NIST AI Risk Management Framework

Scope and obligations

Voluntary. Four functions (Govern / Map / Measure / Manage). GenAI Profile (NIST AI 600-1) added 2024 for GPAI-specific guidance.

NIST AI Risk Management Framework addresses 2 contested AI-governance topics explicitly, 6 via general principles,.

Topics governed

• governs
  Foundation Models / GPAI— GenAI Profile (NIST AI 600-1, 2024)
• implicit
  Deepfakes / Synthetic Content— GenAI Profile addresses synthetic content
• governs
  Transparency Obligations— Trustworthy characteristics 5 (transparency) + 6 (explainability)
• implicit
  Individual Redress— Accountability characteristic
• implicit
  Training-Data Rights— Manage 4: data integrity
• implicit
  Catastrophic & Existential Risk— Map 1.1 risk classification covers catastrophic via 'societal' impact tier; GenAI Profile (2024) adds explicit content
• implicit
  Agentic AI Governance— Map / Manage functions apply to autonomous systems; no agent-specific profile yet
• implicit
  Synthetic Content Provenance— General framework applies; provenance-specific guidance lives in the GenAI Profile

Enforcement record

Documented enforcement actions catalogued against NIST AI Risk Management Framework (or against rules that this instrument now subsumes).

• FTC investigation of OpenAIUS · 2023 · ongoing
  Federal Trade Commission v. OpenAI — Civil Investigative Demand alleging consumer-protection violations: misleading claims about ChatGPT capabilities, training-data privacy, and consumer harm from hallucinations.
  Lesson: First US federal enforcement action against a frontier-AI developer. Establishes that pre-AI-statute consumer-protection authority (FTC §5) can be applied to AI services — supports the US 'sectoral / ex-post liability' regime (vs EU's ex-ante AIA). Action remains pending; no judgment yet.
  Source record →news secondary

Cross-jurisdiction comparison

How peer instruments treat the topics NIST AI Risk Management Framework governs.

°= industry self-imposed voluntary framework. Comparing a voluntary code's "governs" tint with a binding regulation's "governs" tint flattens the legal-force distinction; use the instrument-page banner for the operative status of each.

How to cite this article

Policy Window. (2023). NIST AI Risk Management Framework [Wiki article — Instrument]. https://policywindow.org/wiki/nist-ai-rmf

Policy Window. 2023. "NIST AI Risk Management Framework." Wiki article (Instrument). https://policywindow.org/wiki/nist-ai-rmf.

@misc{policywindow-nist-ai-rmf,
  title  = {NIST AI Risk Management Framework},
  author = {Policy Window},
  year   = {2023},
  howpublished = {NIST AI 100-1},
  url    = {https://policywindow.org/wiki/nist-ai-rmf},
  note   = {Primary source: https://www.nist.gov/itl/ai-risk-management-framework}
}

Related debates — rival interpretations & counterevidence

Structured controversies where this instrument's provisions are the locus of disagreement. Each debate page lays out the competing positions with primary-source citations.

• Pre-Deployment Red-Team vs Post-Deployment Audit — Should AI capability + safety evaluations happen primarily before deployment (red-team gating release), or primarily after (post-deployment audit + incident response)?
• Risk-Based vs Principles-Based vs Ex-Post Liability Regimes — Should AI governance work via (a) risk-based ex-ante categorisation + obligations (EU), (b) high-level principles delegated to sector regulators (UK / OECD / G7), or (c) ex-post liability + civil litigation (US sectoral)?

Related instruments

• EU AI Act · EU
• G7 Hiroshima AI Process Code of Conduct · G7
• Seoul Declaration on Safe, Innovative and Inclusive AI · global
• NIST AI RMF Generative AI Profile · US
• Brazil AI Bill (PL 2338/2023) · BR
• Anthropic Responsible Scaling Policy (RSP) v2 · US
• Meta Frontier AI Framework · US
• White House Voluntary AI Commitments · US
• Singapore Model AI Governance Framework for Generative AI · SG
• Japan METI AI Guidelines for Business · JP