The NIST AI Risk Management Framework is becoming the common reference point for trustworthy AI in the United States. Adoption is voluntary, but regulators, auditors, and enterprise risk teams increasingly treat it as the baseline expectation.
If your organization is putting AI into production, this is the framework your examiners and your board will reference. This guide explains what it is, how it is structured, and the harder question most coverage skips: how you actually operationalize it once the AI is running.
The NIST AI Risk Management Framework (AI RMF 1.0) is guidance published by the U.S. National Institute of Standards and Technology in January 2023 to help organizations manage the risks of artificial intelligence. It is voluntary, sector-agnostic, and designed to be practical rather than prescriptive. Its goal is to help teams build and use AI that is trustworthy, and to give them a shared vocabulary for talking about AI risk across engineering, security, legal, and the business.
In July 2024, NIST added a Generative AI Profile (NIST AI 600-1) that applies the framework to risks specific to, or amplified by, generative AI, and by extension to the agentic systems built on top of generative models, which the profile does not address by name. That profile matters, because it is where the framework meets the reality of models that write code, call tools, and take actions.
The framework organizes AI risk work into four core functions.
Govern. Establish the culture, policies, roles, and accountability for AI risk across the organization. Govern is the function that runs through all the others.
Map. Establish the context. Identify where AI is used, what it is intended to do, and what could go wrong, including impacts on people and the business.
Measure. Assess, analyze, and track AI risks using quantitative and qualitative methods. This is where trustworthiness is tested, not assumed.
Manage. Act on the risks. Prioritize them, respond to them, and allocate resources to the ones that matter most, on an ongoing basis.
The framework also defines the characteristics of trustworthy AI that these functions work toward: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed.
The NIST AI RMF tells you what good AI risk management looks like. It deliberately does not tell you how to implement it in your stack; even the companion AI RMF Playbook stays at the level of suggested actions rather than implementation. That gap is where most programs stall. Govern, Map, Measure, and Manage all assume you can see what your AI is doing, capture evidence of it, and act on that evidence continuously. In practice, AI in production is a moving target: models change weekly, agents take actions across real systems, and the evidence needed to Measure and Manage is scattered or missing. A framework on paper does not close that gap. A system that produces the evidence as the work happens does.
Operationalizing the framework means turning its four functions into something that runs continuously, not a once-a-year documentation exercise. This is exactly what Reign, the iTmethods control and assurance layer, is built to do.
Govern, made enforceable. Policy is applied at the moment AI acts, through a control point you own, so governance is enforced rather than described.
Map, kept current. A live view of the models, agents, and tools in use, including the ones that appear without a ticket, so context stays accurate as the environment changes.
Measure, by construction. Every model call and agent action is captured as audit-grade evidence as it happens, so risk can be assessed against real behavior, not estimates.
Manage, continuously. Reign validates that AI behavior still aligns with the business objective, the policy intent, and the risk tolerance, and surfaces what needs attention, on an ongoing basis.
The result is that the evidence an auditor wants, and the proof the framework expects, are a byproduct of how your AI runs. See Reign regulatory alignment for how this maps to the frameworks your examiners reference, and the AI governance platform overview for the broader picture.
The NIST AI RMF is designed to be compatible with the other standards converging on trustworthy AI, including the EU AI Act and ISO/IEC 42001, and NIST publishes crosswalks mapping the framework to both. Because it is outcome-oriented rather than rule-by-rule, evidence organized around its four functions tends to travel well to those other regimes. That is a practical reason to adopt it as your internal backbone even if your binding obligations come from elsewhere.
See how Reign turns the NIST AI RMF from a document into a running system, with audit-grade evidence by construction.