NIST AI RMF: crosswalk to the EU AI Act

How the four functions of the NIST AI Risk Management Framework line up with the obligations the EU AI Act places on high-risk AI systems.

Two different instruments, one shared goal

The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1) was published on 26 January 2023 as a voluntary framework for managing the risks of AI systems. The EU AI Act is a binding regulation that imposes obligations on providers and deployers of AI, with the heaviest requirements falling on systems classified as high-risk. They sit at different points on the spectrum — one voluntary and outcome-oriented, the other prescriptive and legally enforceable — but both push organisations toward the same underlying disciplines: understanding context, measuring risk, and holding someone accountable.

Because the AI RMF is structured around four functions — Govern, Map, Measure and Manage — it gives a natural backbone for tracing where your existing risk practices already satisfy what the Act expects, and where gaps remain.

Where the functions and obligations overlap

The Act's high-risk requirements include a risk management system, data and data governance, technical documentation, record-keeping, transparency to deployers, human oversight, and accuracy, robustness and cybersecurity. Each of these has a recognisable home in one or more RMF functions. The table below offers a high-level view of how the four functions relate to the broad obligation areas; it is illustrative, not a substitute for legal analysis.

AI RMF function    Related EU AI Act obligation area
Govern             Risk management system, accountability, quality management, policies and roles
Map                Intended purpose, foreseeable misuse, affected persons, system boundaries
Measure            Accuracy, robustness and cybersecurity testing; data quality assessment
Manage             Human oversight, post-market monitoring, corrective action, documentation

Using the official NIST crosswalks

NIST publishes crosswalks that map the AI RMF to other frameworks and standards, alongside companion resources such as the Playbook, the Roadmap and use-case profiles. Where an official crosswalk exists, start from it rather than building your own mapping from scratch — it gives you a defensible reference point and keeps your interpretation aligned with how NIST intends the functions to be read. Treat any crosswalk as a starting structure that you then localise to your own systems, controls and evidence.

Practical cautions

  • A mapping shows correspondence, not equivalence — satisfying an RMF outcome does not automatically discharge a legal obligation under the Act.
  • The Act's obligations are tied to role (provider versus deployer) and to risk classification; the same RMF activity may carry different legal weight depending on where you sit.
  • Keep your crosswalk versioned, because both the framework's companion resources and the Act's implementing guidance continue to evolve.

How TrustedAIGov helps

Our Governance Platform is built to keep one set of controls and evidence mapped across multiple frameworks, so an RMF activity and the EU AI Act obligation it supports stay aligned in a single view rather than tracked in separate spreadsheets.

Map your controls across frameworks

See where your estate already meets the RMF and where the EU AI Act asks for more.