NIST Risk Management Framework: From Systems to AI

## Key takeaways

  • The NIST Risk Management Framework (RMF) is a seven-step process defined in NIST SP 800-37 Rev 2 that builds security, privacy, and supply chain risk management into a system’s life cycle.
  • The seven steps are Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor, with controls drawn from NIST SP 800-53.
  • SP 800-37 is the process and SP 800-53 is the control catalog: the distinction resolves the most common point of confusion.
  • For artificial intelligence, NIST published a separate companion, the AI Risk Management Framework (NIST AI 100-1), built around four functions: Govern, Map, Measure, and Manage.
  • The classic RMF and the AI RMF are complementary, and both can feed one governance program aligned to ISO/IEC 42001 and the EU AI Act.

## What is the NIST Risk Management Framework?

The NIST Risk Management Framework is the United States government’s structured method for managing security and privacy risk across the life of an information system. It is maintained by the National Institute of Standards and Technology and defined primarily in NIST SP 800-37 Rev 2. In NIST’s own words, the framework “provides a process that integrates security, privacy, and cyber supply chain risk management activities into the system development life cycle.”

Two design choices make the RMF durable. First, it is technology-neutral. NIST states that “the RMF approach can be applied to new and legacy systems, any type of system or technology (e.g., IoT, control systems), and within any type of organization regardless of size or sector.” Second, it treats risk as a continuous property of a system rather than a one-time audit. A system is authorized to operate on the basis of accepted risk, then monitored so the authorization stays honest as the system and its threats change.

The RMF began as a federal instrument tied to the Federal Information Security Modernization Act, yet its discipline (categorize, control, assess, authorize, monitor) has been adopted well beyond government. It is the backbone that many private governance, risk, and compliance programs quietly inherit, which is why understanding it pays off even outside the public sector.

## The seven steps of the RMF

SP 800-37 Rev 2 organizes the framework into seven steps. The first, Prepare, was added in Revision 2 to set organizational context before any single system is assessed.

  1. Prepare. Establish the organizational and system-level context for managing risk: assign roles, set a risk management strategy, define risk tolerance, and draft control baselines. This step exists so that later decisions are made against a known appetite for risk, not improvised system by system.
  2. Categorize. Classify the system and the information it processes by the impact that a loss of confidentiality, integrity, or availability would cause. Categorization sets the ambition level for everything that follows: a high-impact system inherits a far stricter control baseline than a low-impact one.
  3. Select. Choose the set of controls that fit the categorization, drawn from the NIST SP 800-53 catalog, then tailor them to the system. Tailoring is where judgement enters: organizations add, remove, or adjust controls to match real conditions.
  4. Implement. Deploy the selected controls and document how each one is realized in the system. The documentation is not bureaucracy for its own sake: it is the evidence the next step assesses.
  5. Assess. Determine whether the controls are in place, operating as intended, and producing the desired outcome, using the methods in SP 800-53A. Findings feed a plan of action for any gaps.
  6. Authorize. A senior official reviews the residual risk and makes an accountable, risk-based decision to authorize the system to operate, or to withhold that authorization. This is the moment a named human owns the risk.
  7. Monitor. Continuously track control effectiveness, system changes, and new threats, feeding findings back into the earlier steps.

The loop matters more than any single step. Monitoring is not the end of the process: it is the trigger that sends a system back to Categorize or Select when something material changes, which is what keeps an authorization from going stale.
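A minimal model of that loop, added here as an illustration and not code from NIST or this article: Categorize applies the FIPS 199 high-water mark that SP 800-37 relies on, Select picks a baseline by impact level, Authorize only succeeds with no open findings, and Monitor sends the system back to Categorize when a new information type raises the impact. The control identifiers and baseline contents are constructed sample values, not SP 800-53 entries.

```python
# Added example: simplified RMF life cycle (not NIST's own tooling).
# Control IDs and baseline membership below are constructed samples.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}
BASELINES = {  # constructed; real SP 800-53 baselines are far larger
    "low": {"ACCESS-1", "AUDIT-1"},
    "moderate": {"ACCESS-1", "AUDIT-1", "IDENT-2", "MON-1"},
    "high": {"ACCESS-1", "AUDIT-1", "IDENT-2", "MON-1", "ACCESS-3", "IR-2"},
}

def categorize(info_types):
    """FIPS 199 high-water mark: highest C/I/A impact over all info types."""
    ratings = [lvl for impacts in info_types.values() for lvl in impacts]
    return max(ratings, key=LEVELS.__getitem__)

@dataclass
class System:
    name: str
    info_types: dict  # info type -> (confidentiality, integrity, availability)
    impact: str = ""
    controls: set = field(default_factory=set)
    authorized: bool = False

    def run_to_authorize(self, assessment):
        """Categorize -> Select -> Assess -> Authorize; returns open findings."""
        self.impact = categorize(self.info_types)        # step 2
        self.controls = set(BASELINES[self.impact])     # step 3 (untailored)
        failing = sorted(c for c in self.controls       # step 5: assessor results
                         if not assessment.get(c, False))
        self.authorized = not failing                   # step 6: no open gaps
        return failing                                  # plan-of-action items

    def monitor(self, info_type, impacts):
        """Step 7: a new information type is a material change; re-categorize."""
        self.info_types[info_type] = impacts
        if categorize(self.info_types) != self.impact:
            self.authorized = False  # authorization is stale: back to Categorize
            return "recategorize"
        return "authorized" if self.authorized else "unauthorized"
```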

## Who runs the RMF: the key roles

The RMF assigns risk to people, not just to documents. Three roles carry most of the weight. The Authorizing Official is the senior leader who accepts residual risk and signs the authorization to operate. The System Owner is accountable for the system across its life cycle and for keeping its controls current. The Assessor independently tests whether controls work, which is why the assess step is meant to be separate from the people who implemented them. Clear ownership is the difference between a framework that lives and a binder that gathers dust.

## SP 800-37 vs SP 800-53 (and the wider document family)

A frequent question is the difference between SP 800-37 and SP 800-53. The short answer: one is the process, the other is the parts list.

  • SP 800-37 defines the RMF process: the seven steps and the roles that run them.
  • SP 800-53 is the catalog of security and privacy controls you select from in step three and implement in step four.
  • SP 800-53A provides the procedures for assessing whether those controls work, used in step five.
  • SP 800-30 covers how to conduct a risk assessment.
  • SP 800-39 describes managing information security risk at the organization level, the layer the Prepare step draws on.
  • SP 800-137 defines information security continuous monitoring, the engine behind step seven.

Read together, these publications explain why the RMF feels heavier than a checklist: it is a small library, not a single document, and each step leans on a different reference. People sometimes describe the framework as having five components (the categorization scheme, the control catalog, the assessment procedures, the authorization decision, and continuous monitoring), which is a useful mental model, but the seven-step process is the authoritative structure.

## Why classic risk methods fall short for AI

The RMF was designed for systems whose behavior is specified in advance. You can categorize them, select controls, and assert that those controls hold because the system does what its documentation says. Artificial intelligence breaks that assumption in three ways.

First, AI systems are socio-technical. Their risk lives as much in how people interpret and act on outputs as in the code, so a purely technical control set misses real harm. Second, they are data-dependent and probabilistic: the same model can pass testing and still behave badly in production because the data shifted, not because a control failed. Third, AI introduces harms that confidentiality, integrity, and availability thinking was never meant to catch, including discriminatory bias, confabulated output presented as fact, and consequential decisions that no one can explain.

None of this makes the RMF wrong. It makes it incomplete for AI. A model can sit on perfectly authorized infrastructure and still produce biased decisions, because the risk has moved from the platform to the behavior. That gap is exactly what NIST set out to close with a dedicated framework.

## The NIST AI Risk Management Framework (AI RMF 1.0)

In January 2023, NIST released the Artificial Intelligence Risk Management Framework, NIST AI 100-1, usually shortened to the AI RMF. It is voluntary, sector-agnostic, and built to help organizations design, develop, deploy, and use AI systems while managing risk to individuals, organizations, and society. Where the classic RMF secures a system, the AI RMF governs whether an AI system is trustworthy.

### The four functions: Govern, Map, Measure, Manage

The AI RMF Core is organized around four functions rather than sequential steps:

  • Govern establishes the culture, policies, roles, and accountability for AI risk, and it runs across every other function rather than being a single phase.
  • Map establishes context: what the AI system is for, who it affects, and what could go wrong, which is enough to inform an initial go or no-go decision.
  • Measure uses quantitative, qualitative, and mixed methods to analyze, benchmark, and monitor the risks identified in Map.
  • Manage allocates resources to treat the prioritized risks, including response, recovery, and communication when something goes wrong.

Govern is deliberately the anchor. Without it, Map, Measure, and Manage become one-off exercises that fade once the launch pressure passes. With it, they become a standing capability.

### The trustworthy AI characteristics

The four functions exist to operationalize what NIST calls trustworthy AI. The framework names seven characteristics: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. These are not boxes to tick once. They trade off against each other (a more explainable model may be less accurate, a more private one harder to audit), and the framework expects organizations to balance them in context rather than maximize one in isolation.

## RMF vs AI RMF: how the two relate

It is tempting to treat the two frameworks as rivals. They are not. They answer different questions about the same system.

| Dimension | Classic RMF (SP 800-37) | AI RMF (AI 100-1) |
|---|---|---|
| Object | Information system | Socio-technical AI system |
| Structure | Seven sequential steps | Four continuous functions |
| Risk lens | Confidentiality, integrity, availability | Trustworthiness and societal impact |
| Status | Mandatory for US federal systems | Voluntary |
| Controls | SP 800-53 catalog | Playbook actions, no fixed catalog |

In practice, an AI system on federal infrastructure may sit inside both at once: the RMF authorizes the platform to operate, while the AI RMF governs the model’s trustworthiness. For most private organizations, the useful move is to keep their existing RMF-style controls and add the AI RMF functions on top, rather than replace one with the other. The instinct is the same in both: name the risk, treat it, and keep watching.

## From framework to governance program

A framework is only as good as the program that runs it. NIST published two companions that turn the AI RMF from principles into practice.

The AI RMF Playbook maps each subcategory of the four functions to concrete suggested actions, references, and guidance. It is a living document, updated roughly twice a year, and it is the most operational NIST AI artifact for teams that need to know what to actually do rather than what to aspire to.

The Generative AI Profile, NIST AI 600-1, published in July 2024, applies the framework to generative systems. It identifies twelve risks that are unique to or amplified by generative AI, from confabulation and harmful bias to information security and value chain exposure, and offers more than two hundred recommended actions mapped back to Govern, Map, Measure, and Manage.

The final step is connecting all of this to the standards an organization is actually audited against. The AI RMF maps cleanly onto ISO/IEC 42001, the management-system standard for AI, and its functions align with the obligations in the EU AI Act. A program that records each function as concrete controls, owners, and evidence is what converts a voluntary framework into something defensible. That is the work an AI governance platform is built to carry: turning Govern, Map, Measure, and Manage into living controls with an audit trail, mapped to ISO/IEC 42001 and the EU AI Act in one place, so the same effort satisfies the framework and the regulation at once.

## Frequently asked questions

What is the difference between NIST 800-37 and 800-53? SP 800-37 is the Risk Management Framework process: the seven steps and the roles that execute them. SP 800-53 is the catalog of security and privacy controls you select and implement during that process. You use them together: 800-37 tells you when to choose controls, and 800-53 tells you which controls exist.

How many steps are in the NIST Risk Management Framework? Seven: Prepare, Categorize, Select, Implement, Assess, Authorize, and Monitor. Older material sometimes lists six, because the Prepare step was added in SP 800-37 Rev 2 in 2018.

Is the NIST AI Risk Management Framework mandatory? No. The AI RMF is voluntary for the private sector. It can still become a practical requirement through contracts, procurement, or as evidence of due diligence, and it aligns closely with binding regimes such as the EU AI Act.

What are the four functions of the NIST AI RMF? Govern, Map, Measure, and Manage. Govern runs across the whole life cycle, while Map, Measure, and Manage can be applied at specific stages and to specific AI systems.

How does the NIST AI RMF relate to ISO/IEC 42001? They are complementary. ISO/IEC 42001 is a certifiable management-system standard for AI, while the AI RMF is a voluntary risk framework. The AI RMF functions map onto ISO/IEC 42001 controls, so organizations often use the framework to operationalize the standard.

Can the classic RMF and the AI RMF be used together? Yes, and for AI systems on regulated infrastructure they often must be. The classic RMF authorizes and secures the underlying system, and the AI RMF governs the trustworthiness of the AI. Running both closes a blind spot that either one alone would leave open.

## Conclusion

The NIST Risk Management Framework remains the reference model for managing risk across a system’s life: categorize, control, assess, authorize, and monitor, with SP 800-53 supplying the controls. Artificial intelligence does not retire that discipline; it extends it. The AI RMF keeps the same risk-management instinct but re-centers it on trustworthiness through Govern, Map, Measure, and Manage. Organizations that treat the two as one continuum, then map them to ISO/IEC 42001 and the EU AI Act inside a single governance program, turn a pair of frameworks into an operating system for responsible AI. That is the practical path from a NIST document to governance you can actually defend.
