April 10, 2026

Mapping NIST AI RMF Functions to U.S. State AI Laws

The NIST AI Risk Management Framework is voluntary at the federal level, but adopting it materially supports compliance with most U.S. state AI laws. This post walks through how each of the four core functions — GOVERN, MAP, MEASURE, MANAGE — aligns with specific state-law obligations.

GOVERN

GOVERN establishes a culture of risk management with policies, oversight, and accountability. It maps to:

  • Colorado AI Act § 6-1-1703(1): deployer's duty to use reasonable care to protect consumers from algorithmic discrimination — establishing GOVERN structures evidences reasonable care
  • California SB 53 frontier AI safety framework requirement: explicit alignment; the Act's safety framework concept overlaps with GOVERN expectations
  • Texas TRAIGA: the Act's prohibitions imply governance structures to prevent AI from being deployed for unlawful discrimination

Practical implementation: AI governance committee, written AI use policies, board-level reporting, incident response plan.

MAP

MAP characterizes the context, intended uses, stakeholders, and risks of each AI system. This is the closest direct map to impact-assessment requirements:

  • Colorado AI Act § 6-1-1703(3): impact-assessment contents (purpose, intended outputs, performance, transparency, monitoring, discrimination risk) closely parallel MAP outputs
  • NYC LL 144 bias audit: the audit's scope and methodology overlap with MAP categorization activities
  • Illinois HB 3773: the disparate-impact analysis required to assess compliance with the IHRA amendment uses MAP-style categorization

Practical implementation: impact-assessment workflow, system datasheet, stakeholder analysis, intended-use documentation. Use the Impact Assessment Generator.

MEASURE

MEASURE assesses, analyzes, and tracks AI risks using qualitative and quantitative methods. It maps to:

  • NYC LL 144 § 20-871: the bias audit explicitly requires selection-rate and impact-ratio measurement — quantitative MEASURE 2.11 territory
  • Colorado AI Act: the impact assessment's bias-testing component is MEASURE-aligned
  • California SB 942 latent disclosure / detection tool: technical-performance measurement of the detection mechanism
  • California SB 53 transparency report: pre-deployment performance and safety measurement

Practical implementation: bias-testing methodology, drift monitoring, performance metrics dashboards, red-team testing.
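
The selection-rate and impact-ratio measurement named in the NYC LL 144 bullet above, sketched as an added example (not part of the original post or of any statute's text). It assumes the impact ratio is a category's selection rate divided by the rate of the most-selected category; the sample records, the KEYS helper and the min_share cutoff are constructed for illustration.

```python
from collections import Counter

# Constructed sample: (sex, race_ethnicity, selected) per applicant. Not real audit data.
SAMPLE = (
    [("F", "Hispanic", True)] * 12 + [("F", "Hispanic", False)] * 28
    + [("F", "White", True)] * 30 + [("F", "White", False)] * 30
    + [("M", "Hispanic", True)] * 18 + [("M", "Hispanic", False)] * 22
    + [("M", "White", True)] * 36 + [("M", "White", False)] * 24
    + [("M", "Asian", True)] * 1 + [("M", "Asian", False)] * 2
)

# Hypothetical category extractors: single-attribute and intersectional views.
KEYS = {
    "sex": lambda rec: rec[0],
    "race_ethnicity": lambda rec: rec[1],
    "intersectional": lambda rec: (rec[0], rec[1]),
}

def impact_ratios(records, key, min_share=0.02):
    """Selection rate and impact ratio per category.

    Assumed definition: impact ratio = category selection rate divided by
    the selection rate of the most-selected category. Categories below
    min_share of the data (hypothetical cutoff) are still reported, but
    get no ratio and cannot set the reference rate, so a handful of
    records cannot become the baseline.
    """
    total, chosen = Counter(), Counter()
    for rec in records:
        cat = key(rec)
        total[cat] += 1
        chosen[cat] += rec[2]          # True counts as 1
    n = sum(total.values())
    rates = {c: chosen[c] / total[c] for c in total}
    small = {c for c in total if total[c] / n < min_share}
    reference = max((r for c, r in rates.items() if c not in small), default=0.0)
    out = {}
    for c in sorted(total):
        usable = c not in small and reference > 0
        out[c] = {
            "n": total[c],
            "selection_rate": round(rates[c], 3),
            "impact_ratio": round(rates[c] / reference, 3) if usable else None,
            "small_sample": c in small,
        }
    return out

if __name__ == "__main__":
    for name, key in KEYS.items():
        print(name)
        for cat, row in impact_ratios(SAMPLE, key).items():
            print("  ", cat, row)
```

Running the same records through all three views shows why the intersectional cut matters: a category can look acceptable by sex or by race/ethnicity alone and still have the lowest ratio when both are combined.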

MANAGE

MANAGE prioritizes and treats identified risks. It maps to:

  • Colorado AI Act AG notification on identified discrimination: explicit MANAGE step — when discrimination is identified, response is required
  • California SB 53 critical-incident reporting: MANAGE 4 incident-response control
  • Most state-law cure periods (Texas 30 days, etc.): structured remediation under time pressure is MANAGE territory

Practical implementation: risk register with treatment plans, incident-response runbooks, remediation tracking, lessons-learned process.

Putting it together

A defensible position for a multi-state deployer: adopt NIST AI RMF as your control baseline, document each system's obligations under each applicable state law, and maintain evidence of GOVERN-MAP-MEASURE-MANAGE artefacts proportional to system risk.

The framework × law mappings page shows the matrix as data: which RMF function aligns with which law section.
