Agency

NIST (National Institute of Standards and Technology)

NIST is a U.S. federal agency inside the Department of Commerce. Its job is to develop measurement standards, reference data, and technology guidance for industry and government. It is non-regulatory: it writes documents, it does not write law. In AI, that distinction is the whole point. Most U.S.-anchored AI governance work in 2026 ends up referencing a NIST publication, even when no one in the room works for the U.S. government.
Reviewed by 7wData

Why it matters

NIST publications are non-regulatory, but they become the de facto baseline that regulators, auditors, and procurement teams reference. The one caveat: for U.S. federal systems and their suppliers they are effectively binding, because FISMA and OMB policy require agencies to follow FIPS and the SP 800 series, and FedRAMP and the DFARS clause that invokes SP 800-171 push the same controls onto contractors. The AI-relevant outputs you will run into most often are: the AI RMF (the AI Risk Management Framework, published as AI RMF 1.0 in January 2023 and organized around the Govern, Map, Measure, and Manage functions), the CSF (the Cybersecurity Framework, now at version 2.0, the security-program baseline most U.S. enterprises adopt), SP 800-53 (the catalogue of security and privacy controls federal systems map to, currently Revision 5), and SP 800-37 (the Risk Management Framework for information systems, which predates the AI RMF and shares the "RMF" name but is a different process: categorize the system, select and implement 800-53 controls, assess them, authorize the system to operate, and monitor it). Each is a separate document with its own audience and its own glossary entry.

Where you’ll encounter it

Three concrete places. A customer RFP asks whether you align with the NIST AI RMF. A vendor security questionnaire asks which NIST 800-53 controls you implement. An external auditor leans on a NIST CSF mapping to score your security posture. The practical pitfall is that teams say "we follow NIST" without specifying which publication, which is roughly as useful as saying "we follow ISO". Always pin the conversation to the specific document and version (AI RMF 1.0, CSF 2.0, SP 800-53 Rev. 5) and, for 800-53, to the baseline or overlay in scope, since a control mapping built against one revision or baseline does not carry over cleanly to another.


Part of the 7wData AI Glossary. Tracking how concepts like this move in the expert conversation: daily signals at ins7ghts.com.