NIST AI RMF 1.0
Voluntary AI governance framework from NIST. GOVERN, MAP, MEASURE, MANAGE — four functions that organise the controls an AI-using organisation should ship.
What it is
NIST AI RMF 1.0 (released January 2023) is the United States’ voluntary AI risk-management framework. Adoption is widespread — most large regulated organisations reference it in their internal AI policy documents, and many regulators (the EU AI Office, the FCA’s GC23/2, the BoE’s MRM Principle 1 guidance) cross-reference it.
The framework organises AI governance into four functions:
- GOVERN — establish accountability, policy, and culture.
- MAP — categorise the AI system and its context.
- MEASURE — evaluate performance and risk.
- MANAGE — prioritise, treat, and monitor risks.
Each function has sub-categories (GOVERN-1.1, MAP-2.3, etc.) with specific actions.
How Regulus maps to it
Every Regulus audit event carries `framework_citations`. When the
`nist-ai-rmf` framework is active, events get tagged with the
specific sub-category IDs the event provides evidence for:
| Regulus control | NIST AI RMF citations emitted |
|---|---|
| Policy plugin (DENY decisions) | GOVERN-1.1, MANAGE-2.1 |
| Privacy plugin (PII redaction) | MEASURE-2.10, MANAGE-1.4 |
| Audit plugin (every event) | GOVERN-1.4, MANAGE-4.3 |
| Kill-switch plugin (engagement) | MANAGE-2.4, MAP-5.2 |
| Model-risk plugin (tier-3 invocations) | MAP-2.3, MEASURE-2.5, MANAGE-1.3 |
| Residency plugin (DENIED writes) | GOVERN-6.1, MAP-4.1 |
Filter the audit chain by `framework_citations contains 'nist-ai-rmf:GOVERN-1.1'`
to produce the coverage report for any AI RMF sub-category.
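The filter above, as an added example that is not Regulus code: it builds a per-sub-category coverage report from an exported event list and matches citations by exact list membership, so a query for MEASURE-2.1 does not pick up MEASURE-2.10. It assumes a JSON Lines export; only `framework_citations` and the `nist-ai-rmf:<ID>` citation form come from this page, while the `id` and `plugin` field names and the sample events are constructed.

```python
import json
from collections import defaultdict

PREFIX = "nist-ai-rmf:"
# Sub-category IDs taken from the mapping table on this page.
TABLE_IDS = {
    "GOVERN-1.1", "MANAGE-2.1", "MEASURE-2.10", "MANAGE-1.4", "GOVERN-1.4",
    "MANAGE-4.3", "MANAGE-2.4", "MAP-5.2", "MAP-2.3", "MEASURE-2.5",
    "MANAGE-1.3", "GOVERN-6.1", "MAP-4.1",
}

# Constructed sample export, one JSON event per line. "id" and "plugin" are
# assumed field names, not a documented Regulus schema.
SAMPLE = """\
{"id": "e1", "plugin": "policy", "framework_citations": ["nist-ai-rmf:GOVERN-1.1", "nist-ai-rmf:MANAGE-2.1"]}
{"id": "e2", "plugin": "privacy", "framework_citations": ["nist-ai-rmf:MEASURE-2.10", "nist-ai-rmf:MANAGE-1.4"]}
{"id": "e3", "plugin": "policy", "framework_citations": ["nist-ai-rmf:GOVERN-1.1", "other-framework:X-1"]}
{"id": "e4", "plugin": "audit"}
"""

def citations(event):
    """NIST AI RMF sub-category IDs cited by one event; other frameworks are ignored."""
    raw = event.get("framework_citations") or []  # tolerate a missing or null field
    return {c[len(PREFIX):] for c in raw if c.startswith(PREFIX)}

def events_for(lines, sub_category):
    """IDs of events citing exactly this sub-category (set membership, not substring)."""
    out = []
    for ev in map(json.loads, filter(str.strip, lines)):
        if sub_category in citations(ev):
            out.append(ev["id"])
    return out

def coverage_report(lines):
    """Return (evidence per sub-category, table sub-categories with no evidence)."""
    evidence = defaultdict(list)
    for ev in map(json.loads, filter(str.strip, lines)):
        for sub in citations(ev):
            evidence[sub].append(ev["id"])
    gaps = sorted(TABLE_IDS - set(evidence))
    return dict(evidence), gaps

if __name__ == "__main__":
    evidence, gaps = coverage_report(SAMPLE.splitlines())
    for sub in sorted(evidence):
        print(f"{sub}: {len(evidence[sub])} event(s) {evidence[sub]}")
    print("no evidence:", ", ".join(gaps))
```

The `gaps` list is the part to review before an audit: a sub-category from the table with no events means the corresponding control never fired in the exported window, or its events were not tagged.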
Activating the framework
```yaml
regulus:
  frameworks:
    - nist-ai-rmf
```
Or via the CLI:
```
regulus init my-agent --frameworks=nist-ai-rmf
```
Status
NIST AI RMF 1.0 is shipped and stable. The companion profile
`nist-ai-rmf-600-1` (GenAI Profile) layers an additional 12 GenAI
risk categories on top.