NIST AI Risk Management Framework (AI RMF 1.0) Explained

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework, released in January 2023, that helps organizations manage the risks of artificial intelligence systems. It is built around four core functions — Govern, Map, Measure, and Manage — supported by a Playbook of practical actions and use-case Profiles.

Publication and status

AI RMF 1.0 was published in January 2023 as a voluntary, non-prescriptive framework. It was designed to be sector-agnostic and adaptable, so a hospital system, a bank, and a software vendor can all use the same four functions while tailoring the underlying practices to their context. A Generative AI Profile followed in July 2024, extending the framework to cover model release, content provenance, and misuse risks.

The four core functions

The AI RMF Playbook

The Playbook is a companion resource that turns each of the four functions into concrete suggested actions, references, and documentation practices. It is intentionally not a checklist — organizations pick the practices that fit their risk profile and maturity. The Playbook is the fastest way to move from framework text to real operational tasks in a risk register.

Profiles

Profiles apply the AI RMF to a specific use case, sector, or technology. The Generative AI Profile, published in July 2024, is the best-known example — it maps the four functions against risks that are specific to generative systems, such as confabulation, data leakage, content provenance, and downstream misuse. Organizations can also author internal Profiles for their own product lines.

When to use the AI RMF

How the AI RMF maps to ISO 42001

ISO 42001 is a certifiable management system standard. The NIST AI RMF is a voluntary risk-management framework. They line up cleanly — teams that already run an AI RMF program have most of the raw material an ISO 42001 audit needs.

NIST AI RMF functionISO 42001 clauses / Annex A
GovernClause 5 Leadership, Clause 6 Planning, Annex A policies and internal organization
MapClause 4 Context, Annex A impact assessment, AI system lifecycle, data for AI
MeasureClause 9 Performance evaluation, Annex A information for interested parties
ManageClause 8 Operation, Clause 10 Improvement, Annex A use of AI systems and third-party relationships

How Zilonex Govern covers the AI RMF

Zilonex Govern models each of the four functions as first-class objects. Every AI system in the inventory gets a Map record with stakeholders and impact context, a Measure record with metrics and monitoring hooks, and a Manage record with controls and treatments. The Govern function is expressed in policies, roles, and review cadences that sit above every system. When you also target ISO 42001 or the EU AI Act, the same underlying evidence rolls up to the corresponding clauses and obligations without duplicate work.

Frequently asked questions

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework that helps organizations identify, assess, and manage risks associated with artificial intelligence systems throughout their lifecycle. It centers on four core functions: Govern, Map, Measure, and Manage.

When was the NIST AI RMF released?

AI RMF 1.0 was released in January 2023, following an open, multi-stakeholder development process. A companion Generative AI Profile was later released in July 2024 to address risks specific to generative AI systems.

Is the NIST AI RMF mandatory?

No. The AI RMF is a voluntary, non-prescriptive framework designed to be flexible across sectors and use cases. However, procurement processes, insurers, and standards bodies increasingly reference it, and it is commonly used as an evidence baseline alongside ISO 42001.

What are the four core functions of the AI RMF?

Govern establishes the culture, policies, and accountability structures for AI risk management. Map builds context around the AI system, its purpose, stakeholders, and potential impacts. Measure applies quantitative and qualitative techniques to analyze and track risk. Manage prioritizes and treats identified risks with appropriate responses.

What is the AI RMF Playbook?

The AI RMF Playbook is a companion resource that suggests concrete actions, references, and documentation practices for each of the four core functions. It is not a checklist but a menu of practices organizations can adapt to their context.

What are AI RMF Profiles?

Profiles are use-case or sector-specific implementations of the framework. They tailor the four functions to a domain — for example, the Generative AI Profile addresses model release, content provenance, and misuse risks that are specific to generative systems.

How does the NIST AI RMF map to ISO 42001?

The NIST AI RMF and ISO 42001 are complementary. The AI RMF provides a risk-focused operating model with four functions, while ISO 42001 provides a certifiable management system with 10 clauses and Annex A controls. Govern maps to Leadership and Planning; Map maps to Context and Impact Assessment; Measure maps to Performance Evaluation; Manage maps to Operation and Improvement.

Should we adopt AI RMF or ISO 42001?

Most organizations adopt both. AI RMF gives you the risk vocabulary and operating rhythm to run the program day to day. ISO 42001 gives you the certifiable management system that procurement and regulators can verify. The frameworks reinforce each other rather than compete.

Run your AI RMF program in Zilonex Govern

Govern, Map, Measure, and Manage — modeled as objects, tied to evidence, and ready to roll up to ISO 42001 and the EU AI Act.

Start Zilonex Govern free for 14 days