
NIST AI RMF Explained: A Practical Implementation Guide

The NIST AI RMF, short for the National Institute of Standards and Technology AI Risk Management Framework, is a voluntary framework that helps organizations manage the risks of artificial intelligence across its full lifecycle. Released in 2023 and expanded since through companion profiles, it has become a common reference point for building trustworthy AI. This guide explains what the NIST AI RMF is, its four core functions, the characteristics of trustworthy AI it promotes, and how to put it into practice.

What the NIST AI RMF Is

NIST released version 1.0 of the AI Risk Management Framework in January 2023. It is voluntary, applies across industries and use cases, and is designed to help organizations capture the benefits of AI while managing its risks throughout the AI lifecycle.

NIST has not released a formal version 2.0. Instead, the framework has matured through profiles and companion resources that adapt it to specific technologies and sectors, which means organizations adopting it today work from the 1.0 core plus the profile most relevant to their use case.

The Four Core Functions of the NIST AI RMF

The framework is organized around four functions. The first runs through all the others, and the remaining three describe a continuous lifecycle.

  • Govern. The cross-cutting foundation. Govern establishes the culture, accountability, policies, and risk management practices that shape every other activity. It is the function that makes the other three work.
  • Map. Establish context. Map identifies the purpose of an AI system, its stakeholders, and the risks tied to how and where it will be used.
  • Measure. Assess and track. Measure uses quantitative and qualitative methods to analyze the risks identified in Map and monitor them over time.
  • Manage. Act on risk. Manage prioritizes risks, allocates resources, and puts response and recovery plans in place.

The Characteristics of Trustworthy AI

The framework defines what trustworthy AI looks like through a set of characteristics that the four functions work to achieve:

  • Valid and reliable
  • Safe
  • Secure and resilient
  • Accountable and transparent
  • Explainable and interpretable
  • Privacy-enhanced
  • Fair, with harmful bias managed

These characteristics give organizations a shared vocabulary for judging whether an AI system is fit to deploy.

Putting the NIST AI RMF into practice is where most organizations get stuck. Elevate Consult helps translate the framework into a working program.

NIST AI RMF Profiles and Recent Developments

Profiles adapt the framework to a specific technology, sector, or use case. In July 2024, NIST released the Generative AI Profile to address risks unique to generative AI. The framework has continued to expand since.

In December 2025, NIST published a preliminary draft of a Cybersecurity Framework Profile for AI. In April 2026, it released a concept note for a profile on trustworthy AI in critical infrastructure. NIST has also launched an initiative to develop voluntary guidelines for AI agents, with an agent-focused profile planned for late 2026. The direction is clear: the framework is becoming more operational and more sector-specific over time.

How to Implement the NIST AI RMF

The framework is descriptive rather than prescriptive, which gives organizations flexibility but can make starting difficult. A practical path follows the functions in order.

  1. Start with Govern. Assign accountability for AI risk and set the policies that will guide every system.
  2. Map your AI systems. Inventory the AI in use, including shadow AI, and identify each system’s context and risks.
  3. Measure the risks. Define metrics and methods to evaluate and track the risks you have mapped.
  4. Manage with proportional controls. Prioritize the highest risks and apply controls and response plans that match.
  5. Apply a relevant profile. Use the Generative AI Profile or another applicable profile to tailor the framework to your technology.
  6. Treat it as continuous. Revisit each function on a regular schedule as systems and guidance evolve.

NIST AI RMF and ISO 42001

The NIST AI RMF is often compared with ISO 42001. The NIST framework is voluntary guidance, while ISO 42001 is a certifiable AI management system standard an organization can be audited against. The two are complementary, and many organizations use the NIST framework to shape their approach while pursuing ISO 42001 certification to demonstrate it.

How Elevate Consult Helps Organizations Govern AI

Elevate Consult helps organizations operationalize the NIST AI Risk Management Framework, from the Govern function through mapping, measuring, and managing AI risk, and align it with ISO 42001 where certification is the goal. The aim is a program that is not only documented but demonstrably working.

Organizations adopting the NIST AI RMF can start with a scoping conversation.

Key Takeaways

  • The NIST AI RMF is a voluntary framework, released in 2023, for managing AI risk across the AI lifecycle.
  • It is organized around four functions: Govern, Map, Measure, and Manage, with Govern running through all of them.
  • It defines trustworthy AI through characteristics such as being valid, safe, secure, accountable, explainable, privacy-enhanced, and fair.
  • NIST has not released a version 2.0, but the framework has expanded through profiles, including a Generative AI Profile and newer sector-specific work.
  • Implementation starts with Govern and an inventory of AI systems, then moves through measuring and managing risk as a continuous process.

Frequently Asked Questions

What is the NIST AI RMF?

The NIST AI RMF is the National Institute of Standards and Technology AI Risk Management Framework, a voluntary framework released in 2023 that helps organizations manage the risks of artificial intelligence across its full lifecycle.

What are the four functions of the NIST AI RMF?

The four functions are Govern, Map, Measure, and Manage. Govern is the cross-cutting foundation that sets accountability and policy, while Map, Measure, and Manage describe a continuous cycle of identifying, assessing, and acting on AI risk.

Is the NIST AI RMF mandatory?

No. The NIST AI RMF is voluntary. However, it is increasingly referenced in contracts, procurement requirements, and regulatory guidance, which has made it a common expectation even though it is not legally required.

What is the difference between the NIST AI RMF and ISO 42001?

The NIST AI RMF is voluntary guidance for managing AI risk, while ISO 42001 is a certifiable AI management system standard an organization can be formally audited against. They are complementary, and many organizations use both.

Is there a NIST AI RMF 2.0?

NIST has not released a formal version 2.0. The framework remains based on the 2023 version 1.0 core, expanded through profiles and companion resources such as the Generative AI Profile and newer sector-specific guidance.