NIST AI RMF
This guide explains how VeriProof supports the NIST AI Risk Management Framework across GOVERN, MAP, MEASURE, and MANAGE. It is useful for teams that want a flexible but structured operating model for AI governance rather than a single regulation-specific checklist.
Use it to align portal metrics, policies, and response workflows with the RMF functions most relevant to your risk program.
NIST AI Risk Management Framework
The NIST AI Risk Management Framework (AI RMF 1.0), published by the National Institute of Standards and Technology in January 2023, provides a structured, flexible approach to managing risks associated with AI systems throughout their lifecycle. The AI RMF was developed with broad public and private sector input and is referenced in US executive orders, financial regulatory guidance, and global AI governance standards.
The AI RMF is organised around four core functions: GOVERN, MAP, MEASURE, and MANAGE. Each function contains categories and subcategories with suggested actions. Unlike the EU AI Act, the AI RMF is voluntary — but adoption is increasingly expected by regulated industries and federal contractors.
The NIST AI RMF Playbook provides suggested actions for each category. This section focuses specifically on how VeriProof supports the subcategories where production observability plays a role.
Framework Structure
GOVERN
└── Policies, accountability structures, culture, and oversight
MAP
└── Operational context, risk identification, stakeholder analysis
MEASURE
└── Quantitative and qualitative assessment of identified risks
MANAGE
└── Prioritisation, response, monitoring, and continuous improvement

The four functions are not sequential — they operate concurrently and feed each other. A mature AI governance program runs all four functions continuously throughout the system’s operational lifetime.
VeriProof’s Coverage
VeriProof provides infrastructure that directly supports MEASURE and MANAGE, and contributes evidence relevant to GOVERN and MAP:

| Function | Scope |
|---|---|
| GOVERN | Policies, accountability, risk tolerance statements, and governance structure |
| MAP | Operational context documentation, deployment context, and impact tracking |
| MEASURE | Quantitative metrics, bias monitoring, trustworthiness assessment, and privacy risk |
| MANAGE | Incident response, root cause analysis, risk treatment, and continuous improvement |

Relationship to EU AI Act
The EU AI Act and NIST AI RMF are complementary:
| Dimension | EU AI Act | NIST AI RMF |
|---|---|---|
| Type | Mandatory regulation | Voluntary framework |
| Geography | EU market | Global, US-centric |
| Risk classification | Prescriptive tiers (prohibited, high-risk, limited-risk, minimal) | Flexible risk characterisation |
| Audit requirements | Conformity assessment, technical documentation | Internal practices, voluntary attestation |
| Production monitoring | Required for high-risk systems (Article 9, 17) | Recommended (MEASURE 3.3, MANAGE 1.3) |
If you’re building for both EU compliance and US regulatory expectations, one VeriProof configuration can serve both: the session capture, governance scoring, and evidence export that support EU AI Act Articles 9, 11, and 17 also provide the evidence the NIST AI RMF MEASURE and MANAGE subcategories call for. The organisational artefacts each framework expects (risk tolerance statements, conformity assessment, technical documentation) still have to be produced outside the platform.
Getting Started with AI RMF
- Review the GOVERN function first — Establish the organisational policies and risk tolerance statements before configuring monitoring thresholds
- Map your deployment context (MAP function) — Document what the system does, who uses it, and what risks have been identified
- Configure MEASURE — Set up governance scoring dimensions that correspond to your identified risks
- Activate MANAGE — Configure alert rules and establish an incident response procedure
This sequence mirrors the recommended starting point in the NIST AI RMF Playbook.
Generating an AI RMF Evidence Package
To gather NIST AI RMF evidence for a review period, use the available export paths:
- Session evidence pack: Open the session in the Customer Portal and download the evidence pack PDF from the session detail view.
- Auditor Evidence ZIP: Open the Compliance workspace and use the Evidence Exports tab to download an evidence ZIP covering the application and reporting period.
- Blockchain Audit Certificate: Download from the Compliance workspace for integrity attestation.
Assemble these artifacts with your governance policy configuration, alert rule inventory, and score trend exports into a package for the reporting period. For a step-by-step approach, see the Evidence Packaging Walkthrough.
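As an added example, not VeriProof's own tooling, the script below assembles the downloaded artifacts into one ZIP with a SHA-256 manifest that records which AI RMF function each artifact evidences, then re-verifies the package so a reviewer can detect a missing or altered file. The file names, the `ARTIFACT_FUNCTIONS` mapping and the reporting-period label are assumptions made for illustration; the placeholder files are constructed, not real exports.

```python
import hashlib
import json
import tempfile
import zipfile
from pathlib import Path

# Artifact kinds named on this page, mapped to the AI RMF functions they evidence.
# Both the file names and the mapping are assumptions made for this example.
ARTIFACT_FUNCTIONS = {
    "session_evidence_pack.pdf": ["MEASURE", "MANAGE"],
    "auditor_evidence.zip": ["MEASURE", "MANAGE"],
    "blockchain_audit_certificate.pdf": ["MEASURE"],
    "governance_policy_config.json": ["GOVERN"],
    "alert_rule_inventory.json": ["MANAGE"],
    "score_trend_export.csv": ["MEASURE"],
}
MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir, period):
    """Digest every expected artifact; files that were not collected are listed
    explicitly so the reviewer sees a gap rather than a silently partial package."""
    artifact_dir = Path(artifact_dir)
    entries, missing = [], []
    for name, functions in ARTIFACT_FUNCTIONS.items():
        path = artifact_dir / name
        if not path.is_file():
            missing.append(name)
            continue
        entries.append({"file": name, "sha256": sha256_file(path),
                        "size": path.stat().st_size, "functions": functions})
    return {"framework": "NIST AI RMF 1.0", "period": period,
            "artifacts": entries, "missing": missing}


def write_package(artifact_dir, period, out_path):
    manifest = build_manifest(artifact_dir, period)
    with zipfile.ZipFile(out_path, "w", zipfile.ZIP_DEFLATED) as z:
        for entry in manifest["artifacts"]:
            z.write(Path(artifact_dir) / entry["file"], entry["file"])
        z.writestr(MANIFEST_NAME, json.dumps(manifest, indent=2))
    return manifest


def verify_package(zip_path):
    """Re-hash each artifact inside the ZIP against the manifest. Returns a list of
    problems; an empty list means the package is intact and complete."""
    problems = []
    with zipfile.ZipFile(zip_path) as z:
        manifest = json.loads(z.read(MANIFEST_NAME))
        names = set(z.namelist())
        listed = {e["file"] for e in manifest["artifacts"]}
        for entry in manifest["artifacts"]:
            if entry["file"] not in names:
                problems.append(f"missing in zip: {entry['file']}")
                continue
            if hashlib.sha256(z.read(entry["file"])).hexdigest() != entry["sha256"]:
                problems.append(f"digest mismatch: {entry['file']}")
        for name in manifest["missing"]:
            problems.append(f"not collected: {name}")
        for name in sorted(names - listed - {MANIFEST_NAME}):
            problems.append(f"unlisted file in zip: {name}")
    return problems


def demo():
    """Build a package from constructed placeholder artifacts, deliberately leaving
    one artifact uncollected and then tampering with another inside the ZIP."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "downloads"
        src.mkdir()
        for name in list(ARTIFACT_FUNCTIONS)[:-1]:  # score_trend_export.csv is left out
            (src / name).write_bytes(f"constructed placeholder for {name}\n".encode())
        pkg = Path(tmp) / "ai_rmf_evidence_2024Q3.zip"
        manifest = write_package(src, "2024-Q3", pkg)
        clean_result = verify_package(pkg)
        tampered = Path(tmp) / "tampered.zip"
        with zipfile.ZipFile(pkg) as zin, zipfile.ZipFile(tampered, "w") as zout:
            for item in zin.infolist():
                data = zin.read(item.filename)
                if item.filename == "alert_rule_inventory.json":
                    data = b'{"rules": []}'  # altered after the manifest was signed off
                zout.writestr(item.filename, data)
        return manifest, clean_result, verify_package(tampered)


if __name__ == "__main__":
    for result in demo():
        print(json.dumps(result, indent=2))
```

The manifest carries the digests, so storing it (or its own hash) in a ticket or change record at the time of export gives you an independent reference for the Blockchain Audit Certificate to corroborate later.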
Next Steps
- GOVERN function — Policies and accountability
- MEASURE function — Quantitative assessment
- MANAGE function — Incident response
- EU AI Act — EU regulatory counterpart