NIST-AI-RMF
NIST AI Risk Management Framework 1.0 (AI 100-1)
- I. Foundational Information
- Art. FR-1. Understanding and Addressing Risks, Impacts, and Harms (3)
- Art. TR-1. Valid and Reliable (4)
- Art. TR-2. Safe (5)
- Art. TR-3. Secure and Resilient (3)
- Art. TR-4. Accountable and Transparent (3)
- Art. TR-5. Explainable and Interpretable (3)
- Art. TR-6. Privacy-Enhanced ref
- Art. TR-7. Fair — with Harmful Bias Managed ref
- II. AI RMF Core Framework
- Ch. 1 — GOVERN
- Art. GV-1. Policies, Processes, Procedures, and Practices (8)
- Art. GV-2. Accountability Structures (3)
- Art. GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility (2)
- Art. GV-4. Organizational Culture of AI Risk (6)
- Art. GV-5. Engagement with Relevant AI Actors (3)
- Art. GV-6. Third-Party AI Risks and Supply Chain (3)
- Ch. 2 — MAP
- Art. MP-1. Context is Established and Understood (8)
- Art. MP-2. Categorization of the AI System (6)
- Art. MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs (5)
- Art. MP-4. Third-Party Component Risks and Benefits (5)
- Art. MP-5. Impact Characterization (4)
- Ch. 3 — MEASURE
- Art. MS-1. Appropriate Methods and Metrics (11)
- Art. MS-2. Trustworthy Characteristics Evaluation (24)
- Art. MS-3. Risk Tracking Mechanisms (5)
- Art. MS-4. Measurement Efficacy Feedback (6)
- Ch. 4 — MANAGE
- Art. MG-1. Risk Prioritization and Response (4)
- Art. MG-2. Strategies for Benefits and Impact Management (6)
- Art. MG-3. Third-Party AI Risk Management (2)
- Art. MG-4. Risk Treatment and Communication Plans (5)
- Annex A. NIST AI RMF Subcategory Reference
Title I — Foundational Information
Article FR-1. Understanding and Addressing Risks, Impacts, and Harms
3 obligations
NIST-RMF-FR-1-01
Risk Management
Understand and manage AI system risks
Organizations must understand and manage the risks of AI systems to enhance trustworthiness and cultivate public trust t
NIST-RMF-FR-1-02
Risk Management
Manage AI risks across system lifecycle
Organizations must manage AI risks that can emerge at design and development, deployment, or in ongoing use and maintena
NIST-RMF-FR-1-03
Risk Management
Address AI risks at multiple organizational levels
Organizations must address AI risks that can emerge at individual, organizational, or societal levels to prevent negativ
Title II — AI RMF Core Framework
Chapter 1 — GOVERN
Article GV-1. Policies, Processes, Procedures, and Practices
8 obligations
NIST-RMF-GV-1-01
Documentation
Understand, manage, and document AI legal and regulatory requirements
Organizations must understand, actively manage, and maintain documentation of all legal and regulatory requirements that
NIST-RMF-GV-1-02
Requirement
Integrate trustworthy AI characteristics into organizational governance
Organizations must integrate the characteristics of trustworthy AI into their organizational policies, processes, proced
NIST-RMF-GV-1-03
Risk Management
Establish processes to determine risk management activity levels
Organizations must establish processes, procedures, and practices to determine the appropriate level of risk management
NIST-RMF-GV-1-04
Transparency
Establish transparent risk management process and controls
Organizations must establish their risk management process and its outcomes through transparent policies, procedures, an
NIST-RMF-GV-1-05
Monitoring
Plan ongoing monitoring and periodic review of risk management
Organizations must plan for ongoing monitoring and periodic review of the risk management process and its outcomes, with
NIST-RMF-GV-1-06
Documentation
Implement AI system inventory mechanisms
Organizations must establish mechanisms to inventory AI systems and ensure these mechanisms are adequately resourced acc
NIST-RMF-GV-1-07
Requirement
Establish safe AI system decommissioning processes
Organizations must establish processes and procedures for decommissioning and phasing out AI systems safely in a manner
NIST-RMF-GV-1-08
Risk Management
Implement comprehensive AI risk governance framework
Organizations must establish and effectively implement transparent policies, processes, procedures, and practices across
Article GV-2. Accountability Structures
3 obligations
NIST-RMF-GV-2-01
Documentation
Document roles, responsibilities and communication lines for AI risk management
Organizations must document and clearly communicate roles and responsibilities and lines of communication related to map
NIST-RMF-GV-2-02
Requirement
Provide AI risk management training to personnel and partners
Organizations must provide AI risk management training to their personnel and partners to enable them to perform their d
NIST-RMF-GV-2-03
Requirement
Executive leadership responsibility for AI system risk decisions
Executive leadership of organizations must take responsibility for decisions about risks associated with AI system devel
Article GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility
2 obligations
NIST-RMF-GV-3-01
Risk Management
Diverse Team Decision-Making for AI Risk Management
Organizations must ensure that decision-making processes related to mapping, measuring, and managing AI risks throughout
NIST-RMF-GV-3-02
Human Oversight
Human-AI Configuration Policies and Procedures
Organizations must establish and maintain policies and procedures that clearly define and differentiate roles and respon
Article GV-4. Organizational Culture of AI Risk
6 obligations
NIST-RMF-GV-4-01
Risk Management
Establish AI Risk-Aware Organizational Culture Policies
Organizations must establish and maintain policies and practices that foster a critical thinking and safety-first mindse
NIST-RMF-GV-4-02
Documentation
Document AI Technology Risks and Impacts
Organizational teams must document the risks and potential impacts of the AI technology they design, develop, deploy, ev
NIST-RMF-GV-4-03
Transparency
Communicate AI Impacts Broadly
Organizational teams must communicate about the impacts of AI technology more broadly beyond internal documentation, ens
NIST-RMF-GV-4-04
Requirement
Establish AI Testing Practices
Organizations must establish organizational practices that enable AI testing to ensure proper evaluation and validation
NIST-RMF-GV-4-05
Monitoring
Establish Incident Identification Practices
Organizations must establish organizational practices that enable identification of incidents related to AI systems, ens
NIST-RMF-GV-4-06
Transparency
Establish Information Sharing Practices
Organizations must establish organizational practices that enable information sharing related to AI systems, facilitatin
Article GV-5. Engagement with Relevant AI Actors
3 obligations
NIST-RMF-GV-5-01
Requirement
Establish policies for external feedback collection on AI risks
Organizations must establish and maintain organizational policies and practices to collect, consider, prioritize, and in
NIST-RMF-GV-5-02
Requirement
Establish mechanisms for regular feedback incorporation into AI systems
Organizations must establish mechanisms that enable development and deployment teams to regularly incorporate adjudicate
NIST-RMF-GV-5-03
Requirement
Maintain robust engagement processes with relevant AI actors
Organizations must establish and maintain processes that ensure robust engagement with relevant AI actors as part of the