NIST AI Risk Management Framework 1.0

Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1

Industry framework

Verified May 5, 2026

Jurisdiction
United States (federal, voluntary)
Effective
January 26, 2023
Who must comply
  • Voluntary; not binding on any specific entity
  • Federal contractors that incorporate AI systems may be required to apply AI RMF principles per agency-specific procurement language
  • Law firms that cite AI RMF as the structuring document in vendor due diligence and AI policy templates

Summary

NIST released AI RMF 1.0 on January 26, 2023 as the federal government's first comprehensive AI risk-management standard. It is voluntary but widely cited as the benchmark for AI governance, mapping, measurement, and management. Its relevance for law firms is that most state bar opinions, the Colorado AI Act, and the ABA Formal Opinion 512 vendor-diligence analysis treat it as a recognized risk-management baseline.

This page is informational. It is not legal advice. Verify the primary source before relying on this entry in any compliance work or filing. State and federal rules may impose additional requirements; consult a licensed attorney admitted in the relevant jurisdiction.
On this page
  1. What is the NIST AI Risk Management Framework?
  2. Who must comply?
  3. What does the Framework require?
  4. How does AI RMF interact with attorney duties?
  5. Primary sources

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework, version 1.0 (AI RMF 1.0), is a voluntary, sector-agnostic guideline published by the US National Institute of Standards and Technology on January 26, 2023. It provides a process and vocabulary for managing risks associated with AI systems across their lifecycle. NIST published a companion AI RMF Playbook with operational guidance, and a Generative AI Profile (NIST AI 600-1) in July 2024 specific to generative AI risks.

The Framework organizes AI risk management into four functions: Govern, Map, Measure, and Manage. Each function decomposes into categories and subcategories that an organization can adopt in whole or part. The Framework is explicitly principles-based: NIST does not certify compliance, audit adoption, or maintain a registry of compliant entities.

For law firms, AI RMF 1.0 is the most-referenced framework when state bar opinions, the Colorado AI Act, the ABA Standing Committee, and malpractice carriers describe a “recognized” or “reasonable” risk-management standard for AI use. Citing AI RMF in a written firm AI policy is the most defensible single step toward demonstrating that the policy is anchored in something other than an internal opinion.

Who must comply?

Adoption is voluntary. The Framework binds no entity directly. Indirect application reaches law firms in three patterns:

Federal procurement. Federal agencies including the Department of Defense, the General Services Administration, and the Department of Health and Human Services have incorporated AI RMF expectations into AI-related procurement language. A law firm representing federal contractors on AI matters may encounter AI RMF references in the contracts it reviews.

State and bar regulatory cross-reference. The Colorado AI Act expressly lists AI RMF as one of two frameworks (alongside ISO/IEC 42001) that establish a rebuttable presumption of “reasonable care” for risk management. ABA Formal Opinion 512 and several state bar AI opinions cite AI RMF as the benchmark vendor due diligence may track to.

Carrier and underwriter expectation. Malpractice carriers including ALPS and OBLIC reference AI RMF in their published guidance for policyholders. The OBLIC Model AI Use Policy and the Oregon PLF Sample Policy both incorporate AI RMF concepts. Application of AI RMF in firm policy is one signal underwriters look for at renewal.

What does the Framework require?

AI RMF 1.0 is structured as four functions, each with categories and subcategories. The four functions:

  • Govern: cultivate a culture of risk management, with documented roles, accountabilities, and policies. Govern functions cut across the entire AI lifecycle and apply at the organization level.
  • Map: establish the context, business value, and stakeholders for each AI system. Map functions identify what the system does, what could go wrong, and who is affected.
  • Measure: assess the AI system against the risks identified in Map, including performance, robustness, fairness, and safety. Measurement is ongoing, not a one-time gate.
  • Manage: prioritize and act on the risks measured. Manage functions include incident response, model retirement, and continuous improvement.

For a law firm using AI tools in practice, a minimum-viable AI RMF adoption looks like a written firm AI policy (Govern), a list of approved tools with intended uses and known limitations (Map), a documented verification process for AI output before client work product (Measure), and an incident log with a process for retiring tools that fail (Manage).

How does AI RMF interact with attorney duties?

The AI RMF is risk-management infrastructure, not legal advice or ethics guidance. It does not displace attorney duties under the Model Rules of Professional Conduct or state-specific RPCs. ABA Formal Opinion 512 (July 2024) maps the relevant rules: competence (1.1), confidentiality (1.6), communication (1.4), fees (1.5), supervision (5.1, 5.3), and candor (3.3). AI RMF gives a firm a coherent way to demonstrate that those rule-driven duties are being met systematically. For the generative-AI overlay covering hallucination, data leakage, and IP risks, see the NIST GenAI Profile.

Where the AI RMF and a state RPC overlap (for instance, a Map-function intended-use specification and the RPC duty to supervise non-lawyer assistants under Rule 5.3), the firm’s documentation should make the connection explicit. The cross-reference is what carriers, regulators, and bar counsel are looking for.

Primary sources

Last verified against primary sources: May 5, 2026.