
NIST AI RMF in Practice: The Govern-Map-Measure-Manage Cycle

AIClarum Team


The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is a voluntary framework for managing the risks of AI systems across their lifecycle. Unlike the EU AI Act, the AI RMF imposes no legal obligations, but it is becoming the de facto reference for AI risk management in US federal procurement and is cited in executive orders, agency guidance, and industry practice.

The Four Core Functions

The AI RMF is organized around four core functions: Govern, Map, Measure, and Manage. These functions are not sequential steps but ongoing, interdependent activities that collectively constitute a mature AI risk management program.

GOVERN: Establishing the Foundation

The Govern function establishes the organizational policies, processes, and accountability structures for AI risk management. It includes defining AI risk appetite, establishing an AI governance committee, creating policies for AI development and deployment, and ensuring AI risk management is integrated into broader enterprise risk management. Govern is the foundation upon which the other functions depend — organizations that skip it find their Map, Measure, and Manage activities inconsistent and unsustainable.

MAP: Understanding Context and Risk

The Map function is concerned with identifying and classifying AI risks before they materialize. For each AI system, Map activities include characterizing the system's purpose and intended users, identifying potential harms and their likelihood, assessing the AI system's legal and regulatory context, and documenting the system's technical characteristics. The output of Map is a risk profile for each AI system that informs subsequent measurement and management activities.

MEASURE: Quantifying Risk

The Measure function translates the risks identified in Map into measures that can be tracked over time, using quantitative, qualitative, or mixed methods. Fairness metrics, performance metrics, reliability metrics, and security and resilience metrics (for example adversarial robustness, and the rate at which input guardrails reject requests) all fall within Measure. Critically, the AI RMF emphasizes that measurement must be ongoing rather than a one-time pre-deployment exercise: production monitoring is a core Measure activity, and a metric that was acceptable at launch can drift out of tolerance as data and usage change.

MANAGE: Responding to Risk

The Manage function is the operational response layer: what happens when measured risk exceeds acceptable thresholds. Manage activities include prioritizing risk responses based on impact and likelihood, implementing risk treatments (model retraining, human oversight, decommissioning), documenting responses for accountability, and reviewing the effectiveness of risk treatments over time.
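The Measure and Manage functions above can be made concrete as a small monitoring loop: compute a few metrics over a window of logged production decisions, compare each against an agreed threshold, and turn breaches into a prioritized list of risk responses. The following Python is an added illustration written for this article; it is not AIClarum's code or anything published by NIST. The decision records, the thresholds, the impact scores, and the response texts are all constructed and hypothetical, and the metrics chosen (accuracy, a four-fifths selection-rate ratio across groups, and a guardrail block rate as a security signal) are examples of the categories Measure names, not a prescribed set.

```python
"""Measure -> Manage loop over a window of logged AI decisions (illustrative)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Decision:
    """One logged production decision. Field names are hypothetical."""
    group: str      # protected-attribute value used for the fairness metric
    predicted: int  # model output: 1 = favourable outcome
    actual: int     # ground-truth outcome once known, for the accuracy metric
    blocked: bool   # True if an input guardrail rejected the request (no decision made)


@dataclass(frozen=True)
class Threshold:
    """Acceptable range for one metric plus the Manage response if it is breached."""
    metric: str
    minimum: Optional[float]
    maximum: Optional[float]
    impact: int     # 1 (low) .. 3 (high); drives prioritisation of responses
    response: str   # hypothetical risk treatment


def _scored(window: List[Decision]) -> List[Decision]:
    """Blocked requests never reached the model, so they carry no decision to score."""
    return [d for d in window if not d.blocked]


def accuracy(window: List[Decision]) -> float:
    scored = _scored(window)
    return sum(d.predicted == d.actual for d in scored) / len(scored)


def selection_rate_ratio(window: List[Decision]) -> float:
    """min/max of per-group favourable-outcome rates (the four-fifths rule compares this to 0.8)."""
    rates: Dict[str, float] = {}
    for group in sorted({d.group for d in _scored(window)}):
        members = [d for d in _scored(window) if d.group == group]
        rates[group] = sum(d.predicted for d in members) / len(members)
    return min(rates.values()) / max(rates.values())


def guardrail_block_rate(window: List[Decision]) -> float:
    """Share of all requests rejected by the input guardrail; a rise is a security signal."""
    return sum(d.blocked for d in window) / len(window)


METRICS: Dict[str, Callable[[List[Decision]], float]] = {
    "accuracy": accuracy,
    "selection_rate_ratio": selection_rate_ratio,
    "guardrail_block_rate": guardrail_block_rate,
}

# Hypothetical risk appetite set under Govern; values are for illustration only.
THRESHOLDS: List[Threshold] = [
    Threshold("accuracy", minimum=0.70, maximum=None, impact=3,
              response="retrain or roll back the model; widen human review"),
    Threshold("selection_rate_ratio", minimum=0.80, maximum=None, impact=3,
              response="route affected decisions to human oversight; open fairness review"),
    Threshold("guardrail_block_rate", minimum=None, maximum=0.05, impact=2,
              response="escalate to security operations for abuse-traffic review"),
]


def measure(window: List[Decision]) -> Dict[str, float]:
    """Measure: evaluate every registered metric over the current window."""
    return {name: fn(window) for name, fn in METRICS.items()}


def manage(metrics: Dict[str, float], thresholds: List[Threshold]) -> List[Tuple[int, float, str, str]]:
    """Manage: return breaches as (impact, relative magnitude, metric, response), highest first."""
    breaches = []
    for t in thresholds:
        value = metrics[t.metric]
        if t.minimum is not None and value < t.minimum:
            magnitude = (t.minimum - value) / t.minimum
        elif t.maximum is not None and value > t.maximum:
            magnitude = (value - t.maximum) / t.maximum
        else:
            continue  # within appetite: no response required
        breaches.append((t.impact, magnitude, t.metric, t.response))
    return sorted(breaches, reverse=True)


def sample_window() -> List[Decision]:
    """Constructed sample: 12 scored decisions across two groups plus 2 blocked requests."""
    group_a = [(1, 1), (1, 1), (1, 1), (0, 0), (1, 1), (1, 0)]   # 5/6 favourable, 5 correct
    group_b = [(1, 1), (0, 0), (0, 0), (1, 0), (0, 1), (0, 0)]   # 2/6 favourable, 4 correct
    window = [Decision("A", p, a, False) for p, a in group_a]
    window += [Decision("B", p, a, False) for p, a in group_b]
    window += [Decision("A", 0, 0, True), Decision("B", 0, 0, True)]
    return window


def run(window: Optional[List[Decision]] = None) -> List[Tuple[int, float, str, str]]:
    """One cycle of the loop: measure the window, then derive prioritised responses."""
    return manage(measure(window or sample_window()), THRESHOLDS)


if __name__ == "__main__":
    for impact, magnitude, metric, response in run():
        print(f"impact={impact} breach={magnitude:.2f} {metric}: {response}")
```

On the sample window, accuracy is 0.75 (within the 0.70 appetite), the selection-rate ratio is 0.4 (well below 0.8), and the block rate is 2/14 (above 0.05), so the loop emits two responses with the fairness breach first because it carries the higher impact score. The same structure extends to any metric that takes a window and returns a number; what matters for the framework is that the thresholds and responses are agreed and documented under Govern before the loop runs, not improvised when an alert fires.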

AIClarum and NIST AI RMF

AIClarum's compliance dashboard provides a real-time NIST AI RMF posture view that maps your organization's activities to the Govern, Map, Measure, and Manage functions. Evidence collected through normal model operations automatically populates the Measure function, and automated alerts drive Manage workflows when a threshold is breached.
