NIST AI Risk Management Framework
GOVERN, MAP, MEASURE, MANAGE on one operating record

NIST AI Risk Management Framework explained

The NIST AI Risk Management Framework (AI RMF 1.0) is the voluntary, sector-agnostic framework the National Institute of Standards and Technology published in January 2023 as NIST AI 100-1. It was directed by the National Artificial Intelligence Initiative Act of 2020 and developed through an open consultation with AI researchers, deployers, regulated industry buyers, civil society, and federal agencies. The framework is rights-preserving and use-case-agnostic; it does not mandate specific controls, it organises how an organisation thinks about, identifies, measures, and manages risk in the design, development, deployment, and evaluation of AI systems. The companion Generative AI Profile (NIST AI 600-1, July 2024) extends the framework with the twelve risks unique to or exacerbated by generative AI and the actions an organisation can take across the four core functions to address each.

For internal AppSec teams, product security teams, vulnerability management functions, GRC owners, security engineering teams, and CISOs deploying AI in production or building AI features, AI RMF is the universal vocabulary that lets a single AI risk record be read against ISO/IEC 42001 certification, OWASP LLM Top 10, MITRE ATLAS adversarial tactics, the EU AI Act technical documentation, federal procurement requirements, and customer audit requests. Programmes that already operate ISO 27001 or SOC 2 do not need to migrate; AI RMF sits alongside the existing information-security stack and carries the AI-specific risk-management vocabulary the wider standards do not.

The four core functions of AI RMF 1.0

AI RMF organises AI risk management into four core functions. GOVERN is cross-cutting and feeds the other three; MAP, MEASURE, and MANAGE are operational and run as a cycle per AI system. The function names are the highest-level vocabulary the framework uses; the subcategories beneath each function (numbered as GOVERN 1 through GOVERN 6, MAP 1 through MAP 5, MEASURE 1 through MEASURE 4, and MANAGE 1 through MANAGE 4 in the version 1.0 numbering) are what the work is actually planned and reported against.

The seven characteristics of trustworthy AI

Trustworthy AI is the criterion the framework uses to evaluate the AI system. The seven characteristics are not independent: tradeoffs across them are explicit in the framework, and the documented disposition is part of the audit evidence. The MEASURE function evaluates the AI system against each characteristic; the MAP function uses them as the design principles risk identification reads against; and the MANAGE function carries the operating expectation that the characteristics are maintained.

The GOVERN function in operating practice

GOVERN is the function most programmes underestimate. The framework expects the operating record (policy, named roles, training, supplier oversight, stakeholder engagement, leadership review cadence) rather than the signed policy document. The list below is the practical content of the function in the vocabulary AI RMF 1.0 uses and what each subcategory looks like in a workspace-driven programme.

The Generative AI Profile (NIST AI 600-1)

Programmes deploying or building on generative AI read AI RMF 1.0 alongside the GenAI Profile rather than as a substitute. NIST AI 600-1, published July 2024, is the cross-sectoral Profile for managing the risks of generative AI. It identifies twelve risks unique to or exacerbated by generative AI and proposes actions an organisation can take across GOVERN, MAP, MEASURE, and MANAGE to address each. The twelve risks are CBRN information, confabulation, dangerous or violent recommendations, data privacy, environmental impacts, harmful bias and homogenisation, human-AI configuration, information integrity, information security, intellectual property, obscene degrading and abusive content, and value chain and component integration risks. The Profile is voluntary and non-prescriptive; programmes pick the actions that fit their context, their generative AI system, and their risk tolerance. The companion OWASP LLM Top 10 explainer covers the threat catalogue most LLM application security programmes use alongside the GenAI Profile.

How an AI RMF programme operates across the cycle

An AI RMF programme runs as a structured engagement rather than an annual report. The cycle below is the practical ordering most teams follow when AI RMF is treated as the operating framework rather than a reporting wrapper. The cycle compounds: each re-baseline starts from the prior Profile, the Profile reads against the next cycle, and the evidence pack accumulates rather than being rebuilt.

1. 1Establish the GOVERN baseline. Name the executive owner, document the AI risk management strategy, record the AI risk tolerance, publish the AI policy hierarchy, capture the supplier oversight model for AI components, and record the workforce competence and training expectations per role. The GOVERN baseline is the input every other function reads against.
2. 2Inventory the in-scope AI systems. Walk the deployed AI systems, the AI systems in build, and the AI systems under evaluation. Capture the intended purpose, the deployment context, the categorisation, the third-party data and model sources, the affected stakeholders, and the legal and regulatory expectations per system. The inventory is the input MAP works against; without it, MAP is generic.
3. 3Build a Use-Case Profile per AI system. Translate the AI RMF subcategories into the specific operating story for the system in question. The Profile names the in-scope subcategories, the implementation actions, the evidence references, and the metrics MEASURE will produce. Borrow from a published Profile (such as the GenAI Profile, NIST AI 600-1) where one applies.
4. 4Run the MEASURE cycle. Evaluate the trustworthy characteristics with measurable evidence: validity and reliability test results, safety failure-mode reviews, security testing (classical and AI-specific), accountability and transparency disclosures, explainability and interpretability evaluations, privacy reviews, fairness diagnostics. The MEASURE output updates the Profile and feeds MANAGE.
5. 5Operate MANAGE on a cadence. Treat each mapped and measured risk through accept, mitigate, transfer, or escalate, with named owner, deadline, and review cadence per disposition. Capture AI incidents and adverse events as they occur, with the post-event improvements feeding back into GOVERN. The MANAGE record is what the audit and the leadership review read against.
6. 6Re-baseline. Roll the per-subcategory progress into the leadership report, refresh the per-system Use-Case Profile to reflect the new state, and start the next cycle from the new baseline rather than from a blank page. The re-baseline is what makes the framework durable across model version changes, deployment expansion, and leadership turnover.

Failure modes the framework is designed to surface

AI RMF is forgiving on the choice of controls, the choice of measurement methods, and the choice of risk tolerance. It is unforgiving about a small number of patterns that make the framework cosmetic rather than operational. The patterns below are the ones that recur across adoptions and that erode the year-over-year continuity the framework relies on.

Evidence the framework expects to see, organised against the functions

The AI RMF evidence pack reads well when it is built as a side effect of the operating work rather than reconstructed at year-end. The minimum set below maps to the subcategories examiners and customer auditors most often ask against, and the same artefacts feed parallel reads under ISO/IEC 42001, OWASP LLM Top 10, MITRE ATLAS, ISO 27001, and SOC 2 when the underlying record is structured.

How AI RMF relates to ISO/IEC 42001, OWASP LLM Top 10, MITRE ATLAS, and the wider regime

AI RMF is an outcome and risk-management framework, not a control catalogue, certification scheme, or regulation. It composes with the AI-specific and information-security frameworks programmes already operate against. The relationships below are the ones programmes most often need to read together.

Where SecPortal fits in an AI RMF programme

SecPortal is the operating layer for the AI RMF cycle, not a replacement for the NIST framework, the GenAI Profile, the Playbook, or the underlying control catalogues the programme reads against. The platform handles the GOVERN baseline, the per-system MAP, the MEASURE evidence, the MANAGE disposition record, and the leadership reporting so the cycle runs as a structured workflow rather than a slide deck refreshed quarterly. The same workspace that hosts the Profile work hosts the SAST, SCA, authenticated DAST, external scanning, and pentest evidence the secure-and-resilient characteristic consumes, so the line from artefact to outcome stays traceable.

The MEASURE and MANAGE functions are where most of the day-to-day AI security and risk work lives. AI-specific findings raised under the secure-and-resilient characteristic (prompt injection, jailbreak, training data exposure, model extraction, RAG poisoning, agent privilege escalation, output handling regression, unbounded consumption) need owners, deadlines, and verification evidence that walks back to the AI RMF subcategory they affect. The SDLC vulnerability handoff workflow keeps the line from design-time threat enumeration to in-production AI finding auditable. The control-gap remediation workflow records the disposition per gap that MANAGE 1 expects across the AI RMF subcategories. The vulnerability acceptance and exception management workflow records the documented exceptions GOVERN 1 and MANAGE 1 require. The control-mapping cross-framework crosswalk workflow carries the AI RMF to ISO/IEC 42001 to OWASP LLM Top 10 to ISO 27001 reconciliation a single AI risk record needs to feed.

For internal teams running the programme, the internal security teams workspace bundles the platform with the engagement structure AI RMF expects across the cycle. For the application security function that owns the per-feature security review and the LLM-aware testing programme, the AppSec teams workspace covers the same mechanics from the engineering-adjacent angle. For the product security function that owns the per-release posture across LLM and non-LLM features, the product security teams workspace carries the integrated finding lifecycle. For the GRC function that carries the cross-framework evidence pack and the GOVERN 6 supplier risk record, the GRC and compliance teams workspace covers the audit-side discipline that turns the artefacts into a portable evidence pack.

For security leaders carrying the GOVERN 2 executive sponsorship and the GOVERN 4 organisational commitment the framework expects, the CISOs and security leaders workspace covers the program-level reporting model that sits on top of the AI RMF operating record. For the prompt-injection class of finding most LLM applications carry through MEASURE 2, the prompt injection vulnerability page covers the detection, validation, and remediation reference. For the underlying compliance engine that maps the AI RMF subcategories to the wider framework footprint, the compliance tracking capability produces the cross-framework view a single AI risk record feeds. For the leadership reporting cadence GOVERN 4 carries into the operational rhythm, the continuous control monitoring cadence research covers the operating discipline that pairs with AI RMF MEASURE on a cadence rather than at annual reset.