NIST AI Risk Management Framework (AI RMF)
Note: this explainer is informational and framework references are never a compliance guarantee — align your program with your legal counsel.
The NIST AI Risk Management Framework (AI RMF 1.0) was released by the U.S. National Institute of Standards and Technology on 26 January 2023. It is a voluntary, rights-preserving, sector-agnostic framework to help organisations manage the risks of AI and promote trustworthy, responsible use. Official resource: NIST — AI Risk Management Framework; framework text (PDF): NIST AI 100-1.
Who it applies to
The AI RMF is designed for any organisation that designs, develops, deploys, or uses AI systems. It is voluntary — there is no certification — but it is widely used as the shared vocabulary for AI risk, and it crosswalks to other frameworks including the EU AI Act and ISO/IEC 42001.
The four functions
The framework organises AI risk work into four functions:
- Govern — establish organisational accountability, policies, and oversight for AI risk (a culture, not a one-off).
- Map — establish the context and identify the risks of a specific AI system or use.
- Measure — analyse and track those risks with qualitative and quantitative methods.
- Manage — allocate resources to treat risks, document residual risk, and respond to incidents.
Govern, Map, and Manage all assume you can see and control how AI is actually used — which is where an operating layer helps.
How Shield maps to it
Shield supplies operational inputs to several functions:
- Govern / Manage — enforceable policies and enforcement modes and role-based control turn oversight into applied rules.
- Map — Discovery establishes the real context: which AI tools are in use, by whom.
- Measure / Manage — the audit log tracks AI usage over time and gives an exportable record for incident response.
Applying the ISO 42001 / NIST bundle from the preset library turns these into framework-labelled policies in minutes.
Was this article helpful?
Related articles
Apply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleISO/IEC 42001 — AI management system
ISO/IEC 42001 is the world's first AI management system standard. What an AIMS requires, who it is for, and how Shield contributes operational controls toward it.
Read articleDIFC Regulation 10 — AI & autonomous systems
DIFC Regulation 10 governs personal data processed through autonomous and semi-autonomous systems. Who counts as Deployer and Operator, the core duties, and how Shield helps you meet them.
Read articleEU AI Act Article 26 — Deployer obligations
Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.
Read articleStill stuck?
Send us the details — we answer within one business day.