Unit 1 of 4

1.1 — Overview and Purpose of NIST AI RMF

The NIST AI Risk Management Framework (AI RMF 1.0) was released in January 2023 by the National Institute of Standards and Technology. It provides a structured, flexible approach for organizations to manage risks associated with AI systems throughout their lifecycle.

Unlike prescriptive regulations, the AI RMF is a voluntary framework designed to be adopted by organizations of any size, sector, or jurisdiction. It complements existing risk management practices and can be mapped to other standards and regulations such as ISO/IEC 42001 and the EU AI Act.

Voluntary, Not Mandatory

The NIST AI RMF is voluntary — it is not a law or regulation. However, it has become a de facto standard referenced by U.S. executive orders and is increasingly expected by regulators and customers. Know the distinction between 'voluntary framework' and 'mandatory regulation' for exam questions.

Key NIST AI Publications
  - Jan 2023: AI RMF 1.0 Released. The foundational voluntary framework for managing AI risks across the lifecycle.
  - Jan 2023: AI RMF Playbook Published. Companion resource providing suggested actions for each subcategory of the Core.
  - Oct 2023: Executive Order 14110. U.S. Executive Order on Safe, Secure, and Trustworthy AI references the NIST AI RMF extensively.
  - Jul 2024: Generative AI Profile (NIST AI 600-1). Companion profile mapping 12 generative AI risk categories to the four core functions.

The framework defines 'trustworthy AI' across seven characteristics. These characteristics are not independent — they interact and may require trade-offs. For example, increasing explainability may reduce accuracy in certain model architectures. The framework emphasizes that organizations must balance these characteristics based on context.

Seven Characteristics of Trustworthy AI
  1. Valid and Reliable — AI systems perform as intended and consistently produce accurate outputs under expected and challenging conditions.
  2. Safe — AI systems do not endanger human life, health, property, or the environment under defined conditions of use.
  3. Secure and Resilient — AI systems withstand adversarial attacks, unexpected inputs, and environmental changes while maintaining confidentiality and integrity.
  4. Accountable and Transparent — Clear accountability structures exist, and information about the AI system is available to appropriate stakeholders.
  5. Explainable and Interpretable — Stakeholders can understand AI system outputs (explainability) and the mechanisms producing them (interpretability).
  6. Privacy-Enhanced — AI systems protect privacy through design, data minimization, and appropriate handling of personal and sensitive information.
  7. Fair — with Harmful Bias Managed — AI systems are designed to identify, assess, and mitigate harmful biases across the lifecycle.

The AI RMF is structured around two main parts: Part 1 discusses foundational information about AI risks and trustworthiness, while Part 2 introduces the Core — a set of four functions, categories, and subcategories that guide risk management activities. The Core is hierarchical: Functions contain Categories, which contain Subcategories, each with suggested actions documented in the companion Playbook.

Key Points
  - Released January 2023 — voluntary, not mandatory
  - Seven characteristics of trustworthy AI (know all seven)
  - Two parts: Foundational concepts + Core functions
  - Designed to complement (not replace) existing frameworks
  - Applicable across sectors, sizes, and jurisdictions
  - Referenced by Executive Order 14110 (Oct 2023)