
NIST AI Risk Management Framework (AI RMF)

The NIST AI RMF (version 1.0, published January 2023) is a voluntary framework from the US National Institute of Standards and Technology for managing AI risk across a system's lifecycle. Its core is four functions that are not meant to be worked as a sequence: Govern (policy, roles, accountability; cross-cutting, and meant to inform the other three), Map (context, intended use, where harm could land), Measure (test, evaluate, monitor), and Manage (prioritise, treat, respond). Each function breaks down into numbered categories and subcategories, which is what organisations map their controls to. The framework is technology-neutral and written as practices rather than as a checklist; NIST publishes companion profiles, such as the 2024 Generative AI Profile (NIST AI 600-1), that tailor it to specific technologies.
Reviewed by 7wData

Why it matters

The AI RMF is the de facto floor that most US enterprise AI risk programs build against. It is voluntary in law, but it is the framework US federal guidance points agencies to, the one most vendor-risk questionnaires now reference, and the one auditors reach for when they need a common vocabulary across firms. The EU AI Act tells you what you must do; the AI RMF describes how a risk function would actually do it. That is why the two get cited side by side in most serious AI policy documents, even outside the US.

Where you’ll encounter it

You will run into the AI RMF in three places. First, in vendor risk assessments: procurement teams ask suppliers to map their controls to the Govern / Map / Measure / Manage functions (ideally down to the numbered subcategories), and a supplier that can do that on a single page saves everyone time. Second, in internal AI policy documents: the four-function spine is the most common organising structure for recently written AI governance policies. Third, in audit conversations: when an auditor asks "how do you know this model is fit for purpose," the cleanest answer points at the Measure function with specific evidence, such as evaluation results against defined acceptance criteria, red-team findings, and production monitoring for drift and misuse, rather than a statement that testing was done. The common pitfall is adopting the AI RMF as a binder (print it, sign it, file it) instead of picking the specific practices that fit the actual risk surface; the framework is designed to be tailored, not transcribed.


Part of the 7wData AI Glossary. Tracking how concepts like this move in the expert conversation: daily signals at ins7ghts.com.