
NIST AI RMF in plain English

NIST AI RMF is the U.S. government's voluntary playbook for using AI safely. It's good. It's also written for compliance professionals. Here's the version for owners.

Reviewed by Level Up Automate. This is general information, not legal advice. Confirm specifics with your own counsel.

TL;DR
  • NIST AI RMF is voluntary, not law. But it's becoming the de facto standard customers and insurers reference.

  • It boils down to four functions: Govern, Map, Measure, Manage. Most small businesses can demonstrate the first two with the artifacts on this site.

  • Adopting NIST does not require certification. You either follow it or you don't — and you can show your work.

What it is

NIST stands for the National Institute of Standards and Technology, the U.S. government body that publishes guidelines on cybersecurity, measurement, and AI. The AI Risk Management Framework (AI RMF) is their playbook for organizations that use or build AI systems.

It is voluntary. There is no NIST AI RMF certification. Adoption is a choice you make to demonstrate that you take AI risk seriously.

The four functions, explained

NIST AI RMF organizes work into four functions. You can think of them as four questions any responsible AI program should be able to answer.

  • Govern — who is accountable, what are the policies, how do we review? (For most small businesses: a one-page policy and a quarterly review meeting.)
  • Map — what AI are we using, what does it do, and where could it go wrong? (Your tool inventory plus your three-bucket risk assessment.)
  • Measure — how are we tracking whether AI is working safely? (Define a few metrics: incidents, near-misses, customer complaints involving AI output.)
  • Manage — when issues come up, how do we respond and improve? (Your incident response playbook and your never-again notes.)

What 'adopting NIST' actually looks like

For a 30-person business: a written policy, a tool inventory, a risk assessment per tool, an incident playbook, and a quarterly review. That's it. You don't need to map every NIST sub-control. You need to be able to point to your artifacts when someone asks how you handle each of the four functions.

For a regulated business or one with enterprise customers: expect customers to send you a NIST-RMF-flavored questionnaire. Your job is to demonstrate that the artifacts above exist and are kept current.

What this site gives you

Walk through the artifacts on this site and you'll have a defensible NIST-aligned program for a non-regulated small business.

  • [AI Policy Template](/ai-governance/ai-policy-template) — the Govern function.
  • [Risk Assessment guidance](/ai-governance/risk-assessment) and [vendor due diligence](/ai-governance/vendor-questions) — the Map function.
  • [Incident response playbook](/ai-governance/incident-response) plus a quarterly review meeting — the Measure and Manage functions.

Common questions

Plain-English answers

Is NIST AI RMF required by law?

No. It is voluntary. But many federal contracts, customer questionnaires, and insurer questionnaires now reference it as the expected standard for AI risk management.

Can we get NIST-certified?

There's no official certification. You can self-attest, and third parties can review your program against NIST's expectations — but the framework itself doesn't issue certificates.

How does this differ from ISO 42001?

NIST AI RMF is a U.S.-origin, voluntary framework. ISO/IEC 42001 is an international management-system standard you can be certified against. Many enterprises adopt both. See our [ISO 42001 page](/ai-governance/frameworks/iso-42001).
Next step

Want a hand getting this right?

A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.