All articles
Guides12 min readJune 4, 2026

NIST AI Risk Management Framework: A Plain-English Guide

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary playbook, published in January 2023, that helps organizations identify, assess, and reduce the risks of AI systems. It is organized around four functions, Govern, Map, Measure, and Manage, and it comes with a 2024 Generative AI Profile that adds guidance for large language models and the agents built on them.

Quick answer

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary playbook, published in January 2023, that helps organizations identify, assess, and reduce the risks of AI systems. It is organized around four functions, Govern, Map, Measure, and Manage, and it comes with a 2024 Generative AI Profile that adds guidance for large language models and the agents built on them.

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary, sector-agnostic playbook published by the U.S. National Institute of Standards and Technology in January 2023 to help organizations build, deploy, and oversee AI systems they can actually trust. It does not certify you, audit you, or fine you. It gives you a shared vocabulary and a structured set of activities for spotting AI risks early and keeping them in check over the life of the system.

The whole framework hangs on four functions: Govern, Map, Measure, and Manage. Govern sets the culture and accountability. Map figures out the context and what could go wrong. Measure tests and tracks how the system behaves. Manage decides what to do about the risks you found, and keeps watching after launch. Read in that order, the four functions describe a loop you run continuously, not a one-time checklist you file away.

NIST also defines what "trustworthy" means in concrete terms. An AI system should be valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. Those seven characteristics are the yardstick you measure against. The framework is deliberately tech-neutral, so it applies to a fraud model, a recommendation engine, and a generative AI agent that books meetings and updates a CRM.

If you are responsible for an AI agent that takes real action inside your business, the AI RMF is the most useful free starting point available. The rest of this guide walks through each function in plain English, covers the 2024 Generative AI Profile, and shows how everyday governance controls, approvals, role-based access, and audit logs, map directly onto the framework.

Why a voluntary framework became the default standard

Nothing in the AI RMF is legally binding. There is no NIST police. So why has it become the reference point that security teams, procurement departments, and regulators keep pointing at? Because it filled a vacuum at the right moment, and because it was built by consensus rather than handed down.

NIST developed the framework through an open, multi-year process with hundreds of contributors from industry, academia, civil society, and government. The result reads like something practitioners would actually use, not a compliance document written by lawyers. That credibility is why it shows up everywhere now: in vendor security questionnaires, in board-level AI policies, and as the scaffolding for newer rules.

It also plays well with standards you may already follow. The four functions line up cleanly with risk-management muscle you have from frameworks like ISO/IEC 42001 and the controls behind SOC 2. If your team already runs a risk register and a change-management process, the AI RMF tells you what AI-specific entries to add rather than asking you to start over. That low switching cost is a big part of why adoption spread so fast.

The AI RMF is voluntary, but in practice it has become the common language buyers, auditors, and regulators use to talk about AI risk.

Govern: who owns AI risk and how decisions get made

Govern is the foundation, and NIST puts it first on purpose. It is about the people, policies, and accountability that make every other function actually happen. Without Govern, Map and Measure produce findings that nobody owns and nobody acts on.

In practice, the Govern function answers unglamorous but decisive questions. Who signs off before an AI agent gets access to production data? What is the policy when a model behaves unexpectedly? Who is accountable if an agent sends a wrong refund or deletes a record it should not have touched? These are organizational decisions, not model parameters, and they need names attached to them.

A healthy Govern practice usually includes a few concrete artifacts. The list below is what "good" tends to look like in a mid-sized company adopting AI agents.

  • A written AI policy that states acceptable use, prohibited use, and who can approve exceptions, so teams are not improvising case by case.
  • A named owner or committee for each AI system, because risk that belongs to everyone belongs to no one.
  • An inventory of every AI system in use, including shadow tools, since you cannot govern what you do not know exists.
  • A vendor and third-party process for AI you buy rather than build, so external models are held to the same bar as internal ones.
  • An incident and escalation path that says exactly what happens, and who is paged, when an AI system causes harm or behaves outside its limits.

Map: understanding context before you build

Map is where you slow down and ask what this system is actually for, who it affects, and how it could fail. It is the function teams most often skip, usually because the demo worked and everyone got excited. Skipping it is how you end up automating a process you never fully understood.

The Map function pushes you to document the intended purpose, the deployment setting, the people in the loop, and the foreseeable ways things go wrong. For an AI agent that touches customer data, mapping means writing down which systems it can reach, which actions it can take, and what a worst-case mistake looks like in each one. A read-only reporting agent and an agent that can issue refunds carry very different risk profiles, and Map is where that distinction gets made explicit.

Good mapping also surfaces the trade-offs you are implicitly accepting. Maybe the agent resolves tickets faster but occasionally closes one prematurely. Maybe it personalizes outreach well but could leak that one customer's data informed another's message. Naming these tensions early, while they are cheap to fix, is the entire point. By the end of Map you should be able to describe, in a paragraph a non-engineer can follow, what the system does and the top three ways it could hurt someone.

Map is the cheapest risk control you have: every problem you write down before launch costs a fraction of the same problem found in production.

Measure: testing and tracking how the system behaves

Measure turns vague worries into evidence. The Map function gives you a list of things that could go wrong; Measure is how you check whether they actually do, using methods you can repeat. This is the function that keeps AI governance honest, because opinions about whether a system is "safe enough" are cheap and measurements are not.

For a generative AI agent, measurement spans more than accuracy. You want to track how often the agent produces wrong or fabricated answers, how it performs across different user groups, whether it resists prompt injection and other adversarial inputs, and how its behavior drifts as the underlying model or your data changes. Some of this is automated evaluation against a test set; some of it is red-teaming, where people deliberately try to make the system misbehave.

The hard part is choosing metrics that map to real harm rather than ones that are easy to compute. A chatbot can score well on a benchmark and still confidently tell a customer the wrong return policy. So measurement should include the unglamorous stuff: sampling real transcripts, tracking the rate of human overrides, and watching how often the agent escalates versus when it should have. NIST is explicit that measurement is ongoing. You measure before launch to decide whether to ship, and you keep measuring after launch because models, prompts, and data all move.

Manage: acting on risk and keeping watch

Manage is where the framework stops describing and starts deciding. You have governed, mapped, and measured; now you choose what to do about each risk and you commit resources to it. NIST frames Manage as prioritizing risks, treating them, and monitoring continuously, with a clear path to respond and recover when something goes wrong.

Treating a risk does not always mean eliminating it. Sometimes you accept it because the impact is small and the cost of removing it is high. Sometimes you transfer it, for example through a contract or insurance. More often, for AI agents, you mitigate it with a control: you put a human approval in front of the risky action, you restrict what the agent can reach, or you log everything so you can investigate later. Manage is where those controls get assigned, funded, and given an owner.

The continuous-monitoring part is what separates Manage from a one-time launch review. An agent that was safe in March can become risky in June because a connected system changed, a new use case crept in, or the model was updated upstream. The Manage function expects you to watch live behavior, keep your incident response ready, and feed what you learn back into Map and Measure. That feedback loop is the framework working as designed.

The four functions side by side

It helps to see the functions next to each other, including the question each one answers and what it produces. The table below summarizes the loop and gives a concrete example of what each function looks like for an AI agent that updates a CRM and resolves support tickets.

FunctionCore questionOutputExample for an action-taking agent
GovernWho is accountable and what are the rules?Policies, owners, inventory, escalation pathA named owner approves the agent's access to billing data and signs off on go-live
MapWhat is the context and what could go wrong?Intended use, risk inventory, in-scope actionsDocument that the agent can refund up to $50 but anything higher needs a human
MeasureHow does it actually behave?Test results, metrics, red-team findingsTrack fabrication rate, override rate, and prompt-injection resistance each release
ManageWhat do we do and how do we keep watch?Mitigations, monitoring, incident responseRequire approval on refunds, restrict access by role, log every action for review
How the four AI RMF functions apply to an action-taking AI agent.

The Generative AI Profile (NIST-AI-600-1)

In July 2024, NIST published a companion document, the Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile, catalogued as NIST-AI-600-1. It does not replace the AI RMF. It is a profile, meaning it takes the same four functions and adds guidance specific to generative AI: the large language models behind chatbots and agents.

The profile identifies a set of risks that are unique to, or made worse by, generative AI, and it maps suggested actions back to Govern, Map, Measure, and Manage. The risk categories cover ground that anyone running an AI agent will recognize: confabulation (the polite term for confident hallucinations), data privacy and leakage, dangerous or harmful content, the easier production of misinformation, security weaknesses like prompt injection, intellectual-property exposure, and the risk of over-relying on a system that sounds authoritative even when it is wrong.

What makes the profile genuinely useful is that it is operational rather than abstract. For each risk, it lists candidate actions you can borrow into your own program. If you are governing an agent that drafts customer emails or queries your database in natural language, the GenAI Profile reads like a checklist someone already wrote for you. It is the bridge between the general framework and the messy specifics of running language models in production.

A worked example: a support agent that takes action

Walk through how this plays out with a real scenario. A support rep on a Tuesday afternoon asks an AI agent to look up a customer's recent orders, check the refund policy, and process a refund if the order qualifies. That single request touches three systems and one irreversible action, and the AI RMF gives you a way to make it safe instead of scary.

During Map, the team had already written down that refunds are the highest-risk action this agent can take, that the blast radius is real money leaving the company, and that the agent must never refund above a set threshold on its own. During Measure, they tested how often the agent misread a policy and how it behaved when a customer tried to talk it into a refund it should not give. None of this is hypothetical: it is the difference between an agent you trust and one you quietly turn off after the first bad week.

So when the rep makes the request, the agent looks up the orders and the policy, then proposes the refund and pauses for a human to approve it because the amount crosses the threshold mapped earlier. The rep approves with one click. Every step, the lookup, the policy it read, the proposed amount, the approval, and who clicked it, lands in an audit log. That single flow exercises Manage (the approval and the access limits), Measure (the behavior was tested), Govern (someone owns this policy), and Map (the threshold was set on purpose). Platforms like Onpilot are built around exactly this pattern, pairing an agent that can act across your tools with approvals, role-based access, and an audit trail so the governance is part of the workflow rather than bolted on after.

Mapping everyday controls to the framework

The most common question teams ask is which controls satisfy which function. The honest answer is that good controls usually serve more than one function at once, but three controls matter most for AI agents that take action: human approvals, role-based access control, and audit logs. The chart below shows, directionally, how much governance coverage each one tends to add for an action-taking agent.

Relative governance coverage of common agent controls
Human-in-the-loop approvals
90%
Audit logs of every action
85%
Role-based access (least privilege)
80%
Output and content filters
60%
Rate and spend limits
45%

Illustrative, directional estimates of how much risk coverage each control adds for an action-taking AI agent. Figures are for comparison only, not measured benchmarks.

Human-in-the-loop approvals sit squarely in Manage: they are a treatment that catches a risky action before it happens, and they are the single most effective control for irreversible operations like refunds, deletions, or external messages. Role-based access control, granting each agent the least privilege it needs, supports both Govern (it enforces who is allowed to do what) and Manage (it shrinks the blast radius of any single mistake or compromise).

Audit logs are the connective tissue across the whole framework. They feed Measure, because you cannot track override rates or investigate an incident without a record. They support Govern, because accountability is empty if you cannot reconstruct who did what. And they make Manage's incident response possible. If you adopt one habit from this guide, make it logging every action an agent takes in enough detail to answer the question "what exactly happened, and who approved it?"

How a team actually rolls this out, step by step

You do not need a consulting engagement to start applying the AI RMF to a single agent. Here is a sequence a small team can run in a few weeks, moving from light governance to a monitored production deployment.

Applying the AI RMF to one AI agent
  1. 1

    Assign an owner (Govern)

    Name who is accountable and write the basic acceptable-use policy for this agent.

  2. 2

    Map the agent (Map)

    List the systems it touches, the actions it can take, and the worst-case mistake for each.

  3. 3

    Set guardrails (Manage)

    Decide which actions need approval, set least-privilege access, and define spend or rate limits.

  4. 4

    Test before launch (Measure)

    Run evals and red-team for hallucination, bias, and prompt injection against your real use cases.

  5. 5

    Launch with logging (Manage)

    Ship behind approvals with full audit logging so every action is reviewable from day one.

  6. 6

    Monitor and loop (Measure + Manage)

    Watch live behavior, track override rates, and feed surprises back into Map and Measure.

A practical sequence for taking a single action-taking agent from idea to monitored production.

The order matters less than the loop. Some teams map before they assign an owner; some discover during testing that they need a guardrail they never mapped. What you want is for all four functions to be live and feeding each other, rather than treating launch as the finish line.

Common mistakes teams make with the AI RMF

Most failures with the framework are not about misreading NIST's document. They are about treating governance as paperwork instead of practice. A few patterns show up again and again.

  • Treating it as a one-time checklist. The framework is a continuous loop; an agent that passed review in spring can drift by summer when a connected system or the underlying model changes.
  • Doing Govern on paper but not in the product. A policy that says "refunds need approval" means nothing if the agent can still issue them without one, so the control has to live in the workflow, not a wiki.
  • Measuring what is easy instead of what matters. Benchmark scores feel reassuring, but override rates, fabrication rates, and red-team results tell you far more about real-world harm.
  • Skipping Map because the demo worked. Excitement after a good prototype is exactly when teams forget to write down the worst-case failure, which is the cheapest control they had.
  • Giving the agent broad access "to be safe." Over-provisioning is the opposite of safe; least privilege limits the damage when, not if, something goes wrong.
  • No audit trail. If you cannot reconstruct who approved an action and what the agent did, you have no Measure, weak Govern, and an impossible incident response.

When to use the AI RMF, and when to reach for something else

Use the AI RMF when you want a flexible, voluntary structure for managing AI risk across very different systems, especially if you are early in your governance journey and want a common vocabulary your whole organization can adopt. It is particularly strong for teams deploying generative AI agents, because the GenAI Profile fills in the specifics that the core framework leaves general.

Reach for, or add, other frameworks when your situation demands it. If you want a certifiable management system you can be audited against, ISO/IEC 42001 is the AI-specific complement and pairs naturally with the AI RMF's functions. If you operate in the EU or sell there, the EU AI Act imposes legal obligations the voluntary AI RMF cannot satisfy on its own, though the RMF's work products give you a head start on compliance. And if your concern is concrete attack vectors against language models, the OWASP LLM Top 10 is a sharper checklist for the security testing inside your Measure function.

The frameworks are not rivals. The AI RMF is the organizing structure; the others are the specialized tools you slot into it. A practical program often runs the AI RMF as the backbone, uses the GenAI Profile for generative-specific risks, pulls security tests from OWASP, and prepares for ISO 42001 or the EU AI Act where the business requires it.

Think of the AI RMF as the backbone and the other standards as tools you slot into its four functions, not competitors you have to choose between.

Frequently asked questions

What is the NIST AI Risk Management Framework?

+

It is a voluntary framework published by the U.S. National Institute of Standards and Technology in January 2023 to help organizations manage the risks of AI systems. It is organized around four functions, Govern, Map, Measure, and Manage, and it defines what a trustworthy AI system looks like across characteristics such as safety, security, fairness, privacy, and accountability.

What are the four functions of the NIST AI RMF?

+

The four functions are Govern, Map, Measure, and Manage. Govern sets accountability and policy, Map establishes context and identifies risks, Measure tests and tracks how the system behaves, and Manage decides which risks to treat and monitors the system over time. They form a continuous loop rather than a sequence you run once.

Is the NIST AI RMF mandatory or legally required?

+

No. The AI RMF is voluntary and NIST cannot enforce it or certify you against it. Despite that, it is widely adopted because it was built through open consensus and has become a common reference in security questionnaires, board policies, and the foundation for newer rules and standards.

What is the NIST Generative AI Profile (NIST-AI-600-1)?

+

It is a companion document NIST released in July 2024 that adapts the AI RMF specifically for generative AI. It identifies risks that are unique to or worsened by generative AI, such as confabulation, data leakage, and prompt injection, and maps suggested actions back to the four core functions so teams can act on them.

How is the NIST AI RMF different from ISO 42001?

+

The AI RMF is a voluntary framework that gives you flexible guidance and a shared vocabulary, while ISO/IEC 42001 is a certifiable management-system standard you can be formally audited against. They complement each other: many teams use the AI RMF's four functions as the structure and pursue ISO 42001 when they need a credential to show customers or regulators.

How do I apply the NIST AI RMF to an AI agent that takes action?

+

Start by naming an owner and writing a basic policy (Govern), then map the systems the agent touches and the worst-case outcome of each action (Map). Test for hallucination, bias, and prompt injection before launch (Measure), then ship behind human approvals, least-privilege access, and full audit logging while you monitor live behavior (Manage). Approvals, role-based access, and logs are the controls that do the most work for an action-taking agent.

Which governance controls map to the Manage function?

+

Human-in-the-loop approvals, role-based access control, rate and spend limits, and continuous monitoring all sit in the Manage function because they treat identified risks and keep watch over time. Audit logs support Manage too by making incident response and investigation possible, and they also feed the Measure function with the data you need to track behavior.

Does the NIST AI RMF help with EU AI Act compliance?

+

The AI RMF does not satisfy the EU AI Act on its own because the framework is voluntary and the EU AI Act is law. However, the work products you create by following the RMF, such as a risk inventory, testing evidence, and documented controls, give you a strong head start on the documentation and risk-management obligations the EU AI Act requires.

Govern your AI agents from day one

See how Onpilot runs AI agents that take action across your tools with built-in approvals, least-privilege access, and full audit logs, the controls the NIST AI RMF asks for.

Book a demo