NIST AI RMF

NIST AI Risk Management Framework

Dominant voluntary AI governance framework in the US. Four functions (Govern, Map, Measure, Manage) operationalize what regulators expect. Not legally binding but heavily referenced.

Jurisdiction

United States

Enacted

Pending

Effective

Jan 26, 2023

Enforcement

None (voluntary framework)

NIST

Why It Matters

Colorado AI Act provides affirmative defense for NIST RMF compliance. Referenced by federal agencies and increasingly in procurement requirements.

Who Must Comply

  • Organizations developing or deploying AI (voluntary)

Safety Provisions

  • Govern: organizational policies and culture
  • Map: context and risk understanding
  • Measure: risk assessment methods
  • Manage: response and mitigation strategies
  • Generative AI Profile (NIST AI 600-1) addresses GAI-specific risks

Focus Areas

Algorithmic accountability

Cite This

APA

United States. (2023). NIST AI Risk Management Framework.

Related Regulations

In Effect US

State AG AI Warning

Coordinated state AG warnings: 44 AGs (Aug 25, 2025, led by TN, IL, NC, and SC AGs) and 42 AGs (Dec 2025, led by PA AG) to OpenAI, Meta, and others citing chatbots "flirting with children, encouraging self-harm, and engaging in sexual conversations."

In Effect US

Trump AI Preemption EO

Executive order directing federal agencies to preempt conflicting state AI laws while explicitly preserving state child safety protections. Creates DOJ AI Litigation Task Force to challenge state laws, directs FTC/FCC to establish federal standards. Highly controversial - legal experts dispute whether executive orders can preempt state legislation (only Congress or courts have this authority).

In Effect TW

Taiwan AI Act

Comprehensive AI Basic Act (pending) establishes seven guiding principles and risk-based classification. Note: Taiwan already has ENACTED deepfake/election AI provisions via separate laws (Criminal Code 2023, Election Law 2023, Fraud Prevention Act 2024).

Enacted NZ

NZ Biometric Code

Sets specific legal requirements under Privacy Act for collecting and using biometric data such as facial recognition and fingerprint scans. Prohibits particularly intrusive uses including emotion prediction and inferring protected characteristics like ethnicity or sex.

Enacted US-TX

TX Healthcare AI Law

Requires healthcare practitioners using AI for diagnosis to review all AI-generated records and disclose AI use to patients. Mandates EHR data localization (Texas patient data must be physically stored in the US). Applies to covered entities and third-party vendors.

In Effect AU

AU Privacy Amendment 2024

Strengthens Privacy Act requirements for biometric data collection, raising the standard of conduct for collecting biometric information used for automated verification or identification. Such information cannot be collected unless the individual has consented and the collection is reasonably necessary.

Last updated January 23, 2026. Verify against primary sources before relying on this information.