NIST AI Risk Management Framework 1.0 (AI 100-1)
- I. Foundational Information
- Art. FR-1. Understanding and Addressing Risks, Impacts, and Harms (3)
- Art. TR-1. Valid and Reliable (4)
- Art. TR-2. Safe (5)
- Art. TR-3. Secure and Resilient (3)
- Art. TR-4. Accountable and Transparent (3)
- Art. TR-5. Explainable and Interpretable (3)
- Art. TR-6. Privacy-Enhanced ref
- Art. TR-7. Fair — with Harmful Bias Managed ref
- II. AI RMF Core Framework
- Ch. 1 — GOVERN
- Art. GV-1. Policies, Processes, Procedures, and Practices (8)
- Art. GV-2. Accountability Structures (3)
- Art. GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility (2)
- Art. GV-4. Organizational Culture of AI Risk (6)
- Art. GV-5. Engagement with Relevant AI Actors (3)
- Art. GV-6. Third-Party AI Risks and Supply Chain (3)
- Ch. 2 — MAP
- Art. MP-1. Context is Established and Understood (8)
- Art. MP-2. Categorization of the AI System (6)
- Art. MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs (5)
- Art. MP-4. Third-Party Component Risks and Benefits (5)
- Art. MP-5. Impact Characterization (4)
- Ch. 3 — MEASURE
- Art. MS-1. Appropriate Methods and Metrics (11)
- Art. MS-2. Trustworthy Characteristics Evaluation (24)
- Art. MS-3. Risk Tracking Mechanisms (5)
- Art. MS-4. Measurement Efficacy Feedback (6)
- Ch. 4 — MANAGE
- Art. MG-1. Risk Prioritization and Response (4)
- Art. MG-2. Strategies for Benefits and Impact Management (6)
- Art. MG-3. Third-Party AI Risk Management (2)
- Art. MG-4. Risk Treatment and Communication Plans (5)
- Annex A. NIST AI RMF Subcategory Reference
Title I — Foundational Information
Title II — AI RMF Core Framework
Chapter 1 — GOVERN
Article GV-6. Third-Party AI Risks and Supply Chain
3 obligations
NIST-RMF-GV-6-01
Risk Management
Third-Party AI Risk Management Policies
Organizations must establish and maintain policies and procedures specifically designed to address AI risks and benefits
NIST-RMF-GV-6-02
Risk Management
Third-Party Intellectual Property Risk Policies
Organizations must implement policies and procedures that specifically address AI risks associated with third-party enti
NIST-RMF-GV-6-03
Risk Management
High-Risk Third-Party AI System Contingency Processes
Organizations must establish contingency processes specifically designed to handle failures or incidents that occur in t
Chapter 2 — MAP
Article MP-1. Context is Established and Understood
5 obligations
NIST-RMF-MP-1-01
Documentation
Document intended purposes and deployment context
Organizations must understand and document the intended purposes, potentially beneficial uses, context-specific laws, no
NIST-RMF-MP-1-02
Requirement
Ensure interdisciplinary team diversity and document participation
Organizations must ensure that interdisciplinary AI actors with competencies, skills, and capacities for establishing co
NIST-RMF-MP-1-03
Requirement
Prioritize interdisciplinary collaboration opportunities
Organizations must prioritize opportunities for interdisciplinary collaboration in AI system development and deployment.
NIST-RMF-MP-1-04
Documentation
Document organizational mission and AI technology goals
Organizations must understand and document their mission and relevant goals for AI technology.
NIST-RMF-MP-1-05
Requirement
Define or re-evaluate business value context
Organizations must clearly define the business value or context of business use for new AI systems, or re-evaluate this
Chapter 3 — MEASURE
Chapter 4 — MANAGE
Article MG-1. Risk Prioritization and Response
4 obligations
NIST-RMF-MG-1-01
Risk Management
Determination of AI System Purpose Achievement and Deployment Decision
Organizations must determine whether their AI system achieves its intended purposes and stated objectives, and decide wh
NIST-RMF-MG-1-02
Risk Management
AI Risk Treatment Prioritization
Organizations must prioritize the treatment of documented AI risks based on their impact, likelihood, and available reso
NIST-RMF-MG-1-03
Risk Management
High Priority Risk Response Development and Documentation
Organizations must develop, plan, and document responses to AI risks identified as high priority by the MAP function. Ri
NIST-RMF-MG-1-04
Documentation
Negative Residual Risk Documentation for Downstream Parties
Organizations must document all negative residual risks (the sum of all unmitigated risks) that affect both downstream a
Article MG-2. Strategies for Benefits and Impact Management
6 obligations
NIST-RMF-MG-2-01
Documentation
Develop and Document AI Benefits and Impact Management Strategies
Organizations must plan, prepare, implement, and document comprehensive strategies to maximize AI benefits and minimize
NIST-RMF-MG-2-02
Risk Management
Account for AI Risk Management Resources and Alternative Systems
Organizations must take into account the resources required to manage AI risks and consider viable non-AI alternative sy
NIST-RMF-MG-2-03
Requirement
Implement Mechanisms to Sustain AI System Value
Organizations must establish and apply mechanisms to sustain the value of deployed AI systems throughout their operation
NIST-RMF-MG-2-04
Risk Management
Establish Procedures for Unknown Risk Response and Recovery
Organizations must follow established procedures to respond to and recover from previously unknown risks when they are i
NIST-RMF-MG-2-05
Human Oversight
Implement AI System Override and Deactivation Mechanisms
Organizations must establish and apply mechanisms to supersede, disengage, or deactivate AI systems that demonstrate per
NIST-RMF-MG-2-06
Requirement
Assign and Communicate Override Mechanism Responsibilities
Organizations must assign specific responsibilities for AI system override, disengagement, and deactivation functions an
Article MG-3. Third-Party AI Risk Management
2 obligations
NIST-RMF-MG-3-01
Risk Management
Monitor and control third-party AI risks and benefits
Organizations must regularly monitor AI risks and benefits from third-party resources, apply appropriate risk controls,
NIST-RMF-MG-3-02
Monitoring
Monitor pre-trained models in AI system operations
Pre-trained models used for AI system development must be monitored as an integral part of the AI system's regular monit
Article MG-4. Risk Treatment and Communication Plans
5 obligations
NIST-RMF-MG-4-01
Documentation
Document and monitor risk treatment and communication plans
Organizations must create written documentation of risk treatments (including response and recovery measures) and commun
NIST-RMF-MG-4-02
Monitoring
Implement post-deployment AI system monitoring plans
Organizations must implement comprehensive monitoring plans for AI systems after deployment that include mechanisms for
NIST-RMF-MG-4-03
Requirement
Integrate measurable continual improvement activities into AI system updates
Organizations must integrate measurable activities for continual improvements into AI system updates and ensure these in
NIST-RMF-MG-4-04
Transparency
Communicate incidents and errors to relevant AI actors
Organizations must communicate incidents and errors to relevant AI actors, including affected communities, when such inc
NIST-RMF-MG-4-05
Documentation
Follow and document incident and error tracking, response, and recovery processes
Organizations must establish, follow, and document processes for tracking, responding to, and recovering from incidents