Compliance brief / framework

NIST AI RMF. The voluntary baseline state laws point to.

The US government's free, voluntary playbook for managing AI risk. Govern, Map, Measure, Manage. The Colorado AI Act and several other state laws recognize it as a safe harbor that earns a rebuttable presumption of reasonable care. Here's what's inside it and how to actually run it.

On this page

  01 What NIST AI RMF is
  02 The four core functions
  03 Profiles and the Gen AI Profile
  04 Where it fits in 2026
  05 How to actually use it
  06 How Northbeams maps to this
  07 FAQ

01 / What NIST AI RMF is

A free playbook from the US government.

The NIST AI Risk Management Framework, formally published as NIST AI 100-1, is the US government's voluntary guidance for managing AI risk. It came out of a Congressional mandate and was released in January 2023. The accompanying NIST AI RMF Playbook gives concrete implementation guidance keyed to each function and category in the framework.

NIST does not certify companies against the framework. There is no "NIST AI RMF certificate" to display on a sales deck. What you get is a structured, government-respected playbook that you adopt internally and self-attest to.

The framework is technology-neutral and risk-oriented. It does not prescribe specific controls or tools; it defines outcomes and asks you to choose the controls that achieve them in your context.

02 / The four core functions

Govern. Map. Measure. Manage.

The framework is built on four functions that run in parallel, not strictly in sequence. Each function has categories and subcategories that decompose into practical actions.

Govern.

Organizational policies, leadership accountability, roles, culture, and the resourcing that lets the rest of the framework run. Most of the "boring" management-system mechanics live here. Done well, Govern is what keeps the other three functions from going dormant.

Map.

The context, categorization, and stakeholder analysis for each AI use. What is the system supposed to do, what data does it use, who is affected, and what risks does it carry? Map is the function most companies under-invest in. Without a current map, Measure and Manage cannot be honest.

Measure.

Quantitative and qualitative analysis of AI risks. Performance metrics, fairness testing, security testing, robustness testing, monitoring telemetry. Measure is where the framework asks you to actually look, not just assert.

Manage.

Prioritized response, treatment, and ongoing oversight. Decide which risks to accept, mitigate, transfer, or avoid. Run the controls. Monitor for new risks. Iterate.

The four functions interlock. Govern enables the rest. Map informs Measure. Measure feeds Manage. Manage feeds back into Govern through management review. The flow is continuous, not a one-time gate.

03 / Profiles and the Gen AI Profile

Tailor the framework to your AI uses.

NIST AI RMF defines "profiles" as tailored applications of the framework to specific use cases, sectors, technologies, or risk surfaces. A profile names which categories and subcategories apply, the priorities for the operator, and the implementation guidance most relevant.

The most-cited profile is the Generative AI Profile (NIST-AI-600-1), published in July 2024. It extends the four core functions with 12 generative-AI-specific risks: confabulations, dangerous or harmful content, data privacy issues, environmental impact, harmful bias and homogenization, intellectual property issues, obscene or violent content, information integrity (deepfakes), information security, system value chain, and others.

If your company uses generative AI in any meaningful way (most companies do), the Gen AI Profile is the practical document to read alongside the core framework.

04 / Where it fits in 2026

Safe harbor for state law. Foundation for ISO 42001.

NIST AI RMF plays three roles in 2026.

  1. Safe harbor for state AI laws. The Colorado AI Act explicitly names "nationally or internationally recognized risk management frameworks" as the basis for the rebuttable presumption of reasonable care. NIST AI RMF qualifies. So does ISO/IEC 42001. So does an internal framework that is built on either.
  2. Operational layer beneath ISO 42001. Many companies operate the day-to-day work using the NIST AI RMF Playbook (free, US-government-published, easy to share internally) and wrap an ISO 42001 management system around it for procurement-grade certification.
  3. Federal procurement floor. US federal agencies and their contractors increasingly require NIST AI RMF alignment. The framework is the lingua franca of federal AI governance.

If you sell into the federal government, NIST AI RMF is non-optional. If you sell into Fortune 500 enterprise procurement, ISO 42001 is increasingly non-optional. Most companies eventually run both.

05 / How to actually use it

Five steps from "we should look at this" to "the auditor accepts it".

  1. Read the framework and the Playbook once, end to end. Both are short. Free. The Playbook is keyed to the framework section by section.
  2. Inventory the AI you actually use. Map cannot run without an inventory, and most companies' inventories are wrong. Get a real one.
  3. Pick the profile that fits. Generative AI Profile for almost everyone in 2026. Add sector-specific profiles where they exist.
  4. Write the policy and run the controls. Use the framework's categories and subcategories as the table of contents. Your policy does not need to be long; it needs to map cleanly to the framework.
  5. Self-attest and keep the evidence. NIST does not audit you. Your customers, regulators, and insurers will.

06 / How Northbeams maps to this

Inventory, classification, signed evidence.

NIST AI RMF assumes you can name your AI uses, track who uses what, and produce evidence that controls actually run. Most companies cannot. Northbeams answers all three across browser, desktop, and CLI.

Map

Continuous AI inventory across browser, desktop, and CLI.

Every AI tool your team uses appears in the dashboard, dated and categorized. The map function has a current source of truth, not a quarterly survey.

Measure

Per-prompt risk categorization on-device.

The classifier runs in the browser. Original prompt content never leaves the user's machine. You see categories (credentials, PII, source code, customer data) without ever capturing the underlying text.

Manage

Per-tool policy: sanctioned, sandboxed, or blocked.

State changes are timestamped and signed. The manage function has a control plane.

Govern

Quarterly executive risk-audit report.

Tool sprawl trend, incident count by severity, policy-change history. Board-ready PDF for the management review meeting.

If you're running NIST AI RMF and your auditor needs a defensible inventory and a signed log, Sentinel is the tier you'd buy. See the audit-ready evidence pack →

07 / FAQ

Common questions about NIST AI RMF.

What is the NIST AI Risk Management Framework?
The NIST AI Risk Management Framework (NIST AI 100-1) is a voluntary playbook published by the US National Institute of Standards and Technology in January 2023. It defines four core functions for managing AI risks (Govern, Map, Measure, Manage) and provides a companion Playbook with practical implementation guidance. A separate Generative AI Profile (NIST-AI-600-1) was added in July 2024.
Is the NIST AI RMF mandatory?
No. The framework is voluntary. The reason it shows up everywhere is that several state AI laws, including the Colorado AI Act, recognize it as a safe-harbor framework. Following NIST AI RMF earns a rebuttable presumption of reasonable care under those laws.
How does NIST AI RMF differ from ISO/IEC 42001?
NIST AI RMF is voluntary, free, US-government-published, and process-oriented. ISO/IEC 42001 is voluntary, paid, internationally published, and certifiable. Many companies operate under both: NIST AI RMF as the operational playbook and ISO 42001 as the certifiable management system that satisfies enterprise procurement.
What are the four functions in NIST AI RMF?
Govern: organizational policies, accountability, and culture for AI risk. Map: context and categorization of AI uses, risks, and stakeholders. Measure: quantitative and qualitative analysis of AI risks. Manage: prioritized response, treatment, and ongoing monitoring.
What is the Generative AI Profile?
NIST-AI-600-1, published July 2024, is a companion document to the AI RMF that adds 12 risks specific to generative AI (confabulations, harmful outputs, intellectual property issues, environmental impact, privacy, and others) and the actions an organization can take to manage each. It does not replace the four core functions; it extends them for generative use cases.
Can I use NIST AI RMF as a company under 50 people?
Yes. The framework is scale-neutral. Smaller companies adopt a subset of the practices appropriate to their risk and size. The NIST AI RMF Playbook explicitly supports tailored implementations.

Defensible NIST AI RMF evidence. By Friday.

Free to discover. Pay to control. Sentinel ships the audit-ready evidence pack with one-click export. Pre-mapped to Govern, Map, Measure, and Manage.