NIST AI Risk Management Framework (AI RMF 1.0) Explained
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework, released in January 2023, that helps organizations manage the risks of artificial intelligence systems. It is built around four core functions — Govern, Map, Measure, and Manage — supported by a Playbook of practical actions and use-case Profiles.
Publication and status
AI RMF 1.0 was published in January 2023 as a voluntary, non-prescriptive framework. It was designed to be sector-agnostic and adaptable, so a hospital system, a bank, and a software vendor can all use the same four functions while tailoring the underlying practices to their context. A Generative AI Profile followed in July 2024, extending the framework to cover model release, content provenance, and misuse risks.
The four core functions
- Govern — establish the culture, policies, roles, accountability, and processes that make AI risk management a discipline the organization sustains over time.
- Map — build shared understanding of the AI system: purpose, stakeholders, data flows, potential benefits, and potential harms across the lifecycle.
- Measure — apply quantitative and qualitative techniques to analyze, benchmark, and monitor risks, including performance, bias, robustness, and security.
- Manage — prioritize identified risks and apply treatments such as controls, mitigations, transfer, acceptance, or avoidance, then verify effectiveness.
The AI RMF Playbook
The Playbook is a companion resource that turns each of the four functions into concrete suggested actions, references, and documentation practices. It is intentionally not a checklist — organizations pick the practices that fit their risk profile and maturity. The Playbook is the fastest way to move from framework text to real operational tasks in a risk register.
Profiles
Profiles apply the AI RMF to a specific use case, sector, or technology. The Generative AI Profile, published in July 2024, is the best-known example — it maps the four functions against risks that are specific to generative systems, such as confabulation, data leakage, content provenance, and downstream misuse. Organizations can also author internal Profiles for their own product lines.
When to use the AI RMF
- You are standing up an AI governance program and need a risk vocabulary to structure it around.
- You need a lifecycle model that engineering, product, legal, and risk teams can share.
- You are working toward ISO 42001 certification and want a risk-management engine that feeds the AIMS.
- You are responding to enterprise procurement questionnaires that reference the AI RMF by name.
- You are building or deploying generative AI and want to apply the Generative AI Profile.
How the AI RMF maps to ISO 42001
ISO 42001 is a certifiable management system standard. The NIST AI RMF is a voluntary risk-management framework. They line up cleanly — teams that already run an AI RMF program have most of the raw material an ISO 42001 audit needs.
| NIST AI RMF function | ISO 42001 clauses / Annex A |
|---|---|
| Govern | Clause 5 Leadership, Clause 6 Planning, Annex A policies and internal organization |
| Map | Clause 4 Context, Annex A impact assessment, AI system lifecycle, data for AI |
| Measure | Clause 9 Performance evaluation, Annex A information for interested parties |
| Manage | Clause 8 Operation, Clause 10 Improvement, Annex A use of AI systems and third-party relationships |
How Zilonex Govern covers the AI RMF
Zilonex Govern models each of the four functions as first-class objects. Every AI system in the inventory gets a Map record with stakeholders and impact context, a Measure record with metrics and monitoring hooks, and a Manage record with controls and treatments. The Govern function is expressed in policies, roles, and review cadences that sit above every system. When you also target ISO 42001 or the EU AI Act, the same underlying evidence rolls up to the corresponding clauses and obligations without duplicate work.
Frequently asked questions
What is the NIST AI Risk Management Framework?
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework that helps organizations identify, assess, and manage risks associated with artificial intelligence systems throughout their lifecycle. It centers on four core functions: Govern, Map, Measure, and Manage.
When was the NIST AI RMF released?
AI RMF 1.0 was released in January 2023, following an open, multi-stakeholder development process. A companion Generative AI Profile was later released in July 2024 to address risks specific to generative AI systems.
Is the NIST AI RMF mandatory?
No. The AI RMF is a voluntary, non-prescriptive framework designed to be flexible across sectors and use cases. However, procurement processes, insurers, and standards bodies increasingly reference it, and it is commonly used as an evidence baseline alongside ISO 42001.
What are the four core functions of the AI RMF?
Govern establishes the culture, policies, and accountability structures for AI risk management. Map builds context around the AI system, its purpose, stakeholders, and potential impacts. Measure applies quantitative and qualitative techniques to analyze and track risk. Manage prioritizes and treats identified risks with appropriate responses.
What is the AI RMF Playbook?
The AI RMF Playbook is a companion resource that suggests concrete actions, references, and documentation practices for each of the four core functions. It is not a checklist but a menu of practices organizations can adapt to their context.
What are AI RMF Profiles?
Profiles are use-case or sector-specific implementations of the framework. They tailor the four functions to a domain — for example, the Generative AI Profile addresses model release, content provenance, and misuse risks that are specific to generative systems.
How does the NIST AI RMF map to ISO 42001?
The NIST AI RMF and ISO 42001 are complementary. The AI RMF provides a risk-focused operating model with four functions, while ISO 42001 provides a certifiable management system with 10 clauses and Annex A controls. Govern maps to Leadership and Planning; Map maps to Context and Impact Assessment; Measure maps to Performance Evaluation; Manage maps to Operation and Improvement.
Should we adopt AI RMF or ISO 42001?
Most organizations adopt both. AI RMF gives you the risk vocabulary and operating rhythm to run the program day to day. ISO 42001 gives you the certifiable management system that procurement and regulators can verify. The frameworks reinforce each other rather than compete.
Run your AI RMF program in Zilonex Govern
Govern, Map, Measure, and Manage — modeled as objects, tied to evidence, and ready to roll up to ISO 42001 and the EU AI Act.
Start Zilonex Govern free for 14 days