NIST AI Risk Management Framework 1.0 + Generative AI Profile
NIST AI Risk Management Framework 1.0 (AI RMF) is a voluntary framework published 26 January 2023 by NIST under the National AI Initiative Act of 2020. It has four core functions: GOVERN (cultivate risk-management culture), MAP (establish context and characterise risks), MEASURE (analyse and assess risks), MANAGE (prioritise and act on risks), with 19 categories and 72 subcategories in total.

The Generative AI Profile (NIST AI 600-1, July 2024) adds GenAI-specific actions across the 12 GenAI risks: CBRN information; confabulation; dangerous/violent/hateful content; data privacy; environmental impacts; harmful bias; human-AI configuration; information integrity; information security; intellectual property; obscene/degrading content; value chain and component integration.

NIST has NOT published AI RMF 2.0 as of May 2026 — v1.0 remains canonical, though the AI Action Plan indicates revision is underway. Companion resources in active development include the Cybersecurity Framework 2.0 Cyber AI Profile (NIST IR 8596 ipd, December 2025 preliminary draft; comments closed 30 Jan 2026), the AI Agent Standards Initiative launched through CAISI in February 2026 (the US AI Safety Institute became the Center for AI Standards and Innovation in mid-2025), the Trustworthy AI in Critical Infrastructure Profile concept note (April 2026), and Control Overlays for Securing AI Systems (COSAiS) on SP 800-53.

The framework is voluntary but widely adopted, including by US federal agencies and sector regulators (FTC, CFPB, FDA, SEC, EEOC). It is cross-mapped to ISO/IEC 42001, the EU AI Act, the OECD AI Principles and CSA AICM (August 2025 AICM↔AI 600-1 mapping). B9 expansion: 28 operationally consequential subcategories + 10 GenAI Profile risk-specific controls.
Composition
58 controls currently indexed; participates in 23 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- AI conformity assessment, EU database registration, regulatory sandbox
- AI content labelling — testing consent, deep fakes, SGI, deployer notices
- AI data governance — provenance, preparation, external reporting
- AI governance lifecycle — GOVERN function and inventory
- AI incident reporting — serious incidents to authorities
- AI lifecycle — policies, safety mindset, environmental impact
- AI policy and AIMS leadership commitment
- AI post-deployment monitoring and incident response
- AI principles — Seven Sutras + ISO 42001 + NIST + EU AI Act literacy
- AI resource inventory — data, tooling, systems, people across AI lifecycle
- AI risk classification — EU AI Act high-risk + GPAI + NIST risks
- AI roles and responsibilities across the lifecycle
- AI supplier management — third-party AI systems and components
- AI system impact assessment (AISIA / FRIA / DPIA convergence)
- AI transparency — fairness, explainability, deep fake disclosure
- AI-generated content provenance — C2PA, watermarking, SGI
- Automated Decision-Making Technology — pre-use notice, opt-out, access rights
- GDPR Article 35 DPIA + cross-jurisdiction high-risk assessment
- General-Purpose AI model provider obligations
- India-specific AI risk classification reflecting societal context
- Processing integrity — change management, redundancy, clock synchronisation, storage integrity
- Responsible AI use — operational guardrails
- SDF algorithmic due diligence and traffic-data localisation