NIST-AI-RMF
NIST AI Risk Management Framework 1.0 (AI 100-1)
- I. Foundational Information
  - Art. FR-1. Understanding and Addressing Risks, Impacts, and Harms (3)
  - Art. TR-1. Valid and Reliable (4)
  - Art. TR-2. Safe (5)
  - Art. TR-3. Secure and Resilient (3)
  - Art. TR-4. Accountable and Transparent (3)
  - Art. TR-5. Explainable and Interpretable (3)
  - Art. TR-6. Privacy-Enhanced ref
  - Art. TR-7. Fair — with Harmful Bias Managed ref
- II. AI RMF Core Framework
  - Ch. 1 — GOVERN
    - Art. GV-1. Policies, Processes, Procedures, and Practices (8)
    - Art. GV-2. Accountability Structures (3)
    - Art. GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility (2)
    - Art. GV-4. Organizational Culture of AI Risk (6)
    - Art. GV-5. Engagement with Relevant AI Actors (3)
    - Art. GV-6. Third-Party AI Risks and Supply Chain (3)
  - Ch. 2 — MAP
    - Art. MP-1. Context is Established and Understood (8)
    - Art. MP-2. Categorization of the AI System (6)
    - Art. MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs (5)
    - Art. MP-4. Third-Party Component Risks and Benefits (5)
    - Art. MP-5. Impact Characterization (4)
  - Ch. 3 — MEASURE
    - Art. MS-1. Appropriate Methods and Metrics (11)
    - Art. MS-2. Trustworthy Characteristics Evaluation (24)
    - Art. MS-3. Risk Tracking Mechanisms (5)
    - Art. MS-4. Measurement Efficacy Feedback (6)
  - Ch. 4 — MANAGE
    - Art. MG-1. Risk Prioritization and Response (4)
    - Art. MG-2. Strategies for Benefits and Impact Management (6)
    - Art. MG-3. Third-Party AI Risk Management (2)
    - Art. MG-4. Risk Treatment and Communication Plans (5)
- Annex A. NIST AI RMF Subcategory Reference
Risk Management Obligations (29)
Title I — Foundational Information
Article FR-1. Understanding and Addressing Risks, Impacts, and Harms
3 obligations
NIST-RMF-FR-1-01
Risk Management
Understand and manage AI system risks
Organizations must understand and manage the risks of AI systems to enhance trustworthiness and cultivate public trust t
NIST-RMF-FR-1-02
Risk Management
Manage AI risks across system lifecycle
Organizations must manage AI risks that can emerge at design and development, deployment, or in ongoing use and maintena
NIST-RMF-FR-1-03
Risk Management
Address AI risks at multiple organizational levels
Organizations must address AI risks that can emerge at individual, organizational, or societal levels to prevent negativ
Title II — AI RMF Core Framework
Chapter 1 — GOVERN
Article GV-1. Policies, Processes, Procedures, and Practices
2 obligations
NIST-RMF-GV-1-03
Risk Management
Establish processes to determine risk management activity levels
Organizations must establish processes, procedures, and practices to determine the appropriate level of risk management
NIST-RMF-GV-1-08
Risk Management
Implement comprehensive AI risk governance framework
Organizations must establish and effectively implement transparent policies, processes, procedures, and practices across
Article GV-3. Workforce Diversity, Equity, Inclusion, and Accessibility
1 obligation
Article GV-4. Organizational Culture of AI Risk
1 obligation
Article GV-6. Third-Party AI Risks and Supply Chain
3 obligations
NIST-RMF-GV-6-01
Risk Management
Third-Party AI Risk Management Policies
Organizations must establish and maintain policies and procedures specifically designed to address AI risks and benefits
NIST-RMF-GV-6-02
Risk Management
Third-Party Intellectual Property Risk Policies
Organizations must implement policies and procedures that specifically address AI risks associated with third-party enti
NIST-RMF-GV-6-03
Risk Management
High-Risk Third-Party AI System Contingency Processes
Organizations must establish contingency processes specifically designed to handle failures or incidents that occur in t
Chapter 2 — MAP
Article MP-3. AI Capabilities, Usage, Goals, Benefits, and Costs
1 obligation
Article MP-4. Third-Party Component Risks and Benefits
4 obligations
NIST-RMF-MP-4-01
Risk Management
Map risks and benefits of all AI system components including third-party elements
Organizations must comprehensively map and document the risks and benefits associated with all components of their AI sy
NIST-RMF-MP-4-02
Risk Management
Implement approaches for mapping AI technology and legal risks of components
Organizations must establish, implement, follow, and document specific approaches and methodologies for mapping AI techn
NIST-RMF-MP-4-03
Risk Management
Map and document third-party intellectual property infringement risks
Organizations must identify, assess, and document risks of infringing third parties' intellectual property rights or oth
NIST-RMF-MP-4-04
Risk Management
Identify internal risk controls for AI system components
Organizations must identify and establish internal risk control mechanisms specifically designed to manage risks associa
Chapter 3 — MEASURE
Article MS-1. Appropriate Methods and Metrics
2 obligations
NIST-RMF-MS-1-01
Risk Management
Select and implement measurement approaches for AI risks starting with most significant
Organizations must identify and select appropriate approaches and metrics for measuring AI risks that were enumerated du
NIST-RMF-MS-1-05
Risk Management
Consider potential impacts on affected communities in assessments
Organizations must include consideration of potential impacts on affected communities when regularly assessing the appro
Article MS-2. Trustworthy Characteristics Evaluation
2 obligations
NIST-RMF-MS-2-08
Risk Management
Regularly Evaluate AI System for Safety Risks
Organizations must evaluate the AI system regularly for safety risks as identified in the MAP function.
NIST-RMF-MS-2-13
Risk Management
Examine Transparency and Accountability Risks
Organizations must examine risks associated with transparency and accountability as identified in the MAP function.
Article MS-3. Risk Tracking Mechanisms
3 obligations
NIST-RMF-MS-3-01
Risk Management
Establish AI Risk Tracking Mechanisms
Organizations must implement and maintain mechanisms for tracking identified AI risks over time, ensuring continuous mon
NIST-RMF-MS-3-02
Risk Management
Implement Regular AI Risk Identification and Tracking
Organizations must establish approaches, assign personnel, and maintain documentation to regularly identify and track ex
NIST-RMF-MS-3-03
Risk Management
Consider Risk Tracking for Difficult-to-Assess Settings
Organizations must consider and implement risk tracking approaches specifically for settings where AI risks are difficul
Article MS-4. Measurement Efficacy Feedback
1 obligation
Chapter 4 — MANAGE
Article MG-1. Risk Prioritization and Response
3 obligations
NIST-RMF-MG-1-01
Risk Management
Determination of AI System Purpose Achievement and Deployment Decision
Organizations must determine whether their AI system achieves its intended purposes and stated objectives, and decide wh
NIST-RMF-MG-1-02
Risk Management
AI Risk Treatment Prioritization
Organizations must prioritize the treatment of documented AI risks based on their impact, likelihood, and available reso
NIST-RMF-MG-1-03
Risk Management
High Priority Risk Response Development and Documentation
Organizations must develop, plan, and document responses to AI risks identified as high priority by the MAP function. Ri
Article MG-2. Strategies for Benefits and Impact Management
2 obligations
NIST-RMF-MG-2-02
Risk Management
Account for AI Risk Management Resources and Alternative Systems
Organizations must take into account the resources required to manage AI risks and consider viable non-AI alternative sy
NIST-RMF-MG-2-04
Risk Management
Establish Procedures for Unknown Risk Response and Recovery
Organizations must follow established procedures to respond to and recover from previously unknown risks when they are i
Article MG-3. Third-Party AI Risk Management
1 obligation