NIST AI RMF: Govern, Map, Measure, Manage

The four core functions of the framework explained, with the questions worth asking at each stage of the AI lifecycle.

The four core functions

The NIST AI Risk Management Framework (AI RMF 1.0, NIST AI 100-1, published 26 January 2023) organises its core around four functions: Govern, Map, Measure and Manage. Govern is cross-cutting and informs the other three; Map, Measure and Manage describe how risk is identified, analysed and acted on across the AI lifecycle. They are not a strict sequence — in practice you revisit them continuously as a system changes.

Govern

Govern is the cross-cutting function. It establishes the culture, accountability, policies and processes that make risk management real rather than aspirational, and it shapes how the other three functions are carried out.

  • Who is accountable for AI risk, and how is that accountability documented?
  • What policies, roles and review processes govern how AI is built and used?
  • How are legal, ethical and organisational expectations reflected in day-to-day practice?

Map

Map establishes the context. It frames the setting in which an AI system operates so that risks can be identified before they are measured — including intended purpose, stakeholders, system boundaries and potential harms.

  • What is the system's intended purpose, and who is affected by it?
  • Where are the system boundaries, dependencies and assumptions?
  • What benefits and potential harms can be foreseen, and for whom?

Measure

Measure analyses, benchmarks and monitors AI risk using a mix of quantitative and qualitative methods. It turns the risks identified in Map into something that can be assessed, tracked and compared over time.

  • Which methods and metrics will you use to assess the mapped risks?
  • How will performance, robustness and fairness be benchmarked and monitored?
  • How are measurement results documented and kept current as the system changes?

Manage

Manage allocates resources to the risks that have been mapped and measured. It is where prioritisation, treatment and response happen, including the decisions about what to accept, mitigate or stop.

  • Which risks are prioritised, and on what basis?
  • How are resources allocated to treatment, monitoring and response?
  • What is the plan for incidents, recovery and continuous improvement?

How TrustedAIGov helps

Our Governance Platform is structured so that the activities under each RMF function — the policies, the mapped context, the measurements and the response actions — are captured as controls and evidence aligned to the framework, rather than living in disconnected documents.
