Back to course overview
Module 2Standards & regulation 13 min

NIST AI RMF

The voluntary framework that structures most AI governance programs: the four functions of the NIST AI Risk Management Framework and how to use it as your operating model.

You have a risk map; now you need a system for managing what's on it. The most widely-adopted structure is the NIST AI Risk Management Framework (AI RMF) — voluntary, non-regulatory, and influential precisely because it's practical and framework-agnostic. It won't tell you what's legal (that's Module 2's next lesson); it tells you how to organize the work of managing AI risk. Most mature programs use it as their backbone.

The four functions

The AI RMF organizes governance into four functions that operate continuously — think of them as the verbs of a governance program:

  • Govern — the cross-cutting culture and structure: policies, roles and accountability, risk tolerance, oversight. Govern is the center; it makes the other three actually happen. Without it, Map/Measure/Manage are one-off exercises that decay. This is where 'who owns AI risk?' gets answered.
  • Map — establish context and identify risks: what is this system, who does it affect, what could go wrong? Your Module 1 impact assessment and risk map are the Map function. You can't manage what you haven't mapped.
  • Measure — analyze, assess, and track the identified risks with metrics and testing: evals, bias testing, red-teaming, monitoring. This is where the technical courses' work becomes governance evidence — the eval suite and red-team results are Measure, made auditable.
  • Manage — act on the measured risks: prioritize, treat (mitigate, transfer, avoid, accept), respond to incidents, and allocate resources. Deciding a high-risk system needs human oversight, or that a use case is unacceptable, is Manage.

Using it as an operating model

The functions aren't a linear checklist; they're a continuous loop wrapped in Govern — you Map a system, Measure its risks, Manage them, and keep re-Mapping as it changes. Notice the resonance with the LLMOps loop (evaluate→deploy→observe→improve): the AI RMF is that same loop elevated from one feature to the whole organization. A governance leader's job is to make sure every AI system on the risk map is somewhere in this loop, with a named owner, rather than shipped and forgotten.

  • Proportionality is built in. The RMF explicitly expects more rigor for higher-risk systems — your Module 1 tiers decide how much Map/Measure/Manage each system gets. Low-tier tools get a light touch; critical ones get the full loop.
  • It pairs with a management system. Where the AI RMF is the practice, ISO/IEC 42001 is the certifiable management system standard (like ISO 27001 for security) that organizations adopt to formalize and audit their AI governance. Know it exists; larger organizations pursue it for assurance.
  • It's a common language. Adopting the RMF's vocabulary lets your program communicate with auditors, partners, and regulators who also speak it. Shared frameworks reduce friction.
Framework, not bureaucracy

The failure mode is treating the RMF as paperwork — binders that describe governance nobody practices. Used well, it's the opposite: a lightweight operating model that ensures nothing high-risk ships un-Mapped, un-Measured, or un-Managed. Judge your program by whether the loop actually turns on real systems, not by the thickness of the documentation.