The NIST AI Risk Management Framework (AI RMF): Building Trustworthy AI

A U.S. Standards-Based Approach to AI Governance

The National Institute of Standards and Technology (NIST), a U.S. federal agency under the Department of Commerce, plays a key role in setting technology standards that drive innovation and competitiveness. Known for frameworks like the Cybersecurity Framework (CSF), NIST has developed the AI Risk Management Framework (AI RMF) to guide organisations in creating safe, responsible, and trustworthy AI systems.

The AI RMF is a voluntary guideline designed to help organisations manage risks across the AI lifecycle. Developed through collaboration with public agencies, private firms, academics, and international bodies, the AI RMF provides a structured, flexible, and widely applicable approach to AI governance. Its goal is to strengthen public trust in AI while supporting innovation.

Purpose of the AI RMF

The AI RMF helps organisations address three key challenges:

1. Managing Risk – AI carries risks such as bias, security threats, and unintended consequences.

2. Building Trust – Public trust requires transparency, accountability, and ethical compliance.

3. Supporting Innovation – Responsible governance ensures that AI can develop without undermining rights or safety.

Public trust depends on justified assurance that AI respects privacy, civil rights, and civil liberties. The AI RMF promotes governance practices that prioritise fairness, safety, and accountability.

Core Functions of the AI RMF

The framework is built around four core functions: Map, Measure, Manage, and Govern. These functions are designed to be iterative and adaptable to diverse industries.

1. Map

The Map Function identifies risks across the AI lifecycle. It involves:

• Defining system context, intended purpose, and potential impacts.

• Categorising AI systems based on complexity, autonomy, and risk.

• Mapping risks and benefits for all system components, including third-party software and data.

• Assessing impacts on individuals, communities, and society.

2. Measure

The Measure Function establishes metrics to assess AI risks and vulnerabilities. It includes:

• Performance metrics (accuracy, precision, recall).

• Fairness indicators (bias detection).

• Security assessments (resilience to attacks).

• Monitoring external inputs and third-party tools.

3. Manage

The Manage Function develops mitigation strategies and continuous monitoring processes. It involves:

• Bias mitigation techniques.

• Ethical compliance and risk-balancing measures.

• Incident response and risk treatment plans.

• Integration of testing, evaluation, verification, and validation (TEVV).

4. Govern

The Govern Function embeds AI risk management into organisational governance structures. It focuses on:

• Policies, processes, and accountability.

• Transparency and stakeholder engagement.

• Workforce diversity, equity, and inclusion.

• Third-party and supply chain risk management.

Characteristics of Trustworthy AI

The AI RMF identifies seven characteristics of trustworthy AI:

1. Explainable and interpretable.

2. Accountable and transparent.

3. Fair, with harmful bias managed.

4. Safe.

5. Secure and resilient.

6. Privacy-enhanced.

7. Valid and reliable.

These principles ensure that AI systems not only perform well but also align with ethical and societal expectations.

Use Cases of the AI RMF

The AI RMF can be applied across industries:

• Autonomous Vehicles – traffic sign recognition and safety assurance.

• Healthcare – evaluating fairness and interpretability in clinical AI systems.

• Cybersecurity – fairness and privacy in biometric authentication.

• Financial Services – transparency in credit scoring and lending.

• Supply Chains – monitoring third-party dependencies for risk.

It has already been adopted by organisations such as the U.S. Department of State and Workday, demonstrating its broad applicability.

The AI RMF Playbook and Roadmap

NIST supports the framework with the AI RMF Playbook, offering:

• Templates and tools for integration.

• Guidance for aligning risk tolerance with organisational goals.

The AI RMF Roadmap outlines priorities for continuous improvement, including:

• Alignment with international standards.

• Expanding testing and evaluation.

• Developing sector-specific profiles.

• Enhancing trustworthiness guidance.

Why NIST AI RMF Matters

The NIST AI RMF provides a comprehensive, standards-based approach to managing AI risks. By combining Map, Measure, Manage, and Govern functions with principles of trustworthiness, it ensures that AI systems are safe, fair, accountable, and resilient.

Key Takeaways

• Trustworthy AI requires transparency, accountability, and fairness.

• Interpretable systems build confidence and usability.

• Safety and resilience come from proactive risk management.

With its global relevance and standards-based design, the AI RMF equips organisations to deploy AI responsibly, earning public trust while enabling innovation.