NIST AI Risk Management Framework Guide
Published by NIST in January 2023, the AI RMF (NIST AI 100-1) provides a structured approach to identifying, assessing, and managing AI risks. It is voluntary but increasingly treated as the baseline for responsible AI governance in the US.
Referenced by US regulators; adopted by federal agencies, financial institutions, and healthcare organizations, with adoption rising among regulated US enterprises.
Four functions of AI risk management
The framework organizes AI risk management into four interconnected functions. Govern is cross-cutting and underpins the other three; Map, Measure, and Manage are usually applied in that order, but NIST presents them as iterative activities rather than a one-time checklist.
Govern wraps the other three functions as the cross-cutting layer.
GOVERN
Policies, roles, and accountability. The cross-cutting function. Establish AI risk management policies, define roles and responsibilities, create accountability structures, and cultivate an organizational culture that prioritizes responsible AI use. Govern applies to and informs all other functions.
Generative AI Profile
NIST released a companion profile specifically addressing risks unique to generative AI systems.
The Generative AI Profile (NIST AI 600-1), published in July 2024, extends the AI RMF to address risks specific to large language models and generative AI. It identifies 12 risks that are unique to, or exacerbated by, generative AI and maps suggested actions for each to the four core functions. If your organization uses tools like ChatGPT, Copilot, or any LLM-based system, this profile is directly relevant.
Key risk areas covered:
- Hallucination and confabulation
- Data privacy and training data exposure
- CBRN information generation risks
- Environmental and computational costs
- Intellectual property and copyright concerns
- Homogenization of outputs and reduced diversity
- Information integrity and manipulation
Operationalize each function
Clarier provides the tooling and analyst support to implement each NIST AI RMF function.
GOVERN
AI Policies & Approval Workflows
Define and enforce governance policies. Route AI adoption decisions through structured workflows with appropriate approvers.
Dedicated Analyst Support
Work with a Clarier analyst to establish governance structures, define risk thresholds, and build accountability into your AI program.
MAP
AI Inventory & Shadow AI Discovery
Build a complete map of AI systems in use, including tools adopted without formal approval. Discovery runs across identity providers, network gateways, endpoint agents, and DLP.
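The discovery step described above, as an added example that is not Clarier's code: proxy log lines and IdP OAuth consent events are correlated against an approved AI inventory, so that traffic to a vendor nobody approved, or use of an approved vendor by a business unit that was never licensed, surfaces with the users, evidence sources, egress volume and data-access scopes involved. The vendor domain catalogue, log format, user-to-unit mapping and the three status labels are assumptions constructed for illustration.

```python
"""Shadow AI discovery from proxy logs and IdP OAuth consents (added example)."""
import re

# Hypothetical catalogue of AI SaaS domains -> vendor (constructed for this example).
AI_VENDOR_DOMAINS = {
    "openai.com": "OpenAI",
    "anthropic.com": "Anthropic",
    "claude.ai": "Anthropic",
    "gemini.google.com": "Google Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Approved inventory (hypothetical): vendor -> business units licensed to use it.
APPROVED = {
    "OpenAI": {"engineering"},
    "Microsoft Copilot": {"engineering", "finance"},
}

# Identity context from the IdP (constructed): user -> business unit.
USER_UNIT = {
    "alice@corp.example": "engineering",
    "bob@corp.example": "legal",
    "carol@corp.example": "marketing",
    "dave@corp.example": "finance",
    "erin@corp.example": "hr",
}

# OAuth scope families that let a third-party AI app read corporate data.
SENSITIVE_SCOPE_PREFIXES = ("mail.", "files.", "drive.")

# Constructed proxy log lines: "<timestamp> <user> <destination host> <bytes sent>".
PROXY_LOG = """\
2024-09-03T09:12:01Z alice@corp.example api.openai.com 18234
2024-09-03T09:13:44Z bob@corp.example claude.ai 5021
2024-09-03T09:15:02Z carol@corp.example gemini.google.com 77210
2024-09-03T09:16:30Z alice@corp.example github.com 900
2024-09-03T09:18:11Z dave@corp.example copilot.microsoft.com 4400
2024-09-03T09:20:47Z bob@corp.example api.openai.com 300
"""

# Constructed IdP OAuth consent events (a user granting an app access to their data).
OAUTH_CONSENTS = [
    {"user": "bob@corp.example", "vendor": "Anthropic", "scopes": ["files.read", "mail.read"]},
    {"user": "erin@corp.example", "vendor": "Google Gemini", "scopes": ["drive.readonly"]},
    {"user": "carol@corp.example", "vendor": "Slack", "scopes": ["chat.write"]},  # not an AI vendor
]

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<host>[\w.-]+) (?P<bytes>\d+)$")


def vendor_for_host(host):
    """Map a destination host to an AI vendor by exact or parent-domain match."""
    labels = host.lower().split(".")
    for i in range(len(labels)):
        vendor = AI_VENDOR_DOMAINS.get(".".join(labels[i:]))
        if vendor:
            return vendor
    return None


def proxy_events(log_text):
    """Parse proxy lines and keep only traffic to known AI vendors."""
    events = []
    for line in log_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than abort the sweep
        vendor = vendor_for_host(m["host"])
        if vendor:
            events.append({"user": m["user"], "vendor": vendor, "source": "proxy",
                           "bytes": int(m["bytes"]), "scopes": []})
    return events


def idp_events(consents):
    """Keep OAuth consents granted to known AI vendors."""
    known = set(AI_VENDOR_DOMAINS.values())
    return [{"user": c["user"], "vendor": c["vendor"], "source": "idp",
             "bytes": 0, "scopes": list(c["scopes"])}
            for c in consents if c["vendor"] in known]


def discover(events):
    """Correlate events per vendor and classify against the approved inventory."""
    findings = {}
    for e in events:
        f = findings.setdefault(e["vendor"], {"status": "approved", "users": set(),
                                              "sources": set(), "egress_bytes": 0,
                                              "sensitive_scopes": set()})
        f["users"].add(e["user"])
        f["sources"].add(e["source"])
        f["egress_bytes"] += e["bytes"]
        f["sensitive_scopes"].update(s for s in e["scopes"] if s.startswith(SENSITIVE_SCOPE_PREFIXES))
        licensed = APPROVED.get(e["vendor"])
        if licensed is None:
            f["status"] = "shadow"          # vendor absent from the inventory entirely
        elif USER_UNIT.get(e["user"]) not in licensed:
            f["status"] = "out_of_scope"    # approved vendor, unlicensed business unit
    # Freeze sets into sorted lists so the report is deterministic.
    return {v: {**f, "users": sorted(f["users"]), "sources": sorted(f["sources"]),
                "sensitive_scopes": sorted(f["sensitive_scopes"])}
            for v, f in findings.items()}


def run_discovery():
    return discover(proxy_events(PROXY_LOG) + idp_events(OAUTH_CONSENTS))


if __name__ == "__main__":
    for vendor, f in sorted(run_discovery().items()):
        print(f"{vendor:18} {f['status']:13} users={len(f['users'])} "
              f"sources={','.join(f['sources'])} egress={f['egress_bytes']}B "
              f"sensitive_scopes={f['sensitive_scopes']}")
```

Two details matter in practice: the parent-domain match is what catches `api.openai.com` against an `openai.com` catalogue entry without enumerating every subdomain, and the IdP consent events are the only signal that tells you an AI app has been granted mailbox or file-store access, which egress byte counts alone never reveal.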
Vendor Research Reports
Automated assessments of AI vendors covering data handling, model transparency, security posture, and regulatory compliance. Context for every system in your inventory.
MEASURE
Risk Scoring & Usage Analytics
Quantified risk scores for every AI tool based on vendor practices, data sensitivity, deployment context, and compliance alignment. Usage data to track adoption and exposure.
Maturity Assessment
Measure your AI program maturity across visibility, oversight, and control. Track progress over time against a structured framework.
MANAGE
Remediation Workflows & Executive Reporting
Act on identified risks with structured remediation. Report risk posture and program status to leadership with board-ready materials.
Continuous Monitoring
Ongoing shadow AI detection, vendor change alerts, and usage trend tracking. Risk management is not a one-time exercise.