NIST AI RMF

NIST AI Risk Management Framework

Dominant voluntary AI governance framework in the US. Four functions (Govern, Map, Measure, Manage) operationalize what regulators expect. Not legally binding but heavily referenced.

Jurisdiction: United States

Enacted: Pending

Effective: Jan 26, 2023

Enforcement: None (voluntary framework)

NIST

Why It Matters

Colorado AI Act provides affirmative defense for NIST RMF compliance. Referenced by federal agencies and increasingly in procurement requirements.

Who Must Comply

  • Organizations developing or deploying AI (voluntary)

Safety Provisions

  • Govern: organizational policies and culture
  • Map: context and risk understanding
  • Measure: risk assessment methods
  • Manage: response and mitigation strategies
  • Generative AI Profile (NIST AI 600-1) addresses GAI-specific risks

Focus Areas

Algorithmic accountability

Cite This

APA

United States. (2023). NIST AI Risk Management Framework.

Related Regulations

In Effect US

State AG AI Warning

Coordinated state AG warnings: 44 AGs (Aug 25, 2025, led by TN, IL, NC, and SC AGs) and 42 AGs (Dec 2025, led by PA AG) to OpenAI, Meta, and others citing chatbots "flirting with children, encouraging self-harm, and engaging in sexual conversations."

In Effect US

White House AI Legislative Framework

Non-binding White House framework outlining seven legislative pillars for Congress, including child safety protections, federal preemption of state AI laws, liability limitations for AI developers, intellectual property protections, free speech safeguards, AI infrastructure investment, and workforce development. Calls for a unified national standard superseding state AI regulations while preserving state child safety, consumer protection, and anti-fraud laws.

In Effect TW

Taiwan AI Act

Comprehensive AI Basic Act (pending) establishes seven guiding principles and risk-based classification. Note: Taiwan already has ENACTED deepfake/election AI provisions via separate laws (Criminal Code 2023, Election Law 2023, Fraud Prevention Act 2024).

In Effect CN

China Minor Content Classification Measures

Establishes a four-category classification framework for online content that may harm minors' physical and mental health. Prohibits platforms from displaying classified harmful content in prominent positions (homepage, pop-ups, trending, recommendations). Requires preventive measures against content risks from algorithmic recommendations and generative AI.

In Effect NZ

NZ Biometric Code

Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.

In Effect US-TX

TX Healthcare AI Law

Requires healthcare practitioners using AI for diagnosis to review all AI-generated records and disclose AI use to patients. Mandates EHR data localization (Texas patient data must be physically stored in US). Applies to covered entities and third-party vendors.

Last updated January 23, 2026. Verify against primary sources before relying on this information.