The NIST AI RMF is structured around four functions: Govern, Map, Measure, and Manage.
- Govern establishes the standing infrastructure — the culture, policies, processes, and accountability structures — that AI risk management depends on.
- Map establishes context, categorises the AI system, identifies risks and benefits, and characterises impacts.
- Measure analyses, assesses, benchmarks, and monitors AI risks through quantitative and qualitative methods, including evaluation against the seven trustworthy AI characteristics.
- Manage prioritises risks, allocates resources to address them, and responds to incidents.
Each function contains categories (numbered, for example, Govern 1 through Govern 6) and subcategories (Govern 1.1, Govern 1.2, and so on) that specify the outcomes the organisation seeks to achieve.
“The AI RMF Core is composed of four functions: GOVERN, MAP, MEASURE, and MANAGE. Each of these high-level functions is broken down into categories and subcategories. Categories and subcategories are subdivided into specific actions and outcomes.” — NIST AI RMF 1.0, Part 2
Key definitions
| Term | Meaning |
|---|---|
| Function | One of the four top-level structural elements of the framework: Govern, Map, Measure, Manage |
| Category | A grouping of related outcomes within a function. Categories are numbered within each function (e.g. Govern 1, Govern 2). |
| Subcategory | A specific outcome the organisation should achieve within a category — the framework’s most granular level (e.g. Govern 1.1, Manage 4.3) |
| Outcome | What the organisation should achieve at a given subcategory — stated as a result, not as a prescribed activity |
| Suggested action | A concrete activity proposed in the Playbook to achieve a subcategory outcome; voluntary, not required |
| Iterative function | A function performed continuously rather than once, with each iteration informed by outputs from the others |
How NIST AI RMF functions relate
The four functions are not performed in a single linear sequence. Govern provides standing infrastructure that operates continuously. Map, Measure, and Manage operate continuously as systems and contexts evolve, with each iteration informed by outputs from the others.
| Function | Position in the cycle | Relationship to other functions |
|---|---|---|
| Govern | Standing infrastructure | Underpins Map, Measure, and Manage; provides accountability, policies, processes within which the other three operate |
| Map | Situational analysis | Establishes context that Measure and Manage depend on |
| Measure | Evidence generation | Produces analysis and monitoring outputs that Manage acts on; feeds back into Map as context evolves |
| Manage | Decision and action | Acts on outputs from Map and Measure; produces feedback that informs future iterations of all three |
The framework places Govern first because it provides the structures within which the other three are performed; Map second because it establishes context; Measure third because measurement requires that context; and Manage fourth because management requires measurement to act on. But the framework is explicit that the cycle is iterative — all four functions are performed continuously, not in a single pass.
Function 1: Govern
Govern establishes the culture, policies, processes, accountability structures, and oversight mechanisms that enable an organisation to manage AI risks across the AI lifecycle.
Govern categories
| Category | Focus |
|---|---|
| Govern 1 | Policies, processes, procedures, and practices for AI risk management |
| Govern 2 | Accountability structures — empowered, responsible, and trained teams |
| Govern 3 | Workforce diversity, equity, inclusion, and accessibility |
| Govern 4 | Organisational culture that considers and communicates AI risk |
| Govern 5 | Processes for engagement with relevant AI actors |
| Govern 6 | Policies and procedures for third-party software, data, and supply chain |
What Govern produces
Four operational deliverables emerge:
- AI risk management policies. Documented policies covering AI risk tolerance, processes, and connection to broader organisational risk management. Reviewed periodically as the AI portfolio, regulatory environment, and risk landscape change.
- Accountability assignments. Named ownership across the lifecycle — risk identification, assessment, mitigation, monitoring, incident response. Authority must match responsibility.
- Workforce and culture practices. Training, diversity, equity, inclusion, and accessibility considerations integrated into AI development and deployment teams. The framework treats workforce diversity as a substantive risk management measure.
- Third-party governance. Processes for managing AI risks introduced through third-party software, models, data, and services. Due diligence, contractual provisions, ongoing monitoring, incident communication.
Why Govern matters
Govern is the function that determines whether AI risk management is an organisational capability or a project. The other three functions can be performed competently in isolation and still produce no durable change if Govern is absent. The framework places Govern first because it provides the structures within which Map, Measure, and Manage are continuously performed.
Three failure modes recur:
- Govern as policy without process. Policies and risk management statements produced without the underlying processes, accountability structures, and review cycles that make them operative.
- Accountability without authority. Roles assigned without the decision rights, budget, or escalation paths to perform the role. Govern 2 requires authority to match responsibility.
- Third-party AI treated as procurement, not risk management. Foundation models, AI-enabled SaaS, and AI components from suppliers handled exclusively through ordinary vendor management. Govern 6 requires these to be managed as AI risks.
Function 2: Map
Map establishes the situational understanding on which Measure and Manage depend — what the AI system is, what it does, where it operates, who is affected, what could go wrong, and what risks are worth attending to.
Map categories
| Category | Focus |
|---|---|
| Map 1 | Context — intended purposes, deployment settings, users, expectations, potential impacts |
| Map 2 | Categorisation of the AI system — capabilities, targeted usage, goals, expected benefits and costs |
| Map 3 | AI capabilities, targeted usage, goals, benefits, and costs relative to benchmarks |
| Map 4 | Risks and benefits across all components including third-party software and data |
| Map 5 | Impacts on individuals, groups, communities, organisations, and society |
What Map produces
Five operational deliverables emerge:
- System context documentation. Intended purpose, deployment setting, user populations, expected interaction patterns, operational environment, and the broader sociotechnical context.
- System categorisation. Type of AI, task domain, risk-relevant attributes (autonomy, adaptiveness, opacity), benchmarks against which performance and risk are assessed.
- Capability and goal articulation. What the system is intended to do, the goals it serves, expected benefits, expected costs — including costs to those outside the organisation.
- Component-level risk and benefit mapping. Risks and benefits attributable to specific components including third-party models, datasets, libraries, and infrastructure.
- Impact characterisation across five levels. Effects on individuals, groups, communities, organisations, and society. The five-level scope is the framework’s most distinctive feature in Map.
Why Map matters
Map is the function that determines whether subsequent risk management is grounded in reality. Measurements without context produce numbers without meaning; management without understanding produces actions without targets.
Three failure modes recur:
- Categorisation by technology rather than by function. Systems categorised as “machine learning model” or “large language model” without articulating task, deployment context, and user population.
- Impact analysis truncated to individual level. Map 5 requires impact analysis across five levels; analyses that stop at individual harms miss the group, community, and societal effects.
- Third-party components mapped at vendor level rather than component level. Risks mapped as supplier risks rather than as risks attributable to specific model behaviours, training data limitations, or capability boundaries.
Function 3: Measure
Measure analyses, assesses, benchmarks, and monitors AI risks through quantitative and qualitative methods. Where Map identifies what could go wrong, Measure analyses how likely and how severe each risk is, and tracks risks over time.
Measure categories
| Category | Focus |
|---|---|
| Measure 1 | Appropriate methods and metrics for the AI system’s intended purpose and deployment setting |
| Measure 2 | Evaluation of AI systems for trustworthy characteristics |
| Measure 3 | Mechanisms for tracking identified AI risks over time |
| Measure 4 | Feedback about efficacy of measurement |
The seven trustworthy AI characteristics under Measure 2
The framework’s substantive content is concentrated in Measure 2. Each characteristic requires its own measurement approach.
| Characteristic | Measurement focus |
|---|---|
| Valid and reliable | Performance accuracy, robustness across conditions, reliability over time |
| Safe | Hazard identification, fail-safe behaviour, harm avoidance |
| Secure and resilient | Adversarial robustness, attack resistance, recovery capability |
| Accountable and transparent | Documentation completeness, decision traceability, audit support |
| Explainable and interpretable | Method-appropriate explanation, stakeholder-appropriate interpretation |
| Privacy-enhanced | Privacy-preserving techniques, privacy impact, data minimisation |
| Fair with harmful bias managed | Bias measurement across groups, mitigation effectiveness, fairness across deployment contexts |
The characteristics interact. Optimising for one may reduce performance against another. Trade-offs must be made consciously and documented.
What Measure produces
Five operational deliverables emerge:
- Measurement methodology. Methods and metrics appropriate to the AI system’s intended purpose, deployment setting, and risk profile.
- Trustworthy characteristic evaluations. Documented evaluations against each of the seven characteristics where applicable.
- Risk tracking mechanisms. Standing processes for monitoring identified risks — drift detection, performance monitoring, incident tracking, reassessment triggers.
- Impact measurement. Quantification and tracking of impacts characterised in Map.
- Feedback on measurement efficacy. Documented assessment of whether the chosen measurement methods are producing useful information.
Why Measure matters
Measure is the function that produces the evidence on which Manage decisions are based. Without Measure, AI risk management operates on assertion rather than observation.
Three failure modes recur:
- Measurement of characteristics not relevant to the system. The full set of seven characteristics applied to every system regardless of relevance.
- Pre-deployment measurement without operational measurement. Systems evaluated thoroughly before deployment and monitored superficially after.
- Fairness measurement at aggregate level only. Bias and fairness measured across the user population without disaggregation by the groups most likely to experience disparate effects.
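The third failure mode is easy to miss because the aggregate numbers can look acceptable. The following Python is an added illustration, not part of the NIST framework or Playbook: it computes accuracy, selection rate and true-positive rate for a constructed set of model outputs, first across the whole population and then disaggregated by group, and flags any group that falls behind the best-off group. The record set, the group labels, the 0.8 selection-rate ratio (the common four-fifths heuristic) and the 0.1 true-positive-rate gap are all assumptions chosen for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample of model outputs as (group, true_label, predicted_label).
# Group "A" is the majority population, group "B" the minority. This data is
# made up for the example and is not the output of any real system.
RECORDS = (
    [("A", 1, 1)] * 15 + [("A", 0, 0)] * 12 + [("A", 0, 1)] * 3
    + [("B", 1, 1)] * 2 + [("B", 1, 0)] * 3 + [("B", 0, 0)] * 5
)


@dataclass
class Metrics:
    n: int
    accuracy: float
    selection_rate: float  # share of records predicted positive
    tpr: float             # true-positive rate (recall) among actual positives


def _metrics(rows):
    n = len(rows)
    correct = sum(1 for _, y, p in rows if y == p)
    predicted_pos = sum(1 for _, _, p in rows if p == 1)
    preds_for_actual_pos = [p for _, y, p in rows if y == 1]
    tpr = (sum(preds_for_actual_pos) / len(preds_for_actual_pos)
           if preds_for_actual_pos else 0.0)
    return Metrics(n, correct / n, predicted_pos / n, tpr)


def aggregate(rows):
    """Population-level figures: what an aggregate-only evaluation reports."""
    return _metrics(rows)


def disaggregate(rows):
    """The same figures computed separately for each group."""
    by_group = defaultdict(list)
    for row in rows:
        by_group[row[0]].append(row)
    return {g: _metrics(v) for g, v in sorted(by_group.items())}


def disparity_report(rows, min_ratio=0.8, max_tpr_gap=0.1):
    """Compare every group with the best-off group.

    min_ratio follows the four-fifths heuristic often applied to selection
    rates; both thresholds are assumptions for this example, not values the
    framework prescribes.
    """
    per_group = disaggregate(rows)
    best_sel = max(m.selection_rate for m in per_group.values())
    best_tpr = max(m.tpr for m in per_group.values())
    findings = {}
    for g, m in per_group.items():
        ratio = m.selection_rate / best_sel if best_sel else 1.0
        gap = best_tpr - m.tpr
        findings[g] = {
            "selection_rate_ratio": round(ratio, 4),
            "tpr_gap": round(gap, 4),
            "flagged": ratio < min_ratio or gap > max_tpr_gap,
        }
    return findings


if __name__ == "__main__":
    print("aggregate:", aggregate(RECORDS))
    for group, m in disaggregate(RECORDS).items():
        print(group, m)
    print("disparity:", disparity_report(RECORDS))
```

On this constructed data the aggregate accuracy is 0.85 and the aggregate selection rate 0.5, figures that would pass most pre-deployment gates. Disaggregated, group B has 0.7 accuracy, a selection rate one third of group A's, and a true-positive rate of 0.4 against A's 1.0, so it is flagged. The structure of the check, not the thresholds, is the point: a Measure 2 fairness evaluation needs the per-group table and a documented comparison rule, and the groups to disaggregate by come from the impact characterisation produced in Map 5.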
Function 4: Manage
Manage allocates resources to address identified risks and responds when things go wrong. It converts the framework’s analytical work into operational decisions and interventions.
Manage categories
| Category | Focus |
|---|---|
| Manage 1 | AI risks prioritised, responded to, and managed |
| Manage 2 | Strategies to maximise AI benefits and minimise negative impacts |
| Manage 3 | AI risks and benefits from third-party entities managed |
| Manage 4 | Risk treatments documented, monitored, and improved |
What Manage produces
Five operational deliverables emerge:
- Risk prioritisation and response decisions. Identified risks ranked by impact, likelihood, organisational risk tolerance, and resource constraints. Prioritisation explicit and documented.
- Benefit maximisation and impact minimisation strategies. Documented strategies that weigh AI benefits against negative impacts and articulate how the balance is maintained operationally.
- Third-party risk treatments. Risk controls applied to AI components, models, data, and services sourced from third parties — ongoing monitoring, contractual enforcement, incident communication.
- Response and recovery procedures. Documented procedures for responding to AI incidents, recovering from failures, and communicating with affected parties.
- Continuous improvement of risk treatments. Treatments monitored for effectiveness, updated as the system and context change, retired when no longer relevant.
Why Manage matters
Manage is the function that determines whether AI risk management changes what the organisation does. The other three functions can produce structures, context, and evidence without altering operational decisions.
Three failure modes recur:
- Prioritisation by visibility rather than by analysis. Risks that attract leadership attention or external scrutiny addressed; risks identified through systematic analysis but lacking visibility languish.
- Benefit articulation absent. Risks documented extensively without articulating the benefits the AI system is intended to produce. Manage 2 expects benefit-cost balancing to be explicit.
- Treatments implemented and not reviewed. Risk treatments applied at deployment and assumed to remain effective. Manage 4 requires monitoring of treatment effectiveness, updating as conditions change, and retirement when treatments become obsolete.
How the four functions interact in practice
A working implementation produces a continuous flow of activity across the four functions. The table below illustrates how a single AI system moves through the cycle.
| Stage | Govern role | Map role | Measure role | Manage role |
|---|---|---|---|---|
| System inception | Policies and accountability already in place | Context, categorisation, initial risk identification, impact characterisation | Methodology selection; initial benchmarking | Initial risk prioritisation; resource allocation |
| System development | Lifecycle policies governing development | Refinement of context and risk identification as design choices firm up | Pre-deployment evaluation against trustworthy characteristics | Risk treatment decisions; mitigations applied |
| System deployment | Deployment policies and accountability | Deployment context analysis; final impact characterisation | Validation against deployment context; baseline metrics | Deployment risk treatments; response procedures activated |
| Operation and monitoring | Ongoing governance; engagement with affected parties | Reassessment as deployment context evolves | Ongoing monitoring; drift detection; incident tracking | Response to detected issues; treatment effectiveness review |
| Incident or change | Incident escalation through governance channels | Reassessment of risks and impacts | Investigation and measurement of the incident | Response, communication, recovery; corrective treatments |
The cycle never closes definitively for a deployed AI system. Map, Measure, and Manage operate continuously, and Govern provides the standing infrastructure within which they operate. Static implementations — those that perform the four functions once at deployment and never revisit them — lose value as the system and its context evolve.
How NIST AI RMF functions integrate with other governance instruments
For organisations operating multiple frameworks, the four functions integrate with adjacent governance instruments in defined ways.
| Instrument | How the four functions integrate |
|---|---|
| ISO/IEC 42001 | Govern aligns with Clauses 4 and 5; Map and Measure align with Clause 6 and Annex A.5–A.7; Manage aligns with Clause 8 and Clause 10 |
| EU AI Act | Map and Measure support Articles 9, 10, 14; Manage supports Articles 72 and 73; Govern supports Article 17 quality management |
| ISO/IEC 23894 | Map and Measure align with the AI risk management methodology of ISO/IEC 23894 |
| Sector frameworks | Profiles adapt the four functions to specific sectors — healthcare, financial services, public safety |
The four functions provide the structural backbone within which other instruments’ substantive content operates. Organisations using multiple frameworks typically anchor implementation on the four functions and map other instruments’ requirements to them.
NIST AI RMF resource references
The primary references for working with the four functions:
| Resource | Source |
|---|---|
| NIST AI RMF 1.0 | https://www.nist.gov/itl/airc — the core framework defining the four functions |
| AI RMF Playbook | https://airc.nist.gov/airmf-resources/playbook/ — suggested actions for each subcategory across all four functions |
| NIST AI 600-1: Generative AI Profile | https://www.nist.gov/itl/airc — generative AI risks mapped to the four functions |
| AI RMF Crosswalks | https://www.nist.gov/itl/airc — mappings of the four functions to ISO/IEC 42001, EU AI Act, OECD principles, others |
| AI Resource Center (AIRC) | https://airc.nist.gov — central hub for AI RMF resources |
The Playbook is the most directly useful reference for operational work on the four functions. For each subcategory across Govern, Map, Measure, and Manage, it provides suggested actions, references, documentation considerations, and transparency considerations.
FAQ
Are the NIST AI RMF's four functions performed in order?
Not strictly. The framework places them in a logical sequence — Govern first, then Map, Measure, Manage — but in operation the four functions run continuously and iteratively. Govern is standing infrastructure; Map, Measure, and Manage are repeated as systems and contexts evolve. Each iteration of any function informs the others.
Can I focus on one or two functions and defer the others?
The framework expects all four functions to be operative for the AI systems within scope. Focusing on Measure without Govern produces measurement without accountability; focusing on Manage without Map produces decisions without context. Partial implementations are sometimes pragmatic during early adoption, but they should be understood as transitional rather than as steady states.
Which NIST AI RMF function is most demanding?
There is no single answer. Govern is most demanding when starting from no existing governance infrastructure — the policies, accountability structures, and processes are new work. Measure is most demanding for organisations with complex AI portfolios — the substantive evaluation methodology depth is significant. Map is most demanding for organisations with novel use cases — the context analysis cannot draw on standard templates. Manage is most demanding for organisations with mature governance and complex risks — the decisions and trade-offs require established analytical foundations.
How are NIST AI RMF categories and subcategories used in practice?
Categories group related outcomes within a function and provide a high-level structure for adoption planning. Subcategories specify the outcomes themselves and are the level at which the Playbook provides suggested actions. Organisations typically adopt the framework subcategory by subcategory, using the Playbook to translate each outcome into operational activities.
Does the NIST AI RMF specify how to perform each function?
The framework specifies outcomes, not methods. It states what should be achieved under each subcategory but does not prescribe how. The Playbook provides suggested actions; profiles provide context-specific adaptations; external resources (NIST publications, academic literature, sector guidance) provide methodology. The framework treats methodology as the organisation’s responsibility within its context.
How does the Govern function relate to existing organisational governance?
Govern is designed to integrate with existing organisational governance — enterprise risk management, board oversight, executive accountability, compliance — rather than to replace it. The framework expects AI risk management to operate within the broader governance infrastructure, with AI-specific elements added where needed. Organisations with mature general governance typically find Govern less demanding than organisations starting from limited governance maturity.
Why are there five categories in Map but only four in Measure and Manage?
The category counts reflect the substantive territory each function covers. Map’s five categories cover context, categorisation, capability articulation, risk and benefit mapping, and impact characterisation — five distinct activities. Measure’s four categories cover method selection, characteristic evaluation, risk tracking, and measurement efficacy. Manage’s four cover prioritisation, benefit-impact balancing, third-party management, and treatment improvement. The counts are not significant in themselves; what matters is the substantive coverage.
What is the relationship between the NIST AI RMF functions and the seven trustworthy AI characteristics?
The characteristics are the substantive goals of AI risk management — what the four functions are designed to achieve in operation. Measure 2 is the most direct point of integration, where the characteristics are evaluated explicitly. But the characteristics also inform Map (impact characterisation), Govern (policy framing), and Manage (treatment selection). The framework expects the characteristics to be the working vocabulary across all four functions.
How long does it take to operationalise all NIST AI RMF functions?
Adoption is gradual. Organisations typically work through the four functions over six to eighteen months, with foundational Govern activity preceding substantive Map, Measure, and Manage work on specific AI systems. Full operation across all functions and all AI systems takes longer for organisations with large AI portfolios. Because the framework is voluntary and non-certifiable, there is no equivalent to the audit gates that structure ISO certification timelines.
Can I adapt the NIST AI RMF functions for sector-specific use?
Yes. The profile mechanism is designed for this. A profile adapts the four functions to a specific use case, sector, or technology — identifying which subcategories apply most heavily, what risks are distinctive, and what suggested actions are appropriate. The Generative AI Profile (NIST AI 600-1) is an example. Organisations operating in contexts without a published profile commonly develop internal profiles describing their adaptation.