The NIST AI Risk Management Framework (AI RMF) 1.0 is a voluntary US framework published by the National Institute of Standards and Technology in January 2023. It provides guidance for managing AI risk across four functions — Govern, Map, Measure, and Manage — and is non-certifiable.
The EU AI Act is Regulation (EU) 2024/1689, a binding EU regulation that entered into force in August 2024 and applies in phased stages through 2027. It imposes specific obligations on providers, deployers, importers, and distributors of AI systems placed on the EU market, structured around a four-tier risk classification (unacceptable, high, limited, minimal).
The AI RMF is methodology and the Act is law. The two operate at different levels and serve different functions.
“The AI RMF is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.” — NIST AI RMF 1.0, Foreword
“This Regulation lays down: (a) harmonised rules for the placing on the market, the putting into service, and the use of artificial intelligence systems (AI systems) in the Union.” — Regulation (EU) 2024/1689, Article 1(2)(a)
Key definitions
| Term | AI RMF meaning | EU AI Act meaning |
|---|---|---|
| AI system | An engineered system generating outputs for human-defined objectives | A machine-based system designed to operate with varying levels of autonomy that may exhibit adaptiveness and that infers from input how to generate outputs (Article 3(1)) — triggers regulatory obligations |
| AI actor | Individual or organisation playing a role in the AI lifecycle | Not used — the Act identifies specific economic operators: provider, deployer, importer, distributor |
| Risk | Effect of uncertainty on objectives, addressed across four functions | Treated as a tiered classification (unacceptable, high, limited, minimal/no risk) that determines which obligations apply |
| Conformity | Not a term in the AI RMF | The state of meeting Act obligations — demonstrated through conformity assessment for high-risk systems |
| Trustworthy AI characteristics | Seven characteristics defined in the framework | Not a defined concept; related requirements appear across specific Articles |
| Profile | Use-case or sector-specific adaptation of the framework | Not a concept in the Act |
| Harmonised standard | Not a concept in the AI RMF | A European standard adopted on the basis of a Commission request, conferring presumption of conformity (Articles 40–41) |
NIST AI RMF and the EU AI Act: Where the two align
Substantive overlap between the AI RMF and the EU AI Act is significant. Both address risk management, data governance, transparency, human oversight, post-deployment monitoring, and incident response. The mapping below covers the obligations most relevant to AI RMF users preparing for Act compliance work.
| EU AI Act obligation | Article | AI RMF functions and categories |
|---|---|---|
| Risk management system | Article 9 | Map 4, Measure 1, Measure 2, Manage 1, Manage 4 |
| Data and data governance | Article 10 | Map 2, Map 4, Measure 2, Govern 6 |
| Technical documentation | Article 11 | Govern 1, Map 1, Map 2 (documentation considerations across all functions) |
| Record-keeping and logging | Article 12 | Measure 3 (risk tracking mechanisms) |
| Transparency and information to deployers | Article 13 | Govern 5 (engagement with AI actors), Map 1 (context for users) |
| Human oversight | Article 14 | Map 1, Map 3, Manage 2, Manage 4 |
| Accuracy, robustness, cybersecurity | Article 15 | Measure 2 (trustworthy characteristics: valid and reliable, safe, secure and resilient) |
| Quality management system (providers) | Article 17 | The framework as a whole, particularly Govern function |
| Post-market monitoring | Article 72 | Measure 3, Manage 4 |
| Serious incident reporting | Article 73 | Manage 4 (response and recovery), Govern 5 (engagement) |
| Transparency obligations to natural persons | Article 50 | Govern 5, Map 5 (impacts on individuals) |
The most consequential overlaps are Articles 9, 10, 14, and 72 — risk management, data governance, human oversight, and post-market monitoring. These are the obligations where AI RMF Map and Measure activities produce evidence that directly supports Act compliance work. An organisation that has applied the framework substantively to its high-risk AI systems has produced much of the underlying analysis the Act requires.
Where the two diverge
The alignment ends at five structural points. Each is a difference in kind, not in degree.
Legal effect
The AI RMF is voluntary throughout. Failure to adopt it produces no legal sanction — the consequences are contractual, reputational, and operational. The EU AI Act is binding regulation. Failure to comply produces administrative fines up to €35 million or 7% of worldwide annual turnover for the most serious violations (Article 99), and up to €15 million or 3% for other infringements. Market withdrawal, restrictions on placing systems on the market, and removal from the EU database are also available sanctions.
| Consequence | AI RMF | EU AI Act |
|---|---|---|
| Failure to adopt or comply | Contractual exposure; reputational risk | Administrative fines; market access restrictions |
| Authority | NIST (federal agency; non-regulatory in this context) | National competent authorities; EU AI Office for general-purpose AI |
| Enforcement | None (framework is voluntary) | Investigation, sanctions, withdrawal orders |
Risk model
The AI RMF treats risk as a context-specific concept identified through Map activities and analysed through Measure activities. Risk criteria are organisation-determined. The Act imposes a fixed risk classification that determines which obligations apply.
| Tier | Act treatment | AI RMF treatment |
|---|---|---|
| Unacceptable risk | Prohibited under Article 5 | No equivalent category — the framework does not prohibit specific use cases |
| High risk | Permitted subject to extensive obligations (Articles 8–27) | Standard application of all four functions |
| Limited risk | Permitted subject to transparency obligations (Article 50) | Standard application of all four functions |
| Minimal or no risk | Permitted without specific obligations | Standard application of all four functions |
The Act’s classification is a regulatory determination an organisation must make about each AI system. The AI RMF supports the analysis — Map and Measure activities produce evidence informing the classification — but does not itself produce the classification.
Conformity assessment and CE marking
The Act requires high-risk AI systems to undergo conformity assessment before being placed on the EU market, with CE marking demonstrating conformity. The assessment is performed through internal control (Annex VI) or by a notified body (Annex VII), depending on the system and the harmonised standards available.
The AI RMF has no equivalent. Adoption produces internal documentation, optionally supplemented by self-attestation or third-party assessment, but no certificate and no CE-equivalent mark. The CE mark cannot be applied on the basis of AI RMF adoption.
Harmonised standards status
The Act provides for presumption of conformity where harmonised standards published in the Official Journal of the European Union are applied. The European Commission has issued a standardisation request to CEN-CENELEC for harmonised standards supporting the Act. Standards developed in response to that request — typically European adaptations of, or new standards aligned with, ISO/IEC documents — may eventually be designated as harmonised standards.
The AI RMF is not a harmonised standard and is unlikely to be designated as one. It is a NIST publication, not a European standard, and the harmonisation mechanism in the Act applies to European standards specifically. Organisations using the AI RMF for Act compliance work do so on the basis that the framework supports substantive obligations — not on the basis of presumption of conformity.
General-purpose AI
The Act contains a dedicated regime for general-purpose AI models (Chapter V), with additional obligations for models with systemic risk. Obligations include technical documentation, copyright compliance, training data summaries, model evaluation, adversarial testing, incident reporting, and cybersecurity protection.
The AI RMF does not contain a parallel regime. The four functions apply to general-purpose AI as they do to any AI system, and the Generative AI Profile (NIST AI 600-1) adapts the framework to generative AI use cases. But the specific GPAI obligations under the Act — particularly the systemic-risk obligations — sit outside the AI RMF’s scope and require Act-specific work in addition to AI RMF adoption.
How AI RMF adoption supports AI Act compliance
For organisations preparing for both instruments, the AI RMF supports Act compliance in three operational ways.
| Function | What AI RMF adoption provides |
|---|---|
| Substantive methodology | The framework provides the substantive risk management methodology the Act requires under Articles 9 and 15. Where the Act states an obligation, the framework specifies how to perform the underlying analysis. |
| Evidence base | Documentation produced under Map, Measure, and Manage activities supplies the substantive content that Act technical documentation (Article 11) and post-market monitoring (Article 72) require. |
| Governance structure | Govern function activities — policies, accountability, third-party governance — produce the management infrastructure that Act quality management system obligations (Article 17) depend on. |
The framework does not replace Act-specific work. Conformity assessment, CE marking, registration in the EU database, post-market monitoring systems specific to the Act’s requirements, serious incident reporting through Act-defined channels — these are obligations the framework supports but does not satisfy. Most organisations preparing for both instruments operate the AI RMF as the methodology source and Act-specific work as the regulatory layer that consumes the methodology’s outputs.
How Act compliance constrains AI RMF adoption
The relationship runs in both directions. For organisations subject to the Act, Act obligations shape how the AI RMF is applied:
| Act provision | Effect on AI RMF adoption |
|---|---|
| Article 5 (prohibitions) | Map and Measure activities must identify whether the AI system falls within a prohibited practice; positive identification ends Act-relevant work for that system and should end deployment work under the AI RMF as well |
| High-risk classification (Annex III) | Systems classified as high-risk trigger Act-specific obligations the AI RMF does not enumerate; AI RMF activities must produce evidence sufficient for those obligations |
| Article 50 (transparency) | Limited-risk systems trigger specific user transparency obligations; Govern 5 and Map 5 activities must support compliance with the specific Article 50 requirements |
| Chapter V (GPAI) | General-purpose AI models trigger obligations beyond the AI RMF; the Generative AI Profile supports the substantive work but does not satisfy Chapter V requirements |
The Act takes precedence where the two diverge. The AI RMF is voluntary; the Act is binding. Where AI RMF activities produce outcomes inconsistent with Act requirements, Act requirements govern. Organisations cannot rely on AI RMF adoption to argue that Act obligations have been modified or relaxed.
Practical sequencing: NIST AI RMF and the EU AI Act
Most organisations subject to both instruments do not work through them sequentially. Three patterns recur:
| Pattern | Description |
|---|---|
| AI RMF as methodology foundation, Act as compliance layer | Organisations build AI risk management capability through the AI RMF and consume its outputs to support Act compliance work. Common for organisations with mature US operations expanding into EU markets. |
| Act compliance work driving AI RMF adoption | Organisations facing imminent Act deadlines adopt the AI RMF as the methodology source for substantive compliance work. The framework provides the analytical depth Act compliance requires. |
| Parallel adoption from the start | Organisations building AI governance from scratch adopt both simultaneously, using the AI RMF for methodology and structuring the documentation to support Act conformity work. |
The first pattern is most common for organisations with existing US presence. The second is common for EU-based organisations encountering AI governance through the Act. The third is most common for new AI governance programmes in organisations with EU market exposure.
Practical considerations for organisations using both NIST AI RMF and the EU AI Act
Five considerations recur in implementations operating both instruments:
| Consideration | Practical implication |
|---|---|
| Risk classification cannot be derived from AI RMF activities | The Act’s tier classification is a regulatory determination; AI RMF Map and Measure activities inform it but do not produce it. Organisations should document the classification decision separately. |
| Technical documentation must meet Annex IV content | Article 11 documentation has specific content requirements in Annex IV. AI RMF Map and Measure outputs support the documentation but should be structured to satisfy Annex IV specifically. |
| Post-market monitoring under Article 72 has specific requirements | The AI RMF Measure function provides the methodology; Article 72 specifies what post-market monitoring systems must collect and document. The two must be aligned at design. |
| Serious incident reporting follows Act-defined channels | Manage 4 response and recovery activities must integrate with Article 73 reporting obligations, including reporting timelines and authorities. |
| GPAI obligations require Act-specific work beyond the AI RMF | Chapter V obligations — copyright compliance, training data summaries, systemic-risk obligations — are not addressed by the framework and require separate Act-specific implementation. |
NIST AI RMF resource references
The primary references for working with the AI RMF and the Act together:
| Resource | Source |
|---|---|
| NIST AI RMF 1.0 | https://www.nist.gov/itl/airc — the core framework |
| AI RMF Playbook | https://airc.nist.gov/airmf-resources/playbook/ — companion implementation guidance |
| NIST AI 600-1: Generative AI Profile | https://www.nist.gov/itl/airc — generative AI profile |
| AI RMF Crosswalks (including EU AI Act) | https://www.nist.gov/itl/airc — published crosswalks between the AI RMF and other instruments |
| EU AI Act | https://eur-lex.europa.eu — Regulation (EU) 2024/1689 |
| EU AI Act implementing acts and harmonised standards | https://digital-strategy.ec.europa.eu — Commission guidance on the Act’s implementation |
NIST publishes crosswalks between the AI RMF and the EU AI Act as a supporting resource. The crosswalks identify subcategory-by-Article correspondences and are useful planning tools, though they are not authoritative legal interpretations of either instrument.
FAQ
Does AI RMF adoption satisfy the EU AI Act?
No. The framework supports Act compliance work substantively but does not satisfy it. The Act imposes specific obligations — conformity assessment, CE marking, registration, technical documentation under Annex IV, post-market monitoring systems, serious incident reporting — that the AI RMF does not enumerate. Organisations subject to the Act must perform Act-specific work in addition to AI RMF adoption.
Is the AI RMF a harmonised standard under the EU AI Act?
No. The Act provides for presumption of conformity where harmonised standards published in the Official Journal are applied. The AI RMF is a NIST publication, not a European standard, and is unlikely to be designated as a harmonised standard. Standards developed by CEN-CENELEC in response to the Commission’s standardisation request may serve this function; the AI RMF supports substantive work but does not confer presumption of conformity.
Can I use AI RMF documentation as evidence in EU AI Act conformity assessment?
Yes, as supporting evidence. Documentation produced under Map and Measure activities supports the analysis Act conformity assessment requires. But the conformity assessment itself is a distinct procedure with specific evidentiary requirements under Annexes VI and VII, and AI RMF documentation alone does not constitute conformity assessment.
Does the AI RMF address EU AI Act prohibitions under Article 5?
The framework does not list prohibited practices, but Map activities should identify whether the AI system falls within Article 5 prohibitions. Identification of a prohibited practice ends Act-relevant work for that system and should end deployment work under the AI RMF as well. The framework supports the analysis; the Act provides the binding determination.
Do EU AI Act high-risk obligations apply differently to organisations that have adopted the AI RMF?
No. The Act’s high-risk obligations apply regardless of voluntary framework adoption. AI RMF adoption supports substantive compliance with the obligations but does not modify the obligations themselves.
How does the Generative AI Profile relate to EU AI Act general-purpose AI obligations?
The Generative AI Profile (NIST AI 600-1) identifies twelve risks distinctive to generative AI and provides suggested actions for managing them. Several of these risks — information integrity, intellectual property, dangerous content, value chain integration — map to specific Chapter V obligations under the Act. The profile supports substantive work on these obligations but does not satisfy them; Chapter V requires specific documentation, evaluation, and reporting that the profile does not enumerate.
Should organisations subject to the Act adopt the AI RMF?
There is no requirement to do so. Many organisations subject to the Act adopt the AI RMF because it provides substantive methodology the Act assumes but does not specify in detail. Others use ISO/IEC 23894, ISO/IEC 42001, or sector-specific methodologies. The choice depends on existing governance infrastructure, sector context, and the organisation’s broader AI strategy.
What is the relationship between the AI RMF and ISO/IEC 42001 for EU AI Act purposes?
The two are complementary. ISO/IEC 42001 provides the certifiable management system structure that supports Act Article 17 quality management obligations; the AI RMF provides substantive methodology that supports Articles 9, 10, 14, 15, and 72. Organisations operating in both US and EU markets commonly adopt both — ISO 42001 for the management system and certification, the AI RMF for methodology.
Does the EU AI Act recognise self-attestation under the AI RMF?
Not as a basis for presumption of conformity. AI RMF self-attestation may be useful evidence in interactions with customers, partners, and notified bodies, but it is not equivalent to conformity assessment and does not by itself demonstrate Act compliance.
What happens if AI RMF activities and EU AI Act requirements conflict?
The EU AI Act prevails. The AI RMF is voluntary; the Act is binding regulation. Where AI RMF activities produce outcomes inconsistent with Act requirements — for example, risk treatment decisions that would not satisfy the Act’s high-risk obligations — Act requirements govern. The framework accommodates this: AI RMF Govern activities expect risk management to address applicable laws and regulations as a substantive input.
Will the AI RMF be updated to reflect EU AI Act developments?
NIST publishes the AI RMF Roadmap as a planning document indicating where the framework will develop. Crosswalks between the AI RMF and the Act are maintained and updated as Act implementation guidance emerges. The core framework itself is unlikely to be substantively restructured to mirror the Act; the alignment is intended to be substantive rather than structural.