
NIST AI RMF — voluntary, but how serious tech companies talk about AI risk.

NIST AI 100-1, published January 2023. A voluntary framework, but already the de-facto operating standard for US tech companies, federal contractors, and any non-EU company that wants a credible alternative to ISO 42001 certification. The GenAI Profile (NIST AI 600-1) extends the framework to generative AI specifically.

The four core functions

  1. Govern — organisational policies, roles, accountability. Cross-cuts the other three. The function most companies underweight at the start and overweight by year two.
  2. Map — establish context, categorise the AI system, identify risks. Applies before deployment and continuously.
  3. Measure — analyse, assess, benchmark, monitor risks. Quantitative where possible; qualitative where not.
  4. Manage — prioritise, respond to, recover from, communicate risks.

Each function is broken into categories and subcategories. The Playbook (a separate companion document) gives suggested actions per subcategory. Treat the Framework as the standard, the Playbook as an opinionated implementation guide.

RMF vs ISO 42001 vs EU AI Act

These three regimes are increasingly run in parallel. The structural differences are set out in a side-by-side comparison: when to pick one, when to run both.

The GenAI Profile

NIST AI 600-1 — the Generative AI Profile, July 2024 — extends the RMF for the risks that emerge specifically with generative systems: confabulation, data privacy, environmental impact, harmful bias and homogenisation, human–AI configuration, information integrity, information security, intellectual property, obscene/abusive/hateful content, dangerous content, value chain and component integration. Each risk maps back to RMF subcategories, with suggested actions.

30-day onboarding

The framework is comprehensive — that's a feature for mature programmes and a problem for week one. Our 30-day plan walks an AI-first company from no programme to a defensible Map / Measure / Manage cycle on the highest-risk systems first, with Govern bolted on in parallel.

Where Sia RegAI fits

Sia RegAI ingests the RMF, the Playbook, the GenAI Profile, and any sector-specific NIST AI 100-2 guidance. It produces the function/category/subcategory tree as a navigable obligation set, maps to your existing AI inventory, scores gaps, and drafts the policies that close them. Where you're already running ISO 27001 or ISO 9001, the shared annex controls are highlighted so you don't duplicate work.

Run NIST AI RMF on your own AI inventory.

A 45-minute walkthrough on a regulation and policy of your choosing. We bring the platform; you keep the output.