On January 26, 2023, the U.S. National Institute of Standards and Technology released version 1.0 of the AI Risk Management Framework (AI RMF). NIST developed it through its Information Technology Laboratory in collaboration with the public and private sectors, following public comment periods and workshops. The framework is intended for voluntary use, designed to help organizations incorporate trustworthiness into the design, development, use, and evaluation of AI systems.
The framework is organized around four core functions. Govern establishes oversight, culture, and accountability for AI risk and cuts across the others. Map identifies the context and the risks and impacts of a given AI system. Measure assesses and tracks those risks using quantitative and qualitative methods. Manage prioritizes and acts on the risks, allocating resources to mitigation. NIST also published supporting materials, including a companion playbook and, in July 2024, a Generative AI Profile addressing risks specific to generative systems.
Because the AI RMF is voluntary rather than regulatory, its influence comes from adoption: it gives organizations, procurement teams, and auditors a common vocabulary and a structured process for talking about and documenting AI risk. It has been widely referenced in U.S. policy, including the 2023 executive order on AI, and by companies seeking a recognized baseline.
The framework marked a shift in how AI governance is approached in the United States, away from purely abstract principles and toward an operational, process-based standard that organizations can actually implement and be measured against.