A practitioner's implementation guide for the NIST AI Risk Management Framework (AI RMF 1.0).
The official NIST AI RMF documentation is comprehensive but abstract. This guide translates the framework into concrete actions, checklists, code examples, and templates that engineering and governance teams can use directly.
This guide is maintained by an AI governance practitioner, not NIST. It reflects a practitioner's interpretation of the framework. Always refer to the official NIST AI RMF documentation for authoritative guidance.
The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) is a voluntary framework for managing risks across the AI system lifecycle. It is organized around four core functions:
┌─────────────┐ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ GOVERN │ ──► │ MAP │ ──► │ MEASURE │ ──► │ MANAGE │
│ │ │ │ │ │ │ │
│ Policies, │ │ Categorize │ │ Evaluate & │ │ Prioritize │
│ culture, │ │ & contextu- │ │ analyze │ │ & respond │
│ roles │ │ alize risks │ │ risks │ │ to risks │
└─────────────┘ └─────────────┘ └─────────────┘ └─────────────┘
| Section | What You Will Find |
|---|---|
| 01 - Govern | Policies, organizational culture, roles, accountability structures |
| 02 - Map | Risk categorization, context setting, stakeholder identification |
| 03 - Measure | Risk analysis methods, evaluation metrics, testing approaches |
| 04 - Manage | Risk response, prioritization, residual risk acceptance |
| Templates | Ready-to-use document templates for each function |
| Examples | Industry-specific implementation examples (healthcare, finance, insurance) |
| Tools | Scripts and utilities for automated governance checks |
| EU AI Act Mapping | Cross-reference between NIST AI RMF and EU AI Act requirements |
| ISO 42001 Mapping | Cross-reference with ISO/IEC 42001 AI management system standard |
- Read 01 - Govern — establish who owns AI governance
- Complete the Model Inventory Template
- Run through 02 - Map for your highest-risk AI system
- Use the Risk Assessment Template
- Start with 02 - Map to categorize your current systems
- Apply the Risk Taxonomy to identify gaps
- Use 03 - Measure to evaluate your current controls
- Prioritize gaps using the Risk Register Template
- Review the EU AI Act Mapping if EU-facing
- Check the ISO 42001 Mapping for certification readiness
- Use the Governance Checklist for a gap assessment
The NIST AI RMF is built around seven characteristics that trustworthy AI systems should exhibit. This guide provides practical implementation guidance for each:
| Characteristic | Description | Key Practices |
|---|---|---|
| Accountable | Clear responsibility for AI system outcomes | Roles & responsibilities, audit trails, model inventory |
| Explainable | AI decisions can be understood and communicated | Explainability reports, model cards, documentation |
| Interpretable | Meaning of outputs can be understood | Feature importance, decision logs, SHAP/LIME integration |
| Privacy-Enhanced | Privacy risks are managed and minimized | Data minimization, PII handling, consent management |
| Reliable | Consistent performance within expected conditions | Performance monitoring, regression testing, drift detection |
| Safe | Does not cause undue harm to people or systems | Red teaming, adversarial testing, failure mode analysis |
| Secure & Resilient | Resistant to attacks and recovers from failures | Security scanning, penetration testing, incident response |
| Fair | Equitable outcomes across affected populations | Bias evaluation, disparate impact analysis, subgroup testing |
The GOVERN function establishes the organizational context for AI risk management. Key implementation steps:
- Assign AI governance ownership — designate an AI governance lead or committee
- Document AI use policies — what AI is allowed and not allowed at your organization
- Create a model inventory — maintain a current list of all AI systems in operation
- Establish risk tolerance — define acceptable risk levels for different AI use cases
- Implement training — ensure all AI practitioners understand governance requirements
See docs/01-govern.md for full implementation guidance.
This guide is part of a broader AI governance framework:
| Repository | Purpose |
|---|---|
| enterprise-ai-governance-playbook | End-to-end governance playbook |
| ai-release-readiness-checklist | Release gate framework |
| ai-risk-taxonomy | Structured risk taxonomy |
| regulated-ai-starter-kit | Template repo for regulated AI teams |
| awesome-ai-governance | Curated resource list |
This guide improves through practitioner feedback. If you have implemented NIST AI RMF and have insights to share, see CONTRIBUTING.md.
Especially valuable:
- Industry-specific implementation examples
- Corrections to interpretations
- Additional tool integrations
- Case studies (anonymized)
MIT License — use and adapt freely with attribution.
This guide is not affiliated with or endorsed by NIST.