unexpected ways.
- Secure and resilient It withstands attack and manipulation, and recovers when something goes wrong.
- Accountable and transparent There is a clear owner for each system, and it is possible to know when and how the AI was used.
- Explainable and interpretable It is possible to understand why the AI reached a result, instead of trusting a black box.
- Privacy-enhanced The system respects and protects the personal data it handles.
- Fair, with harmful bias managed The AI does not reproduce or amplify discrimination; bias is identified and controlled.
Why AI governance stopped being optional
AI use has surged; governance has lagged. Most companies already have employees pasting sensitive data into AI tools with no written rule, and that gap between adoption and control is exactly the risk. The NIST AI RMF gained traction because it solves the first problem every company faces here: giving a shared language and a process to talk about AI risk, from the intern to the board. It is the base that regulators across several markets have come to recognize, from the Americas to Europe and Asia, where new AI laws accept recognized frameworks like the NIST AI RMF or ISO/IEC 42001 as proof of risk management. Worth remembering: AI trustworthiness is only as strong as its weakest characteristic; being safe means little if the system is unfair or opaque.
How a company starts using the NIST AI RMF
The strength of the framework is that it is practical and proportional to risk. You do not have to implement everything at once; the most direct path:
- Start with GovernBefore the tools, set the AI use policy, who approves and who is accountable. It is the function that holds all the others up.
- Map the AI that already existsFind out which AI each department uses, with what data, including the shadow AI no one approved. What you do not map, you cannot govern.
- Measure what mattersAssess the risk and the trustworthiness characteristics of the highest-impact uses, not all of them at once.
- Manage and prioritizeTreat the biggest risks first, with a response plan and periodic review, instead of trying to solve everything together.
- Use the supporting resourcesThe framework comes with a practical guide (the Playbook) and a profile dedicated to generative AI, to adapt the functions to your context without starting from scratch.
In practice
The question that reveals the gap: if the board asked today which AI tools the company uses and what risk each one brings, would anyone have the answer in writing, or would it be an awkward silence?
How Zamak handles governance with the NIST AI RMF
Zamak Technologies supports AI governance using the NIST AI RMF as one of the paths within the Governance and Compliance of the Zamak Method: AI use policy, data classification, risk register, tool approval and auditable evidence on a compliance platform. One honest distinction: the framework documents and proves AI use, it does not technically block data from leaving, which is a separate technical defense layer, scoped on its own. A good starting point is the AI exposure self-check, which shows in minutes where the company is most exposed.