Framework guide

The NIST AI RMF, explained without the fog.

The NIST AI Risk Management Framework (AI RMF 1.0) is voluntary guidance published in January 2023 for managing the risks of AI systems. It organizes the work into four functions: GOVERN, MAP, MEASURE, and MANAGE. Two facts most vendor pages skip: NIST does not certify anyone against this framework, and NIST itself says the framework is currently being revised. What the RMF actually asks organizations to produce is evidence, and evidence is checkable.

What it is, and what it is not

The AI RMF (document NIST AI 100-1) is a voluntary framework from the U.S. National Institute of Standards and Technology. It is not a law, not a regulation, and not a certification scheme. In July 2024 NIST added the Generative AI Profile (NIST-AI-600-1), which layers twelve generative-AI risk areas, including confabulation, on top of the base framework. In April 2026 NIST released a concept note for a critical infrastructure profile and states on its own site that AI RMF 1.0 is being revised. If you build to the framework, watch that revision.

The four functions, plainly

GOVERN is the standing structure: who is accountable, what the policies are, and how decisions get made before any single system is discussed. MAP is context: what the system is for, who it touches, and what could go wrong in that setting. MEASURE is testing and tracking: evaluating the risks you mapped with methods you can defend. MANAGE is acting on what you measured: prioritizing, mitigating, monitoring, and responding when something goes wrong. Every function generates records. A program that cannot show the records has not done the functions.

The claim nobody can honestly make

There is no such thing as NIST certified AI. NIST does not certify organizations or products against the AI RMF, so a vendor claiming certification is misreading the framework at best. What a vendor can honestly claim is alignment: practices mapped to the four functions, with artifacts to prove it. When you evaluate any AI vendor, including us, ask for the artifacts, not the adjectives. Our procurement checklist gives you ten questions that force that conversation.

Where receipts fit

MEASURE and MANAGE both collapse without records of what the system actually did. That is the layer we build in public: receipts for actions, denials, and corrections in an append-only, hash-linked ledger, tiered human oversight with quotas and a kill switch, and an audit trail standard an outsider can verify. For federal teams, our contractor guide covers how this evidence discipline supports an RMF-aligned program without overclaiming. The honest sentence is: we publish the evidence an RMF program needs, and you can check it yourself.

Sources

Primary sources: the NIST AI RMF page and the Generative AI Profile (NIST-AI-600-1). Last verified: July 8, 2026. This page is plain-language education, not legal or compliance advice. Explore services built on this evidence layer, or see how the framework relates to the EU AI Act timeline and ISO/IEC 42001.