The National Institute of Standards and Technology (NIST) AI Risk Management Framework provides enterprises with a structured model for managing AI-related risks. It helps organizations identify, measure, and mitigate the risks posed by AI systems across operations, compliance, and security.
The stakes for getting this right are rising fast. AI use is spreading across business functions faster than organizations can govern it, while regulators, courts, and boards are asking for clearer oversight. That pressure now spans workforce governance, runtime protection, and agentic security.
The stakes for getting this right are rising fast. AI use is spreading across business functions faster than organizations can govern it: 40% of enterprise applications will include AI agents by 2026, up from less than 5% in 2025, while most governance programs are still catching up. That pressure now spans workforce governance, runtime protection, and agentic security.
This article breaks down the framework’s structure and core functions, examines the practical gaps enterprises face when implementing it, and outlines how to move from framework alignment to operational AI risk management.
Key takeaways
- The NIST AI Risk Management Framework provides organizations with a structured approach to governing AI risk through four core functions: GOVERN, MAP, MEASURE, and MANAGE. However, it remains a voluntary framework and not a certifiable standard.
- Enterprise AI risk is rising faster than many organizations can keep up with controlling it. It’s driven by shadow AI, legal exposure, board scrutiny, and the spread of generative and agentic systems.
- The framework helps define what trustworthy AI should look like. However, organizations still need cross-functional governance, a living AI inventory, continuous monitoring, nuanced policy enforcement, and runtime defenses to close practical gaps around shadow AI, autonomous agents, and audit-defensible documentation.
- For many organizations, the AI RMF works best as an operating model for AI risk management, while complementary controls, platforms, and standards such as ISO 42001 help turn alignment into an enforceable and auditable practice.
What the NIST AI Risk Management Framework covers
NIST AI 100-1 is a voluntary, use-case agnostic framework designed for organizations that design, develop, deploy, or use AI systems. Congress directed its creation through the National Artificial Intelligence Initiative Act of 2020. The framework applies across sectors and organization sizes, providing flexibility instead of rigid compliance checklists.
The document is organized into two parts:
- Part 1 establishes foundational concepts: how to frame AI risk, who the framework serves, and seven characteristics of trustworthy AI. Those characteristics are validity and reliability; safety, security and resilience; accountability and transparency; explainability and interpretability; privacy enhancement; and fairness with harmful bias managed.
- Part 2 contains the operational core: four functions, GOVERN, MAP, MEASURE, and MANAGE, that define what organizations should achieve, plus guidance on profiles and AI actor tasks.
Companion resources extend the core framework into more specific applications and implementation guidance. The Generative AI Profile (NIST AI 600-1), maps 12 risk categories and over 200 specific actions to generative AI systems. The Cybersecurity Framework Profile for AI (NIST IR 8596) was released as an initial preliminary draft in December 2025. It bridges NIST CSF 2.0 with the AI RMF, whileSP 800-53 controls are being addressed separately through the COSAiS overlays project, with an initial public draft of the Cyber AI Profile planned for release in 2026.
The framework’s voluntary status does not diminish its practical weight. Regulators across jurisdictions are increasingly drawing on similar risk-management concepts, and the EU AI Act’s risk-management requirements map structurally onto the framework’s four functions. For CISOs and compliance officers, alignment with NIST AI RMF is often a baseline expectation for auditors and boards.
You Can’t Secure What You Can’t See
WitnessAI gives you network-level visibility into every AI interaction across employees, models, apps, and agents. One platform. No blind spots.
Explore the PlatformHow the four core functions address enterprise AI risk
The AI RMF Core organizes AI risk management into four functions that work together across the AI lifecycle. These functions define outcomes, not sequential steps. GOVERN operates as a cross-cutting function across all stages, while MAP, MEASURE, and MANAGE address AI system-specific contexts.
The four functions work together in practice:
- GOVERN: Creates the organizational accountability architecture for AI risk management. It defines leadership responsibilities, risk tolerance boundaries, resource allocation, and the policies that make the other three functions operational.
- MAP: Requires organizations to establish context for each AI deployment, categorize systems, and document potential impacts. The practical prerequisite is straightforward: you must know what AI systems are operating before you can assess their risks.
- MEASURE: Employs quantitative, qualitative, or mixed-method tools to analyze, assess, benchmark, and monitor AI risk. In practice, modern AI risk management increasingly emphasizes continuous monitoring alongside assessment rather than relying only on periodic review cycles.
- MANAGE: Allocates resources to address the risks MAP and MEASURE have surfaced. Risk treatment plans, incident response, post-deployment monitoring, and decommissioning fall under this function.
When employees adopt unsanctioned AI tools across departments, a MAP implementation built on sanctioned-systems-only inventories can create a false sense of assurance. For agentic AI deployments, MANAGE is where agent behavior guardrails, circuit-breaker controls, and escalation paths live.
Your Employees Use 5x More AI Tools Than You Think
WitnessAI scans your entire network to catalog every AI app, agent, and conversation. No endpoint clients or browser extensions are required.
See How Observe WorksLimitations of the NIST AI risk management framework
The NIST AI Risk Management Framework tells organizations what trustworthy AI should look like. However, it deliberately leaves the how up to each organization, and that flexibility creates real implementation gaps.
Three areas stand out where the framework’s guidance alone falls short: detecting shadow AI without network-level visibility, governing autonomous agents that act beyond the framework’s original human-in-the-loop assumptions, and producing the audit-defensible documentation that regulators and boards expect.
Shadow AI defeats MAP without network-level visibility
Standard DLP, CASB, and network monitoring tools were designed for structured data and traditional traffic, making them poorly suited to identify AI-specific data flows or prompt-level interactions. NIST AI 600-1, mentioned earlier, includes an action to enumerate organizational GAI systems for incorporation into an AI system inventory, but these legacy tools miss much unsanctioned usage.
NIST IR 8596 (also mentioned before) identified gaps in securely implementing AI for organizational operations as a documented challenge area. An organization that inventories sanctioned AI applications but misses a large volume of unsanctioned usage still has a critical MAP gap.
Agentic AI breaks the framework’s original assumptions
The AI RMF 1.0 was designed around a premise: humans make the decisions. NIST recognized this gap and issued a Request for Information on agent security, receiving 937 public comments. Existing frameworks fall short on autonomous agents that act with discretion and adaptability, including ISO 27001, NIST CSF, and SOC. As mentioned earlier, 40% of enterprise applications will include AI agents by 2026, up from less than 5% in 2025. Agents inherit permissions, chain tool calls across systems without tool-call protection, and take irrevocable actions at machine speed.
The framework produces no audit-defensible documentation on its own
The AI RMF is voluntary and carries no certification mechanism. Unlike ISO 42001, it does not prescribe a certifiable audit structure. For organizations that need to demonstrate AI governance to EU AI Act regulators or board audit committees, framework alignment alone may not produce the proof they need.
Can You Prove How Your Organization Governs AI?
WitnessAI generates granular audit trails, enforces policies across every role and region, and redacts sensitive data before it ever leaves your network. Compliance-ready from day one.
See How Control WorksHow to close the gap between framework and enforcement
Closing the gap between NIST AI RMF alignment and operational AI risk management comes down to five structural investments. Each addresses a specific gap the framework identifies but does not solve on its own.
1. Stand up cross-functional AI governance before deploying the framework
Cross-functional governance is a structural prerequisite for AI risk management maturity. Organizations that treat AI governance as a board-level concern and integrate it into existing risk and audit committee oversight reach maturity faster than those that assign ownership solely to security or IT.
2. Build an AI system inventory that includes shadow AI and agents
Operationalize the inventory as a living system of record, not a one-time list. That means identifying AI applications and dependencies, distinguishing sanctioned from unsanctioned usage, assigning ownership, and mapping how agentic tools, plugins, and external servers connect across the environment before MAP assessments begin.
WitnessAI is the confidence layer for enterprise AI, enabling organizations to safely adopt and scale AI by providing unified visibility, governance, and runtime protection across human and agentic activity.
The platform’s Observe module provides network-level discovery across 4,000+ AI applications. The platform secures 250,000+ employees across 40+ countries. Organizations like InComm Payments use WitnessAI to maintain security and compliance while encouraging GenAI adoption. Agent and MCP server discovery identifies which agentic plugins teams have installed and which MCP servers they connect to.
3. Implement continuous monitoring, not periodic reviews
Regular AI system assessments significantly increase the likelihood of achieving high business value from generative AI. Organizations with real-time AI monitoring are meaningfully more likely to see revenue growth improvements. WitnessAI’s intent-based classification models interpret and categorize the intent behind AI interactions using machine learning engines that understand conversational context rather than keywords or regex patterns.
4. Enforce policies with nuance and deploy runtime defense
NIST AI 600-1 calls for acceptable use policies that define acceptable and restricted uses of AI applications, including policies for illegal or high-risk uses. Most legacy security tools default to binary enforcement: allow an entire application or block it. WitnessAI’s Control module enforces intent-aware policies through actions such as allow, warn, block, or route—enabling safe use rather than restricting it.
Sensitive queries can be automatically rerouted to approved internal models rather than being blocked outright.
Prompt injection can lead to disclosure of sensitive information and execution of arbitrary commands.WitnessAI’s Protect module delivers bidirectional runtime defense by inspecting prompts and model responses in both human-driven and agentic AI interactions.
Our platform achieves 99.7% true-positive guardrail efficacy, as validated by our customer organizations. Real-time data tokenization protects sensitive information before it reaches third-party models, then rehydrates it in the response.
5. Layer ISO 42001 for audit-defensible documentation
Use the NIST AI RMF as the risk management operating model and ISO 42001 as the certifiable audit structure, and design controls and evidence so that a single implementation can satisfy multiple frameworks simultaneously.
A single risk assessment can support multiple governance and compliance obligations simultaneously. WitnessAI supports this approach with immutable audit trails that capture AI interactions through the platform and SOC 2 Type II certification.
Runtime AI Threats Need Runtime Defense.
WitnessAI’s enterprise AI firewall delivers bidirectional runtime defense, blocking prompt injections, jailbreaks, and data exfiltration before they reach your models or your customers.
Explore ProtectBuilding the confidence layer for AI risk management
The NIST AI Risk Management Framework provides the structural vocabulary enterprise leaders need. GOVERN, MAP, MEASURE, and MANAGE define clear outcomes for trustworthy AI. The gap is operational: translating those outcomes into continuous visibility, intent-aware enforcement, and runtime defense across a workforce that now includes both human employees and autonomous agents.
WitnessAI gives security and AI teams a shared confidence layer that helps them move from hesitation to scaled AI adoption. Intent-based policies, bidirectional visibility, and runtime guardrails protect both human users and autonomous agents operating across the enterprise.
For organizations ready to operationalize their NIST AI RMF alignment, a demo is the fastest path to seeing how the confidence layer works in practice.