NIST AI Risk Management Framework
The NIST AI Risk Management Framework provides a voluntary, flexible framework for managing risks associated with AI systems throughout their lifecycle. It is structured around four core functions: Govern, Map, Measure, and Manage.
Who Needs to Comply?
US federal agencies (mandated), and any organization worldwide that develops or deploys AI systems (voluntary adoption). Widely referenced by US state AI legislation and international standards bodies.
Key Dates & Timeline
Version 1.0 published January 2023. NIST AI RMF Playbook and Generative AI Profile released throughout 2023-2024. Crosswalk with EU AI Act published 2024.
Latest NIST AI RMF Updates
NIST updated guidelines for managing misuse risk for dual-use foundation models
NIST’s second public draft on dual-use foundation-model misuse risk closed for comments on March 15, 2025, making it an important adjacent reference for foundation-model governance even though it is not the AI RMF itself.
NIST AI RMF Generative AI Profile
NIST’s generative AI profile was updated on April 8, 2026, making it the current companion reference for organizations governing GenAI risk under the AI RMF.
NIST AI Risk Management Framework hub and critical infrastructure profile concept note
NIST’s AI RMF hub now highlights a new April 7, 2026 concept note for a trustworthy AI profile in critical infrastructure, indicating the framework’s next expansion area for high-consequence sectors.
FTC AI enforcement hub
The FTC’s AI hub consolidates current enforcement materials and investigations, signaling that deceptive AI claims, model substantiation, and AI-related process inquiries remain active priority areas.
Colorado SB 189 – Automated Decision-Making Technology
Colorado SB 189 was signed by the Governor on 2026-05-14, indicating the state has enacted a new automated decision-making framework that compliance teams need to map against existing AI controls.
FTC settles deceptive “active listening” AI marketing claims with Cox Media Group and two firms
On 2026-05-21, the FTC required Cox Media Group and two other firms to pay $930,000 to resolve allegations that they falsely claimed an AI-powered “active listening” service could target ads using consumers’ smart-device conversations and that consumers had opted in.
NIST ITL AI Program
NIST’s ITL AI Program page consolidates ongoing AI work and related resources, so compliance teams should treat it as an informational watchlist rather than a standalone requirement.
AI RMF development and lessons learned
NIST’s AI RMF development page confirms the framework’s release history and ongoing lessons-learned process, which is mainly relevant as background for monitoring future updates rather than as a new obligation.
Generative AI profile under the AI RMF
NIST’s generative AI profile, published on July 26, 2024, gives organizations a formal AI RMF extension for GenAI deployments, so teams using generative systems should map controls and residual risks to this profile now.
NIST AI RMF Playbook
NIST’s AI RMF Playbook remains an implementation companion to the AI RMF, so teams should use it to translate framework concepts into operational controls and governance workflows.
Frequently Asked Questions
What is the NIST AI RMF?
The NIST AI Risk Management Framework is a voluntary framework developed by the US National Institute of Standards and Technology for managing risks in AI systems. It provides a structured approach organized around four functions: Govern, Map, Measure, and Manage.
Is the NIST AI RMF mandatory?
For US federal agencies, adherence to NIST AI RMF is mandated by executive orders. For private sector organizations, it is voluntary but increasingly referenced in US state AI legislation and industry standards as a best-practice benchmark.
How does NIST AI RMF compare to ISO 42001?
NIST AI RMF is a risk management framework focused on AI-specific risks, while ISO 42001 is a management system standard. NIST AI RMF is more prescriptive about risk categories and measurement, while ISO 42001 is more focused on organizational processes. They are complementary — many organizations adopt both.