NIST AI RMF Explained: How GOVERN, MAP, MEASURE, and MANAGE Apply to Your Organization

The NIST AI RMF organizes AI governance into four functions. Here's what GOVERN, MAP, MEASURE, and MANAGE actually mean - and how to make them operational.


What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework published by the U.S. National Institute of Standards and Technology in document NIST AI 100-1, released January 26, 2023. It gives organizations a structured, repeatable way to identify, assess, and manage the risks of AI systems across their full lifecycle — from design and development to deployment and retirement.

Unlike a regulation, the AI RMF does not tell you what you must do. It tells you how to reason about AI risk, and it is deliberately flexible enough to work across industries and organization sizes. Version 1.0 is still the current edition; there is no 2.0 as of 2026. NIST has since added a companion Generative AI Profile (NIST-AI-600-1), released July 26, 2024, which maps the framework onto 12 generative-AI risk categories with more than 200 suggested actions. (The Generative AI Profile was commissioned under Executive Order 14110, which was rescinded in January 2025 — but the NIST-AI-600-1 document itself still stands and is widely used.)

The framework is built around four core functions: GOVERN, MAP, MEASURE, and MANAGE. The sections below explain what each one actually means in NIST's own terms, and how to make them operational rather than aspirational.

The four functions of the NIST AI RMF at a glance

GOVERN is a cross-cutting function that runs through the other three; MAP, MEASURE, and MANAGE form a working cycle you return to as each AI system evolves. Here is how NIST defines each one, and the practical question it answers.

| Function | What NIST says it does | The question it answers |
|---|---|---|
| GOVERN (cross-cutting) | Cultivates a culture of risk management; sets policies, processes, and accountability that are infused throughout the other three functions and across the AI lifecycle. | Who is accountable, and under what policy? |
| MAP | Establishes the context to frame risks related to an AI system, building enough knowledge of impacts to inform a go / no-go decision. | What AI do we have, and in what context? |
| MEASURE | Uses quantitative, qualitative, or mixed-method tools to analyze, assess, benchmark, and monitor AI risk and its impacts. | How do we know it is working — and safe? |
| MANAGE | Allocates resources to mapped and measured risks; prioritizes, responds, recovers from, and communicates about risks and incidents. | What do we do when something goes wrong? |

GOVERN: who is accountable?

In the AI RMF, GOVERN is a cross-cutting function — NIST is explicit that governance is meant to be infused throughout MAP, MEASURE, and MANAGE, and to apply across every stage of the AI lifecycle. It is the function that cultivates a culture of risk management and makes the other three stick.

The GOVERN function covers the policies, processes, roles, and accountability structures behind AI risk management: defining your organization's AI policies and risk tolerances, naming executive sponsors and a governance body, clarifying who owns each AI system, setting review cadences, and connecting AI oversight to board- or council-level reporting.

The practical insight is simple: governance without accountability is just documentation. Every AI initiative needs a named owner — the person who answers when an auditor, board member, or resident asks, "who is responsible for this system?"

MAP: what are you working with, and in what context?

The MAP function establishes the context needed to frame the risks of an AI system. NIST's intent is that, after completing MAP, you have enough knowledge of an AI system's purpose, setting, and potential impacts to make an informed go / no-go decision about whether to build or deploy it. In practice, this is the inventory-and-context step.

Typical MAP activities include:

  • Building an inventory of the AI systems and use cases in operation across the organization.
  • Documenting the context each system runs in — operational, clinical, financial, or regulatory.
  • Assessing potential impacts, including benefits, harms, and the populations affected.
  • Identifying interdependencies between AI systems and the processes around them.

This is also where most organizations stumble first, because you cannot frame the risk of systems you have not catalogued. The evidence is stark in government: a 2024 GAO review of federal AI inventories (GAO-24-105980) found that only 5 of 20 agencies reported complete and accurate information for their AI use cases — the other 15 had incomplete or inaccurate data. And in April 2025, the New York State Comptroller reported (audit SGA-2025-23S50) that the state's Office of Information Technology Services "does not have an inventory of AI systems in use by state entities." No map, no governance.

MEASURE: how do you know it is working?

The MEASURE function uses quantitative, qualitative, or mixed-method tools to analyze, assess, benchmark, and monitor AI risk and its impacts. It is where governance gets evidence: the metrics, tests, and monitoring that tell you whether a system is performing as intended and whether new risks are emerging.

Common MEASURE activities include defining outcome metrics that track whether each system achieves its purpose; risk metrics that watch for bias, drift, and accuracy degradation; and the monitoring needed to assess systems continuously rather than once a year. NIST's framing is that risks which are not well defined are hard to measure — so MEASURE forces an organization to get specific about what "good" and "bad" look like for every AI system.

MANAGE: what happens when something goes wrong?

The MANAGE function allocates resources to the risks you mapped and measured, and defines how you prioritize, respond to, recover from, and communicate about risks and incidents. It is the closed-loop part of the framework — the point at which governance turns from monitoring into action.

MANAGE activities include prioritizing risks against your stated tolerance, standing up incident detection and escalation paths with clear ownership at each level, running corrective-action workflows with deadlines, and keeping the documentation that demonstrates responsive governance after the fact. This is where a program earns its credibility: anyone can write policies and build dashboards, but the organizations regulators and boards trust are the ones that can show what happened when a system drifted — and what they did about it.

Is the NIST AI RMF mandatory?

No. The AI RMF is explicitly voluntary. But its practical weight is growing for two reasons. First, a number of state and federal requirements now lean on inventory and risk practices that mirror the framework — for example, OMB Memorandum M-24-10 (March 2024) directs federal agencies to name a Chief AI Officer and maintain AI use-case inventories with minimum risk practices. Second, the framework is increasingly cited as a reasonable-care benchmark, which makes it a de facto reference point even where no statute names it.

A note of caution for public-sector readers: the state-law landscape is volatile and contested. Texas enacted the Texas Responsible AI Governance Act (TRAIGA), effective January 1, 2026, requiring state agencies to disclose AI interactions; California passed the Transparency in Frontier AI Act (SB 53) in 2025; and a December 2025 federal executive order created a Department of Justice task force to challenge some state AI laws. The throughline is the same regardless of which statute survives: agencies still need an operating system of record to show who owns each AI system and how its risk is managed. No state mandates the NIST AI RMF by name.

How to operationalize the NIST AI RMF

The hard part of the AI RMF is not understanding it — it is running it. Because the framework deliberately avoids prescribing tools, organizations are left to decide what "good enough" looks like. A workable starting sequence:

  1. Inventory first (MAP). List every AI system and use case, including embedded AI features and tools adopted outside of IT. You cannot govern what you have not catalogued.
  2. Assign an owner to each one (GOVERN). Attach a named person, a risk tier, and a review cadence to every entry. An unowned AI system is an ungoverned one.
  3. Define and monitor metrics (MEASURE). For each system, set outcome and risk metrics and a monitoring rhythm, so drift is visible before it becomes an incident.
  4. Build a response loop (MANAGE). Stand up escalation paths and corrective-action workflows with deadlines, and keep the audit trail that proves you acted.
  5. Report and iterate (GOVERN). Roll the portfolio into a recurring, board-ready report, then mature the program over time.
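One way to make these five steps machine-checkable, as an added example that is not from the original post and not ClearPoint's code: a constructed Python inventory in which each system carries an owner, risk tier and review cadence (GOVERN) and outcome/risk metrics with stated tolerances (MEASURE), plus a check that turns unowned systems, overdue reviews and tolerance breaches into corrective actions with tier-based deadlines (MANAGE). The tier deadlines, tolerances and sample systems are assumptions; the AI RMF leaves all of them to the organization.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Corrective-action deadline (days) by risk tier; constructed, the RMF leaves this to the organization.
ACTION_DEADLINE_DAYS = {"high": 7, "medium": 30, "low": 90}

@dataclass
class Metric:
    name: str
    value: float   # latest observed value (MEASURE)
    floor: float   # stated tolerance: a value below this is a risk finding
@dataclass
class AISystem:
    name: str
    owner: str        # GOVERN: named accountable person; "" means unowned
    risk_tier: str    # GOVERN: "high", "medium" or "low"
    review_days: int  # GOVERN: review cadence in days
    last_review: date
    metrics: list = field(default_factory=list)  # MEASURE: outcome/risk metrics

def evaluate(inventory, today):
    """Walk the MAP inventory and return GOVERN and MEASURE findings."""
    findings = []
    for s in inventory:
        if not s.owner:
            findings.append({"system": s.name, "function": "GOVERN", "issue": "no named owner"})
        if (today - s.last_review).days > s.review_days:
            findings.append({"system": s.name, "function": "GOVERN", "issue": "review overdue"})
        for m in s.metrics:
            if m.value < m.floor:
                findings.append({"system": s.name, "function": "MEASURE",
                                 "issue": f"{m.name} {m.value} below tolerance {m.floor}"})
    return findings

def corrective_actions(inventory, findings, today):
    """MANAGE: give each finding an owner and a deadline set by the system's risk tier."""
    systems = {s.name: s for s in inventory}
    actions = []
    for f in findings:
        s = systems[f["system"]]
        actions.append({**f, "owner": s.owner or "UNASSIGNED (escalate to governance body)",
                        "due": today + timedelta(days=ACTION_DEADLINE_DAYS[s.risk_tier])})
    return actions

# Constructed sample inventory; these are not real systems.
TODAY = date(2026, 3, 1)
INVENTORY = [
    AISystem("resume-screener", "A. Patel", "high", 90, date(2025, 10, 1), [Metric("accuracy", 0.81, 0.90)]),
    AISystem("hr-chatbot", "", "medium", 180, date(2026, 1, 15)),
    AISystem("demand-forecast", "J. Lee", "low", 365, date(2025, 6, 1), [Metric("within_error_band", 0.97, 0.95)]),
]
```

Running `corrective_actions(INVENTORY, evaluate(INVENTORY, TODAY), TODAY)` yields the audit trail the MANAGE step asks for: an overdue review and an accuracy breach on the high-tier system due within a week, and an unowned chatbot escalated to the governance body within 30 days.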

The organizations that sustain this are the ones that fold AI governance into the strategic-management process they already run, instead of standing up a separate, parallel system. When AI oversight lives in the same place as the strategic plan, the KPIs, and the board reports, it becomes routine rather than an extra burden.

Running the framework in ClearPoint

The functions of the AI RMF map cleanly onto what a strategy execution platform already does. ClearPoint is not a NIST module and it is not the only software that can support the framework — it is a system of record you can use to make the four functions executable:

  • GOVERN — give every AI initiative a named owner, a risk tier, role-based permissions, and a scheduled review.
  • MAP — keep one current inventory of AI use cases, tagged by department, context, data sensitivity, and purpose.
  • MEASURE — track outcome and risk metrics on dashboards with automated status evaluations and trend history.
  • MANAGE — run corrective actions with owners and deadlines, with an audit trail from detection to resolution.
  • Report — turn the whole portfolio into a board-ready report in minutes, not days.

That last point matters because the failure mode is rarely a missing policy; it is a missing owner. Across the 360,000+ measures ClearPoint customers track, 76.5% have no active owner — and measures that do have an owner are roughly 2.2× more likely to be on track (23.6% vs 10.6%). The same pattern decides whether AI governance is real or just written down: an AI initiative with an owner, a status, a risk tier, and a place on the board report is governed. One without is a line in a document.

If you want to put the framework to work, start with an AI initiative inventory (the MAP step), then build the governance program around it. For the wider strategy context, see our guide to strategic planning, or request a demo to see how ClearPoint gives every AI initiative an owner, a status, and a board-ready report.

Frequently asked questions

What are the four functions of the NIST AI RMF?

GOVERN, MAP, MEASURE, and MANAGE. GOVERN is a cross-cutting function covering culture, policy, and accountability; MAP establishes context and inventories AI systems; MEASURE analyzes, benchmarks, and monitors risk; and MANAGE allocates resources to prioritize, respond to, and remediate risks.

When was the NIST AI RMF released?

NIST AI 100-1 (AI RMF 1.0) was released on January 26, 2023. A companion Generative AI Profile, NIST-AI-600-1, followed on July 26, 2024. Version 1.0 remains the current edition as of 2026; there is no 2.0.

Is the NIST AI RMF mandatory?

No. The AI RMF is voluntary. It is increasingly referenced as a reasonable-care benchmark, and related rules such as OMB M-24-10 require federal agencies to maintain AI inventories and risk practices, but no statute mandates the NIST AI RMF by name.

What is the difference between the NIST AI RMF and the Generative AI Profile?

The AI RMF (NIST AI 100-1) is the general framework and its four functions. The Generative AI Profile (NIST-AI-600-1, July 2024) is a companion document that applies the framework specifically to generative AI, with 12 risk categories and more than 200 suggested actions.

How does ClearPoint support the NIST AI RMF?

ClearPoint is a strategy execution system of record — not a NIST module — that you can use to make the four functions executable: assign an owner and risk tier to each AI initiative (GOVERN), keep a current inventory of use cases (MAP), track outcome and risk metrics on dashboards (MEASURE), run corrective-action workflows with audit trails (MANAGE), and produce a board-ready report in minutes.