← Back to reports library

Source extracts — NIST AI Risk Management Framework 1.0 (January 2023)

The AI RMF’s Govern function instructs organizations to cultivate a culture of AI risk management, assign senior leadership accountability, and integrate AI-specific policies into enterprise risk programs so oversight, resourcing, and workforce training…

AI Program · Published January 26, 2023 · Coverage focus 2023 · Updated November 14, 2025

  • The AI RMF’s Govern function instructs organizations to cultivate a culture of AI risk management, assign senior leadership accountability, and integrate AI-specific policies into enterprise risk programs so oversight, resourcing, and workforce training stay aligned throughout the system lifecycle. Governance leads should document charters, escalation paths, and change-control checkpoints that tie AI risk posture to board and risk committee reporting cadences.
  • Govern also emphasizes documenting AI system inventories, risk ownership, and third-party dependencies while integrating impact assessments and human-centered design practices into procurement and acquisition controls. Risk officers need to ensure continuous monitoring signals, audit trails, and incident learning feed back into policy updates and workforce incentives to reinforce responsible behavior.
  • The Map function requires teams to document intended purposes, contexts of use, impacted stakeholders, and underlying assumptions before developing or deploying an AI system. Product and policy partners should maintain traceable records of allowed and prohibited uses, legal and domain constraints, and dependencies on data sources or third-party services so suitability decisions remain evidence-backed.
  • Map further directs practitioners to capture socio-technical risk factors, including potential harms, affected communities, and mitigation obligations in high-risk settings such as employment, credit, healthcare, and critical infrastructure. Documentation must cover data lineage, annotations, model cards, and system boundaries so downstream users can trace obligations and align with sectoral laws and standards.
  • The Measure function emphasizes using quantitative and qualitative methods to evaluate trustworthiness characteristics such as safety, security, resiliency, accuracy, explainability, privacy, and bias. Evaluation leads need recurring test plans that log datasets, tooling, uncertainty ranges, and validation limitations while mapping measurements to risk tolerance statements.
  • Measure guidance also calls for multi-stage evaluations that combine pre-deployment testing, ongoing monitoring, and red-teaming to verify resilience against adversarial attacks, distribution shifts, and misuse scenarios. Measurement owners should align statistical thresholds, human factors testing, and uncertainty quantification with clearly documented acceptance criteria, escalation triggers, and independent review checkpoints.
  • The Manage function directs organizations to implement continuous risk response, incident handling, and lifecycle management practices, including documenting residual risk, communicating status changes to stakeholders, and triggering rollback or retirement when controls cannot keep trust characteristics within tolerances. Operations teams should maintain integrated runbooks that synchronize AI incident response, change management, and model monitoring workflows.
  • Manage additionally instructs teams to execute coordinated incident response exercises, ensure post-incident analyses capture root causes and remediation plans, and update AI inventories when systems are retired or replaced. Leadership must confirm stakeholder communication protocols, regulatory notifications, and user recourse mechanisms are tested, localized, and accessible across jurisdictions.

Source extracts — NIST AI RMF Roadmap (January 2023)

  • The roadmap prioritizes advancing measurement science for AI trustworthiness, calling for standardized metrics, benchmarks, and testbeds that capture socio-technical harms in addition to model performance. Research and data science teams should participate in community evaluations and contribute domain datasets to close identified measurement gaps.
  • NIST highlights joint work with international partners and U.S. agencies to co-develop shared taxonomies, metrology labs, and conformity assessment approaches. Organizations should monitor emerging benchmark collaborations, such as safety incident repositories and human factors test suites, to maintain interoperability across jurisdictions.
  • It highlights the need for profile development across sectors so organizations can tailor the AI RMF to domain-specific risks while preserving a common vocabulary. Industry leads should coordinate with sector coordinating councils and standards bodies to draft profiles that align regulatory requirements, assurance evidence, and procurement criteria.
  • The roadmap tasks NIST with expanding guidance on AI system lifecycle management, including documentation templates, human factors integration, and supply chain assurance. Program managers should track forthcoming NIST publications and pilot projects to update internal playbooks for vendor risk reviews, secure software development practices, and post-deployment monitoring.
  • Roadmap actions also include developing companion resources such as playbooks, education modules, and evaluation corpora so AI practitioners, regulators, and procurement officials can operationalize the framework. Training and compliance leaders should pre-stage curriculum updates and assess alignment with internal control libraries once NIST releases these materials.