NIST AI 100-1: AI Risk Management Framework | The Rolling Thunder Security Codex

As artificial intelligence systems become embedded in critical infrastructure, hiring decisions, medical diagnostics, and national security, the question shifts from whether AI needs governance to how. NIST AI 100‑1 provides the first comprehensive, voluntary federal framework for thinking about AI risk systematically (National Institute of Standards and Technology [NIST], 2023).

Document Background

The AI Risk Management Framework (AI RMF 1.0) was released on January 26, 2023, following a multi‑year development process that included three public drafts, a request for information, several workshops, and input from over 240 organizations and individuals. Congress directed NIST to develop the framework through the National AI Initiative Act of 2020 (NIST, 2023).

The AI RMF is designed to be voluntary, rights‑preserving, non‑sector‑specific, and use‑case agnostic. It applies to any organization that designs, develops, deploys, or uses AI systems, regardless of whether those systems are commercial products, government tools, or research prototypes. Unlike a compliance checklist, it is a flexible framework that organizations can adapt to their specific context and risk tolerance (NIST, 2023).

Why It Matters

The AI RMF is rapidly becoming the reference point for AI governance across sectors. Executive Order 14110 (October 2023) on Safe, Secure, and Trustworthy AI directed federal agencies to use the AI RMF as a foundation for their AI risk management practices. Private‑sector organizations are adopting it voluntarily as a way to demonstrate responsible AI practices to regulators, customers, and the public.

What the AI RMF Does

The AI RMF helps organizations think about AI risks at every stage of the AI lifecycle, from initial concept through design, development, deployment, operation, and decommissioning. It recognizes that AI risks are different from traditional software risks in important ways (NIST, 2023).

First, AI systems can behave unpredictably. Unlike conventional software where outputs follow deterministic logic, machine learning models can produce unexpected results when they encounter data that differs from their training distribution. Second, the harms from AI can extend beyond the technical realm to include societal impacts like discrimination, loss of privacy, and erosion of trust. Third, AI risks are often emergent, meaning they may not be apparent until a system is deployed at scale in real‑world conditions.

The framework introduces the concept of AI actors: the people and organizations involved at each stage of the AI lifecycle. These include data scientists, engineers, product managers, executives, end users, and affected communities. Understanding who the AI actors are and what decisions they make is essential to managing risk effectively (NIST, 2023).

Key Design Principle

The AI RMF is intentionally not a compliance standard. It does not include certification processes, conformity assessments, or pass/fail criteria. Instead, it provides a structured way for organizations to identify, assess, and manage AI risks according to their own priorities and risk appetite. This flexibility is a feature, not a limitation.

The Four Functions

The AI RMF is organized around four core functions. If you are familiar with the NIST Cybersecurity Framework (CSF), the structure will feel familiar. Each function contains categories and subcategories that provide more specific guidance (NIST, 2023).

Govern

The Govern function is cross‑cutting. It establishes the organizational structures, policies, and processes needed to manage AI risk. This includes defining roles and responsibilities, setting risk tolerances, establishing accountability mechanisms, and fostering a culture of responsible AI development. Govern applies to and informs all other functions.

Key activities include: establishing AI risk management policies, defining organizational AI principles, creating oversight structures, engaging diverse stakeholders, and documenting decisions and rationale.
Map

The Map function is about context. Before you can manage the risks of an AI system, you need to understand what the system does, who it affects, and where the risks might emerge. Mapping involves identifying the intended and potential unintended uses of the system, understanding the operational environment, and recognizing the stakeholders and communities that may be impacted.

Key activities include: defining the AI system's purpose and scope, identifying affected stakeholders, cataloging data sources and their limitations, and assessing the potential for bias and other harms.
Measure

The Measure function focuses on assessment. It involves developing and applying metrics, methodologies, and tools to evaluate AI risks and the trustworthiness of AI systems. Measurement should occur throughout the AI lifecycle, not just at deployment. This function also emphasizes the importance of tracking known limitations and documenting the conditions under which the system performs well or poorly.

Key activities include: selecting appropriate metrics for the AI system's context, conducting bias testing, evaluating robustness and reliability, and documenting model performance and limitations.
Manage

The Manage function is about action. Based on what has been mapped and measured, organizations take steps to treat, mitigate, or accept identified AI risks. This includes deploying controls, monitoring systems in production, establishing incident response procedures, and making decisions about whether to continue, modify, or discontinue an AI system.

Key activities include: implementing risk treatments, monitoring deployed systems for performance degradation, establishing processes for user feedback and incident reporting, and maintaining the ability to decommission systems that pose unacceptable risks.

Trustworthy AI Characteristics

The AI RMF defines seven characteristics of trustworthy AI systems. These are not binary pass/fail criteria but rather dimensions along which organizations should evaluate their AI systems. Tensions can exist between these characteristics, and organizations must make informed trade‑offs (NIST, 2023).

The seven characteristics of trustworthy AI (NIST, 2023)
Characteristic	Description
Valid and Reliable	The system performs as intended for its defined conditions of use, produces consistent outputs, and meets performance requirements. Validation confirms the right system was built; reliability ensures it performs consistently over time.
Safe	The system does not endanger human life, health, property, or the environment under defined conditions. Safety considerations include both normal operation and foreseeable misuse scenarios.
Secure and Resilient	The system can withstand adversarial attacks (such as data poisoning, model evasion, and prompt injection) and can recover or degrade gracefully when compromised. This is the characteristic most directly connected to cybersecurity.
Accountable and Transparent	The system's development and deployment processes are documented and traceable. Stakeholders can understand who is responsible for the system, what data it was trained on, and what decisions it makes.
Explainable and Interpretable	The system's outputs can be understood by relevant stakeholders. Explainability refers to describing how the system works in human‑understandable terms. Interpretability refers to the ability to understand the meaning of the system's outputs in context.
Privacy‑Enhanced	The system protects personal and sensitive information throughout the AI lifecycle, from data collection through model training, deployment, and decommissioning. Privacy risks in AI can go beyond traditional data privacy to include inference risks and re‑identification.
Fair with Harmful Bias Managed	The system is developed and used in ways that actively identify and mitigate harmful biases. This includes biases in training data, algorithmic design, and deployment context. Fairness is not a single metric but a multifaceted consideration that depends on the use case and affected communities.

Tensions and Trade‑offs

These characteristics can conflict. For example, making a model more explainable may reduce its accuracy (and thus its validity and reliability). Enhancing privacy through techniques like differential privacy can reduce model performance. The AI RMF acknowledges these tensions and asks organizations to make deliberate, documented decisions about how to balance them rather than optimizing for one characteristic at the expense of others.

Parallels with CSF 2.0

Students who have studied the NIST Cybersecurity Framework (CSF) will notice structural similarities with the AI RMF. This is intentional. NIST designed the AI RMF to be compatible with and complementary to the CSF (NIST, 2023).

Mapping AI RMF functions to CSF 2.0 functions
AI RMF Function	CSF 2.0 Parallel	Shared Focus
Govern	Govern (GV)	Both establish organizational context, risk strategy, policies, and oversight structures as a cross‑cutting foundation. CSF 2.0 added Govern in its 2024 update, mirroring the AI RMF's emphasis on governance as foundational.
Map	Identify (ID)	Both focus on understanding the environment, assets, and risks before taking action. Map in the AI RMF is about understanding the AI system's context; Identify in CSF is about understanding the organization's cybersecurity environment.
Measure	Detect (DE)	Both emphasize monitoring and assessment. Measure evaluates AI system performance, bias, and risk indicators. Detect identifies cybersecurity events and anomalies.
Manage	Respond (RS) / Recover (RC)	Both address taking action on identified risks. Manage covers risk treatment for AI systems. Respond and Recover address incident handling and restoration in cybersecurity.

The parallels are not exact, and the AI RMF addresses concerns (bias, explainability, societal impact) that fall outside the traditional scope of cybersecurity. But the structural similarity means that organizations already using the CSF have a mental model and governance infrastructure they can extend to cover AI risks (NIST, 2023).

For Rolling Thunder Security Students

If you understand the CSF's Identify‑Protect‑Detect‑Respond‑Recover structure, you already have the conceptual scaffolding for the AI RMF. The AI RMF adds a governance layer (which CSF 2.0 now also includes) and replaces security‑specific functions with AI‑specific ones, but the logic of identifying risks, measuring them, and managing them is the same disciplined process.

Citing This Document (APA 7)

The AI RMF uses the AI 100 series designation rather than the SP 800 series, but it follows the same APA 7 citation format as other NIST publications: the agency as author, the report number in parentheses, and the parent department as publisher.

Format Demonstration

Reference list entry: National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0) (NIST AI 100‑1). U.S. Department of Commerce. https://doi.org/10.6028/NIST.AI.100-1
First in‑text citation: (National Institute of Standards and Technology [NIST], 2023)
Subsequent in‑text citations: (NIST, 2023)
Narrative citation: The National Institute of Standards and Technology (NIST, 2023) structured the AI RMF around four core functions: Govern, Map, Measure, and Manage.

References

National Institute of Standards and Technology. (2023). Artificial intelligence risk management framework (AI RMF 1.0) (NIST AI 100‑1). U.S. Department of Commerce. https://doi.org/10.6028/NIST.AI.100‑1
National Institute of Standards and Technology. (2023). AI RMF playbook. U.S. Department of Commerce. https://airc.nist.gov/AI_RMF_Playbook
The White House. (2023). Executive Order 14110: Safe, secure, and trustworthy development and use of artificial intelligence. Federal Register. https://www.federalregister.gov/documents/2023/11/01/2023‑24283