AI Compliance Atlas

Structured, continuously verified reference for US AI compliance — federal frameworks, state laws, and the obligations that connect them.

© 2026 AI Compliance Atlas. Informational only — not legal advice. Consult qualified counsel before making compliance decisions. Verified Jun 9, 2026
voluntary · U.S. National Institute of Standards and Technology · v1.0

NIST AI Risk Management Framework (AI RMF 1.0)

Framework reference — controls, obligations, and mapping to US state AI laws.

Last verified April 30, 2026

  • Type: voluntary
  • Version: v1.0
  • Released: January 26, 2023
  • Certifiable: No

Overview

The NIST Artificial Intelligence Risk Management Framework (AI RMF 1.0) is a voluntary framework released by the U.S. National Institute of Standards and Technology on January 26, 2023, intended to help organizations design, develop, deploy, and use AI systems in a manner that manages risks to individuals, organizations, and society.

The framework is built around four core functions:

  • GOVERN — establish a culture of risk management with policies, processes, accountability structures, and oversight
  • MAP — identify the context, intended uses, stakeholders, and risks of an AI system
  • MEASURE — assess, analyze, and track AI risks and impacts using qualitative and quantitative methods
  • MANAGE — allocate risk resources and treat identified risks based on assessed impact

NIST also released the Generative AI Profile (NIST AI 600-1) in July 2024, which provides specific guidance for the unique risks of generative AI systems, including confabulation, harmful biases, intellectual property issues, and value chain risks.

The framework PDF is paired with the NIST AI RMF Playbook, an interactive companion resource hosted on the NIST AI Resource Center (AIRC) that supplies *suggested actions*, transparency-and-documentation prompts, and references for each subcategory across all four functions. The Playbook is not distributed as a PDF — it is maintained as a living web resource and is updated independently of the framework PDF itself.

While the RMF itself is non-binding, it is widely referenced in U.S. state AI laws, federal procurement requirements, and emerging international AI policy. It is not directly certifiable — there is no "NIST AI RMF certification" issued by NIST itself. ISO/IEC 42001 provides a complementary certifiable management-system standard for organizations that need an accredited certificate.

Governance operating model

For teams turning the GOVERN function into decision rights, committees, lifecycle gates, and escalation paths, pair this framework reference with the AI governance guide.

Core controls & obligations

Specific controls and obligations from NIST AI RMF, with section references where available.

  • Governance · Role: both · GOVERN 1-6

    GOVERN function: establish policies, processes, structures, and accountability for AI risk management across the organization, including senior leadership oversight and a risk-based culture.

  • Risk assessment · Role: both · MAP 1-5

    MAP function: identify the context, intended uses, stakeholders, and risks of each AI system, including categorization of impacts on individuals, communities, and the organization.

  • Risk assessment · Role: both · MEASURE 1-4

    MEASURE function: assess, analyze, and monitor AI risks using both quantitative and qualitative methods, including bias evaluation, robustness testing, and explainability assessments.

  • Governance · Role: both · MANAGE 1-4

    MANAGE function: prioritize and treat identified risks, allocate resources, and implement risk response strategies including mitigation, transfer, acceptance, or avoidance.

Mapped to US state laws

Common controls in NIST AI RMF that satisfy or overlap with US state AI law obligations. Mapping strength indicates how closely the framework control corresponds to the statutory requirement.

  • Transparency in Frontier Artificial Intelligence Act (TFAIA): strong mapping
  • California AI Transparency Act: weak mapping
  • Colorado Artificial Intelligence Act: strong mapping
  • Illinois HB 3773 (AI in Employment Decisions): partial mapping
  • NYC Local Law 144 (Automated Employment Decision Tools): partial mapping
  • Texas Responsible Artificial Intelligence Governance Act (TRAIGA): partial mapping

Sources

  • Official: www.nist.gov