Key facts
- The NIST AI RMF is voluntary, not a legal requirement.
- It is organised around four functions: Govern, Map, Measure, Manage.
- Widely used as a practical complement to EU AI Act compliance work.
- Focuses on risk management structure rather than prescribing specific technical controls.
- Compatible with, and often mapped against, other frameworks such as ISO/IEC 42001.
The four functions
- Govern establishes the culture, policies and accountability structures for managing AI risk across the organisation.
- Map builds understanding of the context in which an AI system operates and the risks that context creates.
- Measure involves assessing, benchmarking and monitoring identified risks.
- Manage covers prioritising and acting on risk, including response and recovery.
Why organisations use it alongside the EU AI Act
The EU AI Act sets out legal obligations but does not prescribe a specific risk management methodology. The NIST AI RMF fills that gap with a structured, well-documented approach that many organisations already use for other technology risk domains, making it a natural extension for AI-specific risk.
How it relates to ISO/IEC 42001
The NIST AI RMF and ISO/IEC 42001 cover similar ground — both address AI risk and governance — but ISO/IEC 42001 is a certifiable management system standard, while the NIST AI RMF is a voluntary framework without formal certification. Organisations often use both together, with ISO/IEC 42001 providing the certifiable structure and the NIST AI RMF providing supplementary risk management detail.
Getting started
Most organisations begin with the Govern function — establishing basic accountability and policy — before moving to Map, Measure and Manage for specific high-priority AI systems, rather than attempting to apply the full framework across every system at once.
Frequently asked questions
What is the NIST AI Risk Management Framework?
A voluntary US framework for managing AI risk, organised around four functions: Govern, Map, Measure and Manage.
Is the NIST AI RMF a legal requirement?
No — it is voluntary, though widely adopted as good practice alongside legal obligations such as the EU AI Act.
What are the four functions of the NIST AI RMF?
Govern, Map, Measure and Manage.
How does the NIST AI RMF relate to ISO/IEC 42001?
They cover similar ground, but ISO/IEC 42001 is certifiable while the NIST AI RMF is a voluntary framework without formal certification — many organisations use both.
Where should an organisation start with the NIST AI RMF?
With the Govern function — establishing basic accountability and policy — before applying Map, Measure and Manage to specific AI systems.
Last updated 19 June 2026.