The NIST AI Risk Management Framework (AI RMF) is the US National Institute of Standards and Technology's voluntary framework for managing risks across the AI lifecycle. Released as version 1.0 in January 2023, with the Generative AI Profile added in 2024 and ongoing updates through 2026, it has become the most widely cited US AI governance reference and is increasingly written into federal and enterprise procurement contracts.
The framework is organised around four core functions, each broken down into categories and sub-categories of practices:
- GOVERN — establishing organisational AI risk management policies, processes, accountability and culture.
- MAP — understanding the context, intended use, stakeholders and risks of an AI system.
- MEASURE — assessing and analysing identified risks with quantitative and qualitative methods.
- MANAGE — prioritising and acting on risks, including monitoring, incident response and decommissioning.
The 2024 Generative AI Profile adds guidance specific to LLMs, image models and other generative systems, covering risk categories such as:
- Confabulation (hallucination) management
- Dangerous capability evaluation
- Data privacy and provenance
- Environmental impact
- Human-AI configuration
- Information integrity
- Intellectual property
- Toxicity, bias and harmful content
Why NIST AI RMF matters in 2026:
- Federal procurement — increasingly required or recommended in federal contracts; the de facto baseline for selling AI to the US government.
- State and enterprise alignment — California, Colorado, New York and many enterprise procurement contracts now reference the framework directly.
- Maps to international frameworks — designed to be compatible with ISO/IEC 42001, the EU AI Act, OECD AI Principles, and the Bletchley Declaration follow-on processes.
- Voluntary but practical — unlike the EU AI Act it carries no fines for non-compliance, but the documentation and process discipline it requires have become the practical standard for serious AI governance.
The NIST AI RMF complements but does not replace specific legal obligations. Where the EU AI Act says "you must do X for high-risk systems", NIST AI RMF says "here is how a serious organisation systematically manages AI risk across its lifecycle". The two are designed to work together — many US companies use NIST AI RMF as their internal framework and demonstrate EU AI Act compliance by mapping their NIST-aligned practices to the Act's specific requirements.
The companion documents that show up in 2026 governance work:
- NIST AI 600-1 — the Generative AI Profile.
- NIST SP 800-218A — secure software development practices for AI.
- NIST AI 100-2 — adversarial machine learning taxonomy.
- AISIC — the AI Safety Institute Consortium hosted by NIST; produces evaluation methodologies.
- OMB M-24-10 and successors — federal guidance on AI use in US government, leaning on NIST AI RMF.
For a US team building AI products in 2026, NIST AI RMF is the right starting point for internal AI governance even if you have no specific legal trigger. The discipline of documenting intended use, mapping risks, measuring against them and managing the lifecycle scales from a small team to a Fortune 500 company. Adopting it early is much cheaper than retrofitting it under regulatory pressure.