NIST AI RMF
The NIST AI Risk Management Framework, published by the U.S. National Institute of Standards and Technology in January 2023 as NIST AI 100-1 and supplemented by the Generative AI Profile (NIST AI 600-1) in July 2024, is a voluntary framework that organizes AI risk management into four functions: Govern, Map, Measure, Manage. Each function decomposes into categories and subcategories that map to concrete practices. Federal agencies and federal contractors adopt it under OMB guidance, and private-sector deployers use it as the de facto reference for AI risk programs that need a common vocabulary across regulators, auditors, and internal stakeholders.
How the four functions hang together
Govern establishes the AI risk culture, accountability lines, and policy scaffolding before any system is built. Map identifies the AI system context: who uses it, what data feeds it, what the deployed environment looks like, and what harms it could cause. Measure produces the metrics, tests, and evaluations the organization uses to track risk over time. Manage allocates resources, prioritizes risks, and responds to incidents. The functions are not sequential; they run continuously and feed each other. The Generative AI Profile adds 12 GAI-specific risks (confabulation, harmful bias, dangerous content, etc.) that each function has to address.
Where the framework intersects DeepInspect's architecture
The Map function asks the deployer to inventory AI usage across the organization, including unsanctioned tools, which is the shadow AI problem framed in risk-management vocabulary. The Measure function asks for ongoing evidence that policies are working, which in practice means per-decision audit data that the AI application itself does not emit. The Manage function asks for the ability to respond inline when a high-risk pattern appears, which is enforcement at the request boundary rather than detection after the fact. NIST AI RMF reads as voluntary, but federal procurement language increasingly treats it as a precondition for awarding contracts to AI vendors.
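As an added illustration, not DeepInspect's code or any NIST artifact, the following Python sketches a request-boundary enforcement point that produces the per-request records the three functions above call for: an endpoint inventory check for Map, aggregated evidence for Measure, and an inline allow/block decision for Manage, with every record carrying identity, classification, policy version, and outcome. The endpoint hostnames, classifier patterns, policy labels, and sample requests are all assumptions constructed for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

# Map: the reviewed inventory of AI endpoints. Anything outside this set is
# unsanctioned ("shadow AI") and is recorded as such. Hostnames are assumed.
SANCTIONED_ENDPOINTS = {"api.approved-llm.example"}

# Measure: content classifiers applied to every request. These regexes are
# constructed for illustration and are far coarser than production detectors.
CLASSIFIERS = {
    "secret": re.compile(r"\b(?:api|secret)[_-]?key\s*[:=]\s*\S+", re.IGNORECASE),
    "pii_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Manage: the policy in force, versioned so each record can cite it (label assumed).
POLICY_VERSION = "2024-07-v3"
BLOCK_ON = {"secret"}    # classes that stop the request inline
REVIEW_ON = {"pii_ssn"}  # classes that pass but are flagged for review


@dataclass
class Request:
    request_id: str
    user: str
    role: str
    endpoint: str
    prompt: str


@dataclass
class AuditRecord:
    """One per-request record: identity, classification, policy state, outcome."""
    request_id: str
    user: str
    role: str
    endpoint: str
    sanctioned: bool
    classifications: list[str] = field(default_factory=list)
    policy_version: str = POLICY_VERSION
    decision: str = "allow"
    reason: str = ""


def classify(prompt: str) -> list[str]:
    """Return the sorted names of every classifier that matched the prompt."""
    return sorted(name for name, rx in CLASSIFIERS.items() if rx.search(prompt))


def enforce(req: Request) -> AuditRecord:
    """Decide inline at the request boundary and emit the audit record.

    An unsanctioned endpoint is blocked before content is inspected, so the
    inventory gap itself becomes evidence rather than a silent pass-through.
    """
    rec = AuditRecord(
        request_id=req.request_id,
        user=req.user,
        role=req.role,
        endpoint=req.endpoint,
        sanctioned=req.endpoint in SANCTIONED_ENDPOINTS,
        classifications=classify(req.prompt),
    )
    hits = set(rec.classifications)
    if not rec.sanctioned:
        rec.decision, rec.reason = "block", "unsanctioned endpoint"
    elif BLOCK_ON & hits:
        rec.decision, rec.reason = "block", "blocked class: " + ",".join(sorted(BLOCK_ON & hits))
    elif REVIEW_ON & hits:
        rec.decision, rec.reason = "allow_flagged", "review class: " + ",".join(sorted(REVIEW_ON & hits))
    else:
        rec.decision, rec.reason = "allow", "no policy match"
    return rec


def measure(records: list[AuditRecord]) -> dict[str, object]:
    """Aggregate the ongoing evidence the Measure function asks for."""
    return {
        "by_decision": dict(Counter(r.decision for r in records)),
        "by_class": dict(Counter(c for r in records for c in r.classifications)),
        "unsanctioned_share": sum(not r.sanctioned for r in records) / len(records),
        "policy_versions": sorted({r.policy_version for r in records}),
    }


# Constructed sample traffic, not real requests or real credentials.
SAMPLE_REQUESTS = [
    Request("r1", "alice", "analyst", "api.approved-llm.example", "Summarize this quarterly report."),
    Request("r2", "bob", "engineer", "api.approved-llm.example", "Debug: api_key=sk-test-000 fails"),
    Request("r3", "carol", "hr", "api.approved-llm.example", "Employee 123-45-6789 asked about leave."),
    Request("r4", "dave", "analyst", "chat.unknown-tool.example", "Rewrite this memo."),
]


def run_sample() -> list[AuditRecord]:
    """Push the constructed traffic through the enforcement point."""
    return [enforce(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    recs = run_sample()
    for r in recs:
        print(r.request_id, r.user, r.decision, r.reason, r.classifications)
    print(measure(recs))
```

Each AuditRecord is the unit of evidence: the identity fields serve Govern's accountability lines, `sanctioned` is the Map inventory check, `classifications` and the `measure` aggregates are Measure, and `decision` is the inline Manage response. Recording `policy_version` on every record is what lets an auditor tie an outcome to the rule set that was in force at the time.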
Related reading
- NIST AI RMF Implementation: From Govern, Map, Measure, Manage to Production Controls
NIST AI RMF 1.0 defines four functions: Govern, Map, Measure, Manage. The framework is voluntary, but federal procurement and state AI laws increasingly cite it as the baseline. Implementation runs to dozens of decisions across identity, classification, policy enforcement, and audit. Most deployments stop at Govern.
- NIST AI RMF vs EU AI Act: Where the Frameworks Overlap and Diverge
NIST AI RMF is a voluntary US framework. The EU AI Act is binding law with penalties reaching 35M EUR or 7% of global turnover. The two frameworks converge on the same operational evidence: per-request records that capture identity, classification, policy state, and decision outcome.
- EU AI Act Compliance Checklist: The 23 Items Your Deployment Must Pass
A 23-item operational checklist for EU AI Act high-risk compliance, organized across scope, documentation, evidence, monitoring, and incident reporting. The mandate takes effect August 2, 2026. Items 12 to 18 are where most deployments fail.