NIST-AI-RMF
NIST AI Risk Management Framework 1.0 (AI 100-1)
- I. Foundational Information
  - Art. FR-1. Understanding and Addressing Risks, Impacts, and Harms (3)
  - Art. TR-1. Valid and Reliable (4)
  - Art. TR-2. Safe (5)
  - Art. TR-3. Secure and Resilient (3)
  - Art. TR-4. Accountable and Transparent (3)
  - Art. TR-5. Explainable and Interpretable (3)
  - Art. TR-6. Privacy-Enhanced ref
  - Art. TR-7. Fair — with Harmful Bias Managed ref
- II. AI RMF Core Framework
  - Ch. 1 — GOVERN
    - Art. GV-1. Policies, Processes, Procedures, and Practices (8)
    - Art. GV-2. Accountability Structures (3)
    - Art. GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility (2)
    - Art. GV-4. Organizational Culture of AI Risk (6)
    - Art. GV-5. Engagement with Relevant AI Actors (3)
    - Art. GV-6. Third-Party AI Risks and Supply Chain (3)
  - Ch. 2 — MAP
    - Art. MP-1. Context is Established and Understood (8)
    - Art. MP-2. Categorization of the AI System (6)
    - Art. MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs (5)
    - Art. MP-4. Third-Party Component Risks and Benefits (5)
    - Art. MP-5. Impact Characterization (4)
  - Ch. 3 — MEASURE
    - Art. MS-1. Appropriate Methods and Metrics (11)
    - Art. MS-2. Trustworthy Characteristics Evaluation (24)
    - Art. MS-3. Risk Tracking Mechanisms (5)
    - Art. MS-4. Measurement Efficacy Feedback (6)
  - Ch. 4 — MANAGE
    - Art. MG-1. Risk Prioritization and Response (4)
    - Art. MG-2. Strategies for Benefits and Impact Management (6)
    - Art. MG-3. Third-Party AI Risk Management (2)
    - Art. MG-4. Risk Treatment and Communication Plans (5)
- Annex A. NIST AI RMF Subcategory Reference
Title I — Foundational Information
Title II — AI RMF Core Framework
Chapter 1 — GOVERN
Chapter 2 — MAP
Article MP-1. Context is Established and Understood
3 obligations
NIST-RMF-MP-1-06
Documentation
Determine and document organizational risk tolerances
Organizations must determine and document their risk tolerances related to AI systems.
NIST-RMF-MP-1-07
Requirement
Elicit and understand system requirements from relevant AI actors
Organizations must elicit system requirements from and ensure they are understood by relevant AI actors, including requi
NIST-RMF-MP-1-08
Requirement
Consider socio-technical implications in design decisions for AI risk mitigation
Organizations must ensure that design decisions take socio-technical implications into account to address AI risks.
Article MP-2. Categorization of the AI System
6 obligations
NIST-RMF-MP-2-01
Requirement
Perform AI System Categorization
Organizations must perform a categorization process for their AI system to classify and understand its nature and charac
NIST-RMF-MP-2-02
Documentation
Define AI System Tasks and Implementation Methods
Organizations must define and document the specific tasks that the AI system will support and the methods used to implem
NIST-RMF-MP-2-03
Documentation
Document AI System Knowledge Limits and Human Oversight Information
Organizations must document information about the AI system's knowledge limits and how system output may be utilized and
NIST-RMF-MP-2-04
Transparency
Provide Sufficient Documentation for AI Actor Decision-Making
Organizations must ensure that documentation provides sufficient information to assist relevant AI actors when making de
NIST-RMF-MP-2-05
Documentation
Identify and Document Scientific Integrity Considerations
Organizations must identify and document scientific integrity considerations, including those related to experimental de
NIST-RMF-MP-2-06
Documentation
Identify and Document TEVV Considerations
Organizations must identify and document Testing, Evaluation, Validation and Verification (TEVV) considerations, includi
Article MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs
5 obligations
NIST-RMF-MP-3-01
Documentation
Document potential benefits of AI system functionality and performance
Organizations must examine and document the potential benefits of their intended AI system functionality and performance
NIST-RMF-MP-3-02
Risk Management
Document potential costs including non-monetary costs from AI errors
Organizations must examine and document potential costs, including non-monetary costs, which result from expected or rea
NIST-RMF-MP-3-03
Documentation
Specify and document targeted application scope based on system capability
Organizations must specify and document the targeted application scope based on the AI system's capability, established
NIST-RMF-MP-3-04
Requirement
Define, assess, and document operator and practitioner proficiency processes
Organizations must define, assess, and document processes for ensuring operator and practitioner proficiency with AI sys
NIST-RMF-MP-3-05
Human Oversight
Define, assess, and document human oversight processes per GOVERN policies
Organizations must define, assess, and document processes for human oversight in accordance with organizational policies
Article MP-4. Third-Party Component Risks and Benefits
5 obligations
NIST-RMF-MP-4-01
Risk Management
Map risks and benefits of all AI system components including third-party elements
Organizations must comprehensively map and document the risks and benefits associated with all components of their AI sy
NIST-RMF-MP-4-02
Risk Management
Implement approaches for mapping AI technology and legal risks of components
Organizations must establish, implement, follow, and document specific approaches and methodologies for mapping AI techn
NIST-RMF-MP-4-03
Risk Management
Map and document third-party intellectual property infringement risks
Organizations must identify, assess, and document risks of infringing third parties' intellectual property rights or oth
NIST-RMF-MP-4-04
Risk Management
Identify internal risk controls for AI system components
Organizations must identify and establish internal risk control mechanisms specifically designed to manage risks associa
NIST-RMF-MP-4-05
Documentation
Document internal risk controls for AI system components
Organizations must create and maintain comprehensive documentation of all internal risk controls established for managin
Article MP-5. Impact Characterization
4 obligations
NIST-RMF-MP-5-01
Documentation
Document likelihood and magnitude of identified impacts
Organizations must identify and document the likelihood and magnitude of each identified impact (both potentially benefi
NIST-RMF-MP-5-02
Requirement
Establish practices for regular engagement with AI actors
Organizations must establish and maintain practices for supporting regular engagement with relevant AI actors to integra
NIST-RMF-MP-5-03
Requirement
Assign personnel for AI actor engagement and feedback integration
Organizations must designate personnel responsible for supporting regular engagement with relevant AI actors and integra
NIST-RMF-MP-5-04
Documentation
Document engagement practices and personnel assignments
Organizations must document both the practices and personnel arrangements for supporting regular engagement with relevan
Chapter 3 — MEASURE
Article MS-1. Appropriate Methods and Metrics
2 obligations
NIST-RMF-MS-1-01
Risk Management
Select and implement measurement approaches for AI risks starting with most significant
Organizations must identify and select appropriate approaches and metrics for measuring AI risks that were enumerated du
NIST-RMF-MS-1-02
Documentation
Document risks that cannot or will not be measured
Organizations must properly document any risks or trustworthiness characteristics that will not be measured or cannot be