Reference framework · voluntary · United States

The NIST AI RMF, explained without jargon.

The American AI risk management framework comes down to four verbs. Here is what they require, and what they change in your day-to-day work.

The essentials

The NIST AI Risk Management Framework is published by the National Institute of Standards and Technology, the American standards agency. Version 1.0 dates from January 2023, and a profile dedicated to generative AI was added in 2024.

It is a voluntary framework: no law requires it of you. That is precisely what makes it a good starting point. It gives you the vocabulary and the method to manage AI risk before a client, insurer, or regulator asks you for them.

Its core comes down to four functions. Everything else, categories, subcategories, and profiles, serves to make them concrete for your context.

Who

NIST, the American standards agency. Adopted well beyond the United States as the common language of AI risk.

Status

Voluntary. No fines, no mandatory audit. A reference that clients and partners recognize.

For whom

Any organization that designs, buys, or uses AI, from a small business to a large enterprise.

Four functions, four questions

Each function answers a question your organization should be able to ask itself without preparation.

Govern

Who decides, and by what rules?

The cross-cutting function. Usage policy, named roles, risk culture: without it, the other three remain isolated gestures.

Map

Where is AI being used, and what context surrounds it?

The inventory of systems, uses, data, and people affected. You cannot manage a risk you have not located.

Measure

Is the AI doing its job well, and how do you know?

Indicators, tests, and monitoring of the seven characteristics of trustworthy AI: reliable, safe, secure, accountable, explainable, privacy-respecting, and fair.

Manage

What do you do when something goes wrong?

Prioritize mapped and measured risks, act, document, and reassess. The loop that turns the framework into living practice.

In the AI id framework, the NIST AI RMF weighs on all six properties, particularly Governed, Supervised, and Accountable.

How identifiable gets you ready

The framework is free; applying it takes method. identifiable offers a complete program around the NIST AI RMF: training, advisory support, and attestation.

Training: NIST AI RMF literacy for your teams and your leadership
Advisory: Consulting support to close the gaps, practice by practice
Attestation: Evaluation against the AI id framework and a trajectory toward the standard

Three questions that keep coming up

Is the NIST AI RMF mandatory in Canada?

No. It is a voluntary framework, even in the United States. But it is becoming the reference that major clients and insurers are asking for. Aligning early costs less than aligning under pressure.

Where do you start, practically?

With the Map function: an inventory of your AI uses. That is exactly what the Flash Diagnostic and the AI Index help you do in a few minutes.

How does it relate to ISO 42001?

The NIST AI RMF says what to watch; ISO/IEC 42001 structures the management system that keeps it alive. Both converge in the AI id framework.

Want to know where you stand against the NIST AI RMF?

The diagnostic measures your six properties against the four frameworks, including the NIST AI RMF. Twelve questions are enough for a first read.