sitkastack

NIST AI Risk Management Framework

National Institute of Standards and Technology · AI RMF 1.0 (January 2023) · Voluntary US framework widely adopted across regulated industries.

What it covers

The NIST AI Risk Management Framework defines four functions for managing AI system risk: Govern, Map, Measure, and Manage. Each function contains sub-functions with specific outcomes organizations are expected to achieve. The framework is voluntary but increasingly referenced in procurement requirements, regulatory filings, and contractual obligations.

Who it applies to

The framework is voluntary and broadly applicable. In practice, it is referenced by US federal agencies, many state-level AI regulations, sectoral regulators, insurance underwriters, and procurement teams at large enterprises. Demonstrating NIST AI RMF alignment is increasingly a baseline expectation rather than a differentiator.

The AI-relevant control objectives

  • Govern: AI risk management policies, accountability structures, workforce capability, and supply chain risk
  • Map: AI system context, impact assessment, third-party components, and intended use
  • Measure: evaluation metrics, ongoing monitoring, and performance documentation
  • Manage: risk prioritization, response planning, incident documentation, and continuous improvement

How sitkastack maps to it

What sitkastack delivers under this framework

sitkastack engagements produce artifacts mapped explicitly to NIST AI RMF functions and sub-functions. These include risk classification documents, model documentation, evaluation artifacts, and incident response procedures. Typical engagements: NIST AI RMF Readiness Sprint, AI Policy & Risk Pack, or 90-Day AI Build.

Honest limitations

sitkastack produces NIST AI RMF-aligned artifacts. I do not issue NIST certifications (there is no certification body for NIST AI RMF; alignment is self-asserted). The organization remains accountable for its own NIST AI RMF program.

Talk to me

Questions about how this maps to your environment? Email me.