NIST AI Risk Management Framework: A 2026 Implementation Guide

The NIST AI Risk Management Framework (AI RMF 1.0) is the de facto baseline US standard for managing AI risk. It is voluntary, non-prescriptive, and structured around four functions (Govern, Map, Measure, Manage) plus a Generative AI Profile that the FY2024 update added. This guide explains the framework, the post-1.0 additions, and a practical adoption path for mid-market organizations.

Published by BlueRadius Cyber | June 2026 | Citations to NIST primary publications

Executive Summary

The National Institute of Standards and Technology released AI Risk Management Framework 1.0 (NIST AI 100-1) on January 26, 2023.[1] The framework is voluntary, applies to any organization designing, developing, deploying, or using AI systems, and is structured around four core functions: Govern, Map, Measure, and Manage.[1] In July 2024, NIST published the Generative AI Profile (NIST AI 600-1), which extends the framework to cover the risks specific to generative AI systems including foundation models, retrieval-augmented generation, and AI agents.[2] In April 2026, NIST issued a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, signaling expansion into sector-specific guidance for operators of critical-infrastructure systems.[3]

For mid-market organizations facing customer security questionnaires, board AI risk inquiries, or compliance overlays from the EU AI Act, NIST AI RMF is the framework you map your program against. This guide walks through the four functions, the seven trustworthy-AI characteristics that ground the framework, the Generative AI Profile, the crosswalks to ISO/IEC 42001 and the EU AI Act, and the adoption path most mid-market security programs follow.

Key Findings

• AI RMF 1.0 (NIST AI 100-1) is the current version. It was released January 26, 2023 and remains the active framework as of mid-2026.[1]
• Four core functions structure the framework: Govern, Map, Measure, Manage. Govern is treated as cross-cutting and informs the other three.[1]
• Seven trustworthy-AI characteristics ground the framework: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, fair with harmful bias managed.[1]
• Generative AI Profile (NIST AI 600-1, July 2024) adds 12 risk categories specific to generative AI, including confabulation, dangerous or violent recommendations, data privacy degradation, environmental impacts, harmful bias, human-AI configuration, information integrity, information security, intellectual property, obscene degrading or abusive content, value-chain and component integration, and CBRN information or capabilities.[2]
• Critical Infrastructure profile (concept note, April 2026) targets operators of energy, water, transportation, communications, and other lifeline sectors. Final profile is expected to extend RMF guidance with sector-specific risk scenarios and control recommendations.[3]
• Voluntary, not regulatory. NIST AI RMF has no direct enforcement mechanism, but is referenced in federal procurement, the White House Executive Order on AI (October 2023), and state-level AI laws including Colorado's SB24-205 and several others.[1][4]

Bottom line: NIST AI RMF is the lowest-friction, most-cited US framework for AI risk management. Most mid-market organizations should adopt the four-function structure as the spine of their AI governance program and use the Generative AI Profile for any AI feature that involves a generative model.

What NIST AI RMF Is and Is Not

NIST AI RMF 1.0 is a voluntary framework for managing risks across the AI lifecycle. It is not a standard, not a certification, not a regulation, and not a control set. It is a structured way to think about and document AI risk that aligns with how organizations already structure cybersecurity risk management (the framework's design intentionally mirrors the NIST Cybersecurity Framework).[1]

The framework applies across the AI lifecycle from problem framing through retirement, and across roles from AI actor (the data scientists building the system) to AI user (the workforce deploying it) to AI affected (the customers, employees, or public exposed to it). NIST publishes the framework alongside three companion resources:

• AI RMF Playbook: implementation guidance keyed to each function with concrete action suggestions.[1]
• AI RMF Roadmap: NIST's published development trajectory, identifying gaps and planned future profiles.[1]
• AI RMF Crosswalk: explicit mappings between AI RMF and other frameworks, including ISO/IEC 23894, ISO/IEC 42001, the OECD AI Principles, and the EU AI Act risk classifications.[1]

The NIST Trustworthy and Responsible AI Resource Center launched March 30, 2023 and consolidates implementation tooling, case studies, and ongoing community input.[1] Translations of AI RMF 1.0 are available in Arabic and Japanese, indicating the framework's global reach.[1]

The Four Core Functions

AI RMF 1.0 organizes AI risk management around four functions. The first, Govern, is cross-cutting and informs the others. Map, Measure, and Manage operate in a continuous cycle.

1. Govern

The Govern function establishes the policies, processes, accountability structures, and culture that make AI risk management possible across the organization. Govern is treated as cross-cutting because the other three functions cannot operate effectively without governance scaffolding in place.[1]

Concrete outcomes of a mature Govern function include: documented AI risk management policies aligned to organizational risk tolerance, defined roles and decision rights for AI development and deployment, formal AI inventory and disclosure processes, supply-chain risk management practices for third-party AI components, incident response procedures specific to AI failures, and ongoing workforce training. Mid-market organizations typically scope these under an existing security or risk function rather than creating a separate AI governance team.

Govern aligns closely with the kinds of policies and accountability work covered in our AI governance checklist for mid-market companies.

2. Map

The Map function establishes context. Before you can measure or manage AI risk, you need to understand what AI systems exist in your environment, what they do, who is affected by them, and what could go wrong. Mapping is where most mid-market organizations start because most are surprised by how much AI is already running in their environment.

Outcomes include: AI system inventory with classification by risk level, documented use cases and intended behavior, identification of stakeholders and impacted populations, mapping of data flows into and out of AI systems, and explicit articulation of categories of harm the system could produce. The Map function is also where you decide which AI systems require formal RMF treatment and which are low-risk enough to handle under general IT governance.

The output of Map should be a living document, not a one-time exercise. AI systems change rapidly, especially generative AI systems whose underlying models, retrieval sources, and connected tools shift between deployments. For the workforce-driven layer of mapping (consumer AI tools entering the environment outside IT's view), see our shadow AI security risk guide.

3. Measure

The Measure function develops the metrics, methods, and evaluation processes that quantify AI risk. This is the hardest function for most organizations because AI risk often resists conventional measurement. A model's tendency to confabulate, or to behave differently on out-of-distribution inputs, or to degrade in production over time, does not map cleanly to traditional security metrics.

Practical outcomes include: documented evaluation criteria for each AI system before deployment, ongoing performance monitoring against those criteria, bias and fairness testing where applicable, robustness testing against adversarial inputs, red-team exercises for generative AI systems, and explicit measurement of the trustworthy-AI characteristics (validity, safety, security, accountability, explainability, privacy, fairness) most relevant to each use case.

For generative AI specifically, the Generative AI Profile expands the Measure function with risk-category-specific evaluation guidance. The most common operational measurements for mid-market organizations are output evaluation pipelines (sampling and reviewing model outputs for harmful patterns), evaluation against held-out test sets, and prompt-injection resistance testing for any AI feature exposed to user input.

4. Manage

The Manage function executes the risk responses chosen based on Map and Measure outputs. The framework explicitly recognizes the standard risk-response options: accept, mitigate, transfer, or avoid. Manage operationalizes those decisions and tracks their effectiveness over time.

Outcomes include: prioritized risk-treatment plans with assigned owners, deployed mitigations (technical controls, process changes, training, policy enforcement), incident response procedures when AI systems fail or are exploited, decommissioning processes for AI systems that no longer meet risk tolerance, and ongoing communication of AI risk posture to leadership, board, and external stakeholders. Many mid-market organizations integrate Manage with existing third-party risk management programs, treating AI vendor relationships under an enhanced vendor risk process. Our AI vendor risk assessment guide covers the CISO-level questions to ask AI vendors during procurement and ongoing review.

The Seven Trustworthy AI Characteristics

NIST AI RMF grounds the four functions in seven characteristics that together define trustworthy AI. The characteristics are not independent. An AI system can trade off among them, and the trade-offs are often value judgments rather than purely technical decisions.[1]

1. Valid and reliable. The system produces accurate outputs consistent with its stated purpose and continues to perform under expected operating conditions.
2. Safe. The system does not lead to harm to human life, health, property, or environment under reasonable operating conditions.
3. Secure and resilient. The system maintains confidentiality, integrity, and availability under adversarial conditions and recovers from disruptions.
4. Accountable and transparent. The organization can explain why the system was built, who is responsible for its behavior, and how decisions are made.
5. Explainable and interpretable. Stakeholders can understand the reasoning behind specific outputs at a level appropriate to their role.
6. Privacy-enhanced. The system respects individual privacy expectations and applicable privacy law.
7. Fair with harmful bias managed. The system does not produce discriminatory outcomes against protected groups or other inappropriate disparate impacts.

For each AI system in your inventory, the practical Map output is an explicit articulation of which characteristics are load-bearing for that system, what success looks like on each, and what measurement approach you will use to assess it. A healthcare diagnostic AI weights safety, fairness, and explainability heavily. A customer-service chatbot weights validity, reliability, and information security. The framework does not prescribe weights; it forces you to make them explicit.

The Generative AI Profile (NIST AI 600-1)

NIST released the AI RMF Generative AI Profile on July 26, 2024 as publication NIST AI 600-1.[2] The profile is the most operationally important AI RMF artifact for organizations deploying foundation models, RAG architectures, or AI agents. It identifies 12 generative-AI risk categories, each mapped to suggested actions across the four core functions.

The 12 GAI risk categories are:[2]

1. CBRN information or capabilities (chemical, biological, radiological, nuclear information accessibility lowered by generative AI)
2. Confabulation (the model generating plausible but factually incorrect output)
3. Dangerous, violent, or hateful content
4. Data privacy (training-data exposure, memorization, and inference attacks)
5. Environmental impacts (compute and energy demands)
6. Harmful bias and homogenization
7. Human-AI configuration (the way users interact with and rely on AI output)
8. Information integrity (synthetic media, disinformation, content authenticity)
9. Information security (the AI system's own attack surface, including prompt injection and model extraction)
10. Intellectual property (training data IP exposure, output IP risk)
11. Obscene, degrading, or abusive content
12. Value chain and component integration (third-party model and data risk)

For mid-market organizations, the Generative AI Profile is the answer to two specific questions: "what AI-specific risks should we be tracking" and "what actions does each risk imply across our governance program." The profile is also the framework most customer security questionnaires and audit assessments will reference when asking about your generative-AI security posture. Information security in particular maps closely to the operational threats covered in our AI Cybersecurity Incident Report 2026, including prompt injection, model extraction, and the EchoLeak vulnerability pattern.

The Critical Infrastructure Profile (April 2026)

On April 7, 2026, NIST issued a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure.[3] The profile is in development and is intended to guide operators of critical infrastructure sectors (energy, water, transportation, communications, financial services, healthcare, defense industrial base, and others) in adopting AI RMF practices appropriate to lifeline-system risk levels.

For organizations in critical-infrastructure sectors, the profile is worth tracking as it develops. It is expected to include sector-specific risk scenarios, recommended controls aligned to existing sector-specific frameworks (NIST SP 800-82 for OT, NERC CIP for power, TSA pipeline security directives, and others), and guidance on integrating AI risk management with operational technology and industrial control system security programs. Organizations in regulated critical-infrastructure sectors typically benefit from layering the AI RMF onto an existing regulatory compliance program rather than running parallel structures.

Crosswalks: ISO/IEC 42001 and the EU AI Act

The most important external frameworks to align with NIST AI RMF are ISO/IEC 42001 and the EU AI Act. NIST publishes formal crosswalks for both, which significantly reduces the burden of running multiple AI governance programs in parallel.[1]

ISO/IEC 42001:2023

ISO/IEC 42001 is the international management-system standard for AI, published in December 2023.[5] It uses the same management-system structure as ISO/IEC 27001 (information security) and ISO/IEC 9001 (quality), making it familiar to organizations with existing certified management systems. Where NIST AI RMF is a framework (a structured way to think about risk), ISO/IEC 42001 is a certifiable management system (a documented set of policies and processes against which an organization can be audited).

Practically, mid-market organizations often adopt NIST AI RMF as their internal operating framework and pursue ISO/IEC 42001 certification only if customer or regulatory pressure requires the third-party assurance. The two are highly compatible: an organization mature in AI RMF will find ISO/IEC 42001 certification largely a matter of documentation and audit, not new program work.

EU AI Act

The EU AI Act entered into force August 1, 2024, with most obligations applying from August 2, 2026 and high-risk-system obligations phased through 2027.[6] The Act classifies AI systems into risk tiers (prohibited, high-risk, limited-risk, minimal-risk) and imposes specific obligations on providers and deployers of systems in the higher-risk tiers.

NIST AI RMF maps to EU AI Act obligations primarily through the Govern, Map, and Measure functions. An organization with a mature RMF program will have most of the documentation, risk assessment, and ongoing monitoring practices the EU AI Act requires for high-risk systems. The two frameworks are not redundant (the EU AI Act has specific obligations RMF does not cover, including post-market monitoring registration and CE marking for high-risk systems), but RMF is the operational spine that makes EU AI Act compliance tractable. For deeper coverage of the EU AI Act's extraterritorial reach into US-based companies, see our guide to EU AI Act compliance for US companies.

A Practical Adoption Path for Mid-Market

Most mid-market organizations approach NIST AI RMF for the first time when a customer security questionnaire, a board inquiry, or a regulatory overlay forces the question. The practical adoption path that works in the 90-to-180-day window is structured around four phases.

Phase 1: AI Inventory (Weeks 1-4)

Execute the Map function for known and unknown AI systems. Known AI includes any AI feature your engineering team has shipped, any AI tool your security or analytics team has deployed, and any third-party SaaS feature that uses generative AI under the hood (most modern SaaS now does). Unknown AI is workforce-driven: ChatGPT, Claude, Copilot, and similar tools that employees adopt outside IT's view. The output of Phase 1 is a documented inventory with risk classifications, intended use, data flows, and stakeholders.

Phase 2: Govern Scaffolding (Weeks 4-8)

Stand up the policy and accountability layer. This typically includes: an AI acceptable use policy that addresses workforce use of consumer tools, an AI development policy that addresses engineering teams shipping AI features, a third-party AI vendor risk process, defined roles for AI risk decisions (often anchored to the CISO with input from legal and product), and AI incident response procedures integrated with existing security incident response. Governance work in this phase is largely document-heavy and benefits from leveraging existing security policy structure rather than creating parallel artifacts.

Phase 3: Risk Treatment (Weeks 8-16)

Execute the Manage function on the highest-priority systems identified in Phase 1. For each system, decide a risk response (accept, mitigate, transfer, avoid), deploy the technical and process controls implied by mitigation decisions, and document residual risk for executive acceptance. Generative AI systems will typically need: prompt-injection mitigation, output evaluation pipelines, data classification rules for what can and cannot be processed by external models, and red-team exercises proportional to deployment risk.

Phase 4: Measure and Iterate (Ongoing)

Stand up the ongoing measurement program. The Measure function is where most programs underperform because it requires sustained engineering investment. Practical first measurements include: AI inventory drift (new AI systems added, decommissioned, or materially changed), generative-AI output evaluation samples reviewed per period, AI incident counts and severities, and policy compliance for workforce AI use. Measurement program maturity should grow with overall program maturity.

Organizations without internal AI governance capability typically engage a virtual CISO to drive Phases 1 through 3 and stay on as the AI governance lead during ongoing Phase 4 operation. The vCISO model fits NIST AI RMF adoption well because the framework is non-prescriptive: experienced security leadership is the primary input that turns the framework into a working program.

Frequently Asked Questions

What is the current version of NIST AI RMF?

The current version is AI RMF 1.0, published as NIST AI 100-1 on January 26, 2023. The Generative AI Profile (NIST AI 600-1) was added July 26, 2024 and extends the framework to generative AI systems. A Critical Infrastructure profile is in development as of April 2026.[1][2][3]

Is NIST AI RMF mandatory?

No. NIST AI RMF is voluntary. It is referenced in the October 2023 White House Executive Order on AI, in federal procurement, and in several state AI laws including Colorado SB24-205, but the framework itself has no enforcement mechanism. Most organizations adopt it for customer assurance, audit defensibility, or as the operational spine that makes EU AI Act compliance tractable.[1][4][6]

What are the four functions of NIST AI RMF?

Govern, Map, Measure, and Manage. Govern is cross-cutting and informs the other three. Map establishes context (AI inventory, stakeholders, harms). Measure develops metrics and evaluation. Manage executes risk responses (accept, mitigate, transfer, avoid). The four functions operate in a continuous cycle rather than a linear sequence.[1]

What is the Generative AI Profile?

NIST AI 600-1, released July 26, 2024, is the AI RMF Generative AI Profile. It identifies 12 generative-AI-specific risk categories (confabulation, prompt injection, data privacy degradation, intellectual property, value-chain risk, and others) and maps each to suggested actions across the four AI RMF functions. It is the most operationally important AI RMF artifact for organizations deploying foundation models, RAG, or AI agents.[2]

How does NIST AI RMF relate to ISO/IEC 42001?

NIST AI RMF is a voluntary framework. ISO/IEC 42001 is a certifiable management-system standard. The two are compatible: an organization mature in AI RMF will find ISO/IEC 42001 certification largely a documentation and audit exercise rather than new program work. NIST publishes a formal crosswalk between the two.[1][5]

How does NIST AI RMF relate to the EU AI Act?

NIST AI RMF is the operational spine that makes EU AI Act compliance tractable for US-based companies subject to the Act's extraterritorial reach. RMF covers most of the documentation, risk assessment, and ongoing monitoring practices the EU AI Act requires for high-risk systems. NIST publishes a formal crosswalk between RMF and EU AI Act risk classifications. See our EU AI Act compliance guide for US companies for the regulatory side.[1][6]

How long does NIST AI RMF adoption take?

Most mid-market organizations work to a 90-to-180-day adoption window. Phase 1 (AI inventory) takes 2-4 weeks. Phase 2 (Govern scaffolding) takes 4 weeks. Phase 3 (risk treatment on highest-priority systems) takes 8-12 weeks. Phase 4 (ongoing measurement and iteration) is continuous. Organizations without internal AI governance capability typically engage a virtual CISO to drive the first three phases.

Where does AI security fit in NIST AI RMF?

Information security is one of the 12 risk categories in the Generative AI Profile and is addressed across the Govern, Map, Measure, and Manage functions. Practically, AI security work includes: prompt-injection mitigation, model-extraction defense, data-poisoning resistance, supply-chain security for third-party models, and AI-specific incident response. For the threat landscape that AI security programs should be designed against, see our AI Cybersecurity Incident Report 2026 and our shadow AI security guide.[2]

Sources

1. National Institute of Standards and Technology, "Artificial Intelligence Risk Management Framework (AI RMF 1.0)," NIST AI 100-1, January 26, 2023. nvlpubs.nist.gov. Resource Center: airc.nist.gov.
2. National Institute of Standards and Technology, "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile," NIST AI 600-1, July 26, 2024. nvlpubs.nist.gov.
3. National Institute of Standards and Technology, "Concept Note: AI RMF Profile on Trustworthy AI in Critical Infrastructure," April 7, 2026. nist.gov.
4. The White House, "Executive Order on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence," October 30, 2023. whitehouse.gov.
5. International Organization for Standardization, "ISO/IEC 42001:2023 Information technology, Artificial intelligence, Management system," published December 2023. iso.org.
6. European Union, "Regulation (EU) 2024/1689 (Artificial Intelligence Act)," Official Journal of the European Union, July 12, 2024. Entry into force August 1, 2024, phased application through 2027. eur-lex.europa.eu.

All framework descriptions, version numbers, and dates in this guide are drawn from NIST primary publications and the official journal entries of the EU AI Act and ISO/IEC 42001. This guide reflects the state of NIST AI RMF and its companion publications as of June 2026.