NIST GenAI Profile (NIST AI 600-1): The Government's Baseline for Generative AI Risk
NIST published the Generative AI Profile (NIST AI 600-1) in July 2024 as a companion to the AI Risk Management Framework 1.0 (NIST AI 100-1). The Profile catalogs 12 GenAI-specific risks and maps mitigation actions to the AI RMF's four core functions (GOVERN, MAP, MEASURE, MANAGE). Federal agencies operating under OMB Memorandum M-24-10 (Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence, March 2024) use the Profile as the reference for their generative AI risk assessments. Enterprises subject to executive orders, government contract clauses, or sector-specific guidance rely on the Profile in a similar way.
I want to walk through the 12 risk categories the Profile identifies, the mapping to the four RMF functions, the specific mitigation actions the Profile lists at the deployment layer, and the audit records the deployer produces to demonstrate the mitigations.
The 12 GenAI risk categories
The Profile identifies 12 risks in Section 2. Some risks are amplified by GenAI, and some are novel to GenAI.
CBRN Information or Capabilities. Risk that a GenAI model produces information or capabilities that enable chemical, biological, radiological, or nuclear misuse. Mitigation typically operates at the model provider (red-team testing, refusal behavior) and at the deployer (usage policies).
Confabulation. Risk that a GenAI model produces confidently false output. Mitigation at the deployer includes output validation and human review for high-stakes decisions.
Dangerous, Violent, or Hateful Content. Risk of generating content that promotes harm. Mitigation includes model provider guardrails and deployer content filters.
Data Privacy. Risk that a GenAI model leaks personal information, either from the training data or from context provided at inference. Mitigation includes input redaction, output classification, and audit logging.
Environmental Impacts. Risk of high energy consumption and carbon emissions from GenAI training and inference. Mitigation at the deployer includes model selection and usage optimization.
Harmful Bias and Homogenization. Risk of biased output or convergence of thinking around the model's default views. Mitigation includes bias testing, diverse evaluation sets, and diversity of models.
Human-AI Configuration. Risk of over-reliance, under-reliance, or misplaced trust in AI systems. Mitigation includes user interface design and human oversight requirements.
Information Integrity. Risk of AI-generated misinformation, disinformation, or deepfakes. Mitigation includes provenance tracking, watermarking, and disclosure.
Information Security. Risk to the security of the AI system itself and the systems it interacts with. Mitigation includes prompt injection defenses, output sanitization, and secure integration patterns.
Intellectual Property. Risk of copyright infringement in training data or model output. Mitigation includes training data sourcing, output filtering, and legal review.
Obscene, Degrading, and/or Abusive Content. Risk of generating harmful content targeting individuals. Mitigation includes content filters and usage policies.
Value Chain and Component Integration. Risk from third-party components in the GenAI supply chain. Mitigation includes supplier due diligence and component testing.
The mapping to the four RMF functions
The Profile organizes the mitigation actions by the four RMF functions.
GOVERN establishes the organizational structures, policies, and accountabilities. GenAI-specific GOVERN actions include: assign the AI Risk Owner and the AI Policy Owner roles, document the AI acceptable use policy that names the GenAI-specific risks, allocate resources for GenAI-specific testing and monitoring, and integrate GenAI risk into the enterprise risk management framework.
MAP produces the risk understanding for the specific context. GenAI-specific MAP actions include: inventory the GenAI systems in use, document the intended purpose and use case for each, identify the affected persons and stakeholders, and map the applicable risks from the 12 categories to each system.
MEASURE assesses the risks. GenAI-specific MEASURE actions include: test the AI system against the applicable risk categories, produce evaluation records with the results, document the residual risk after mitigation, and re-evaluate on a defined cadence.
MANAGE addresses the residual risk. GenAI-specific MANAGE actions include: apply the mitigation controls (usage policy, gateway enforcement, human oversight), monitor the AI system's operation, respond to incidents, and communicate risk status to accountable parties.
The specific mitigation actions at the deployment layer
The Profile lists specific actions in Section 3. Deployers of a GenAI system focus on the deployment-layer subset.
MG-1.1: Define acceptable and unacceptable uses. The AI Usage Policy artifact.
MG-2.2: Document known incidents and near-misses. The incident record from the runbook execution.
MG-4.3: Establish incident disclosure processes. The regulatory disclosure playbook for SEC 8-K, EU AI Act Article 26.4, HIPAA breach notification, and state-law breach notifications.
MS-2.7: Test for privacy-relevant risks. The data protection impact assessment records and the classifier test results.
MS-2.12: Test for information integrity risks. The content provenance and disclosure records.
MP-2.3: Define human oversight. The role assignment and competence records.
MP-4.1: Establish policies for GenAI vendor relationships. The supplier due diligence records.
MP-5.1: Determine the risk tolerance and disposition. The risk register with the disposition decisions.
GV-3.2: Ensure organizational roles and responsibilities for AI risk. The RACI matrix.
GV-6.2: Establish procedures for incident response. The runbook artifact.
The full Section 3 lists dozens more. The deployer's implementation program picks the applicable actions and produces the evidence for each.
The interaction with OMB M-24-10
OMB M-24-10 sets requirements for federal agency use of AI. The memorandum names the AI RMF as the reference framework. Agencies deploy the AI RMF Profile (the general AI Profile or the GenAI Profile) as their internal framework.
M-24-10 introduces the concepts of "safety-impacting" and "rights-impacting" AI, with specific minimum practices required for each. The minimum practices include impact assessments, testing, notice to affected persons, opt-out where practicable, and monitoring.
Enterprises that contract with federal agencies inherit similar obligations through government contract clauses. The Federal Acquisition Regulation is being updated to include AI-specific provisions, and the interim guidance uses the M-24-10 minimum practices as the reference.
The deployer's audit records under the Profile
The audit records that support the Profile's actions come from the same inspection layer that supports the AI RMF, ISO 42001, and the EU AI Act.
The per-decision audit record supports MG-1.1 (acceptable use enforcement), MG-2.2 (incident documentation), MS-2.7 (privacy testing), and MS-2.12 (information integrity monitoring).
The policy configuration record supports GV-6.2 (incident response) and MG-1.1 (acceptable use definition).
The identity federation record supports GV-3.2 (roles and responsibilities) and MP-2.3 (human oversight).
The supplier evaluation record supports MP-4.1 (vendor relationships).
The risk register supports MP-5.1 (risk tolerance) and GV-3.2 (organizational structure).
The single record series that carries the per-decision audit information satisfies most of the Section 3 evidence requests. Additional artifacts (policy documents, RACI matrices, test results) sit alongside the audit records.
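To make the per-decision record concrete, here is an added illustration of what a gateway emits for one request. This is example code written for this article; it is not DeepInspect's implementation and not an artifact defined by the Profile. The policy version id, the unacceptable-use categories, the two PII patterns and the record field names are constructed assumptions. The only identifiers taken from the text are the Profile subcategory IDs the article says the per-decision record supports (MG-1.1, MG-2.2, MS-2.7, MS-2.12); each record lists the IDs it can serve as evidence for, so an evidence pack can be assembled by counting over the record series.

```python
"""Per-decision audit record for a GenAI gateway (illustrative, not DeepInspect's code).

Everything here except the Profile subcategory IDs is a constructed assumption.
"""
from __future__ import annotations

import hashlib
import json
import re
import uuid
from collections import Counter
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed acceptable-use policy: the MG-1.1 artifact reduced to data.
POLICY_ID = "aup-example-v1"  # hypothetical policy version identifier
UNACCEPTABLE_USE = {"automated-employment-decision", "unreviewed-medical-advice"}

# Constructed privacy classifier: two regexes stand in for a real PII classifier.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "us-ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def policy_hash() -> str:
    """Hash of the enforced policy, so each record pins the policy version it applied."""
    body = json.dumps({"id": POLICY_ID, "deny": sorted(UNACCEPTABLE_USE)}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()


def redact(text: str) -> tuple[str, dict[str, int]]:
    """Replace PII matches with typed placeholders and return a count per PII type."""
    findings: dict[str, int] = {}
    for kind, pattern in PII_PATTERNS.items():
        text, n = pattern.subn(f"[REDACTED:{kind}]", text)
        if n:
            findings[kind] = n
    return text, findings


@dataclass
class AuditRecord:
    record_id: str
    timestamp: str
    principal: str            # identity from the federation layer
    use_category: str
    decision: str             # "allow", "allow-with-redaction" or "deny"
    reason: str
    prompt_sha256: str        # hash of the redacted prompt; raw text never enters the record
    findings: dict[str, int]  # classifier verdicts, by PII type
    policy_id: str
    policy_sha256: str
    output_disclosure: bool   # whether an AI-generated-content label was attached
    evidence_for: list[str] = field(default_factory=list)  # Profile subcategory IDs


def gate(principal: str, use_category: str, prompt: str,
         *, disclose_output: bool = True) -> tuple[Optional[str], AuditRecord]:
    """Apply the usage policy and the privacy classifier; return the forwardable prompt
    (None when denied) and the audit record for the decision."""
    redacted, findings = redact(prompt)
    evidence = ["MG-1.1"]  # every record is acceptable-use enforcement evidence

    if use_category in UNACCEPTABLE_USE:
        decision = "deny"
        reason = f"use category '{use_category}' is unacceptable under {POLICY_ID}"
        evidence.append("MG-2.2")  # a denied request is logged as an incident candidate
        forward, disclosed = None, False
    else:
        decision = "allow-with-redaction" if findings else "allow"
        reason = "permitted use; PII redacted before forwarding" if findings else "permitted use"
        forward, disclosed = redacted, disclose_output

    if findings:
        evidence.append("MS-2.7")   # privacy classifier produced a verdict
    if disclosed:
        evidence.append("MS-2.12")  # output carried a disclosure label

    record = AuditRecord(
        record_id=str(uuid.uuid4()),
        timestamp=datetime.now(timezone.utc).isoformat(),
        principal=principal,
        use_category=use_category,
        decision=decision,
        reason=reason,
        prompt_sha256=hashlib.sha256(redacted.encode()).hexdigest(),
        findings=findings,
        policy_id=POLICY_ID,
        policy_sha256=policy_hash(),
        output_disclosure=disclosed,
        evidence_for=evidence,
    )
    return forward, record


def to_json(record: AuditRecord) -> str:
    """Serialize one record as a single JSON line for the audit log."""
    return json.dumps(asdict(record), sort_keys=True)


def coverage(records: list[AuditRecord]) -> dict[str, int]:
    """Count how many records can serve as evidence for each Profile subcategory."""
    return dict(Counter(aid for r in records for aid in r.evidence_for))


if __name__ == "__main__":
    # Constructed sample requests.
    fwd, rec = gate("alice@example.gov", "document-drafting",
                    "Email john.doe@example.com, SSN 123-45-6789, about the draft.")
    _, denied = gate("bob@example.gov", "automated-employment-decision", "Rank these candidates.")
    print(to_json(rec))
    print(to_json(denied))
    print(coverage([rec, denied]))
```

The record stores a hash of the redacted prompt rather than the prompt itself, so the audit series does not become a second copy of the personal data it is meant to show was handled. The `evidence_for` list is what lets the same record series answer several Section 3 requests at once, which is the point the paragraph above makes.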
The relationship to sector-specific profiles
NIST is developing sector-specific profiles that extend the AI RMF. The Cybersecurity Profile for AI (draft, 2026) covers cybersecurity risks to AI systems. The Critical Infrastructure Profile (draft, 2026) covers AI use in critical infrastructure sectors. The COSAiS (Cybersecurity Overlay for Secure AI Systems) overlays for Single-Agent and Multi-Agent systems will apply to federal AI deployments in high-risk categories.
Enterprises subject to sector-specific guidance layer the sector profile on top of the base AI RMF and the GenAI Profile. The evidence set overlaps substantially, so the incremental effort is bounded.
DeepInspect
The DeepInspect gateway produces the per-decision audit records that support the deployer-layer mitigation actions the Profile lists. The gateway's policy enforcement satisfies the MG-1.1 acceptable-use enforcement. The gateway's audit records satisfy MG-2.2 incident documentation. The gateway's classifier verdicts satisfy MS-2.7 privacy risk testing and MS-2.12 integrity monitoring.
The gateway's evidence pack supports federal contractor readiness under OMB M-24-10. The pack aligns to the AI RMF's four functions and can be produced as a section within the enterprise's overall M-24-10 response.
If your team is preparing a NIST GenAI Profile implementation or an OMB M-24-10 response, let's talk today.
Frequently asked questions
- Is the NIST GenAI Profile mandatory for federal agencies?
The AI RMF is voluntary but is the NIST reference for federal AI risk management. OMB M-24-10 requires agencies to align to the RMF for their AI programs. The GenAI Profile is the operational form for generative AI.
- Does the Profile apply to enterprises that do not contract with the federal government?
The Profile is not mandatory for private-sector enterprises unless a sector-specific regulation or a contract requires it. Enterprises adopt the Profile voluntarily for the risk management structure it provides. Financial services, healthcare, and defense-sector enterprises often align to the RMF and the Profile as a matter of practice.
- How does the Profile compare to the EU AI Act?
The Profile is a voluntary risk management framework. The EU AI Act is a binding regulation with specific obligations for high-risk AI systems. The Profile's risk categories overlap substantially with the AI Act's Article 9 risk management requirements. Enterprises deploying in both jurisdictions typically map their controls to satisfy both frameworks.
- Do I need separate documentation for the Profile and the AI RMF?
The Profile is a companion document to the RMF. The evidence pack is largely shared: the same risk register, the same control mapping, the same audit records. The Profile-specific additions are the 12 GenAI risk categories and the Section 3 actions.
- How often does the Profile get updated?
NIST updates the Profile in cadence with the AI RMF. The RMF's next major version is expected in 2026-2027. The GenAI Profile will be updated in parallel to reflect the current risks. The interim updates come through the NIST AI Safety Institute's guidance.