Practical AI and SaaS for Business

NIST AI Risk Management Framework

The NIST AI Risk Management Framework isn't a law, and most small businesses will never be legally required to follow it. But when an enterprise customer's security questionnaire asks about it, having a real answer matters. This guide explains what the framework actually covers.

Last verified: 17 July 2026. References checked against current legislation.

Editorial Perspective

You manage IT at a 20-person software vendor, and a large prospective customer's security questionnaire just asked whether your AI feature aligns with the NIST AI RMF. The problem is nobody on your team has worked with it directly, and you need a real answer, not a guess. This guide explains what the framework actually asks for, in plain language. No technical or legal background needed.

This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.

The NIST AI Risk Management Framework is voluntary guidance, not a law, and no US business is legally required to follow it. But it's become the de facto reference point enterprise customers, insurers, and federal contracts point to when asking whether a vendor manages AI risk responsibly, which means a small business selling to bigger customers can encounter it as a practical requirement even without any legal mandate behind it.

In short: The NIST AI RMF is a voluntary framework built around four functions, Govern, Map, Measure, and Manage, covering how an organisation identifies, assesses, and manages AI-related risk across a system's lifecycle. Most businesses already do informal versions of parts of this. The value of engaging with it properly is having a documented answer when a customer, insurer, or partner asks about it, not meeting a legal requirement.

The plain-English answer

You don't need to formally adopt the NIST AI RMF unless a specific contract, federal engagement, or customer requirement asks for it. What's useful about the framework, even for a business with no obligation to use it, is that it gives structure to questions most businesses are already asking informally, who's responsible for AI decisions, what could go wrong, and how do we check. Mapping your existing practices against the framework's four functions turns an informal, undocumented approach into something you can actually describe and evidence when asked.

Why this matters for your business

A 20-person software vendor getting an enterprise security questionnaire that mentions the NIST AI RMF by name is a genuinely common and growing scenario, larger companies increasingly use the framework's language as their own vendor-risk shorthand, even where they have no strict internal mandate to require it themselves. A vague or evasive answer on a questionnaire like this can cost a deal, not because the framework is legally required, but because it signals whether your business has thought seriously about AI risk at all.

The good news is that answering well doesn't require a large compliance program. Most of what the framework asks for maps to processes a reasonably careful small business already has some version of, the value is in documenting it in the language the questionnaire expects.

What the NIST AI RMF actually covers

Published by NIST in January 2023, the AI RMF is built around four core functions, not sequential steps but interconnected processes meant to be applied iteratively across an AI system's life. Govern covers organisational risk culture and accountability, who approves a given AI use case, how third-party AI tools get introduced, and how responsibility is assigned when something goes wrong. Map covers identifying the context an AI system operates in, who it affects, and what could realistically go wrong for those people. Measure covers actually assessing and monitoring risk using whatever quantitative or qualitative methods fit the system. Manage covers allocating resources to address the risks identified, following through on what Map and Measure surfaced.

NIST also publishes a companion AI RMF Playbook, with practical suggestions for implementing each function, useful if you want a concrete starting point rather than working from the core framework document alone.

What this looks like in practice

Picture the IT manager at the software vendor, staring at a questionnaire item asking for the company's NIST AI RMF alignment with no clear answer to give. Rather than treating this as a from-scratch project, working through the four functions against what the business already does turns up more than expected: someone already reviews new AI features before launch (a rough version of Govern), the team already knows which customer data the AI feature touches and who it affects (a rough version of Map), and there's already an informal bug-tracking process that would catch most AI-specific issues (a rough version of Measure and Manage).

Documenting these existing practices explicitly against the framework's own terms, rather than starting a new compliance program from zero, produces a genuine, honest answer to the questionnaire, current practice mapped to the framework, with a few concrete gaps identified as next steps rather than a claim of full alignment that isn't real.

What you can do about it

A practical way to engage with the NIST AI RMF without overbuilding:

  • Map your existing AI-related practices against the four functions, Govern, Map, Measure, Manage, before assuming you need to build something new.
  • Document who's actually accountable for AI-related decisions in your business, even if it's informal today.
  • Identify what could go wrong with each AI feature you use or offer, and who it could affect, this is the core of the Map function.
  • Note the honest gaps, don't overstate alignment on a questionnaire, an accurate partial answer is more credible than an inflated claim.
  • Revisit this mapping whenever you adopt a new AI tool or feature, not as a one-time exercise.

If your business is also making claims about what your AI product does, check our guide on what makes an AI claim unfair or deceptive to the FTC, a related but distinct question from risk management framework alignment.

Methodology (Real-World, Verified)

We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.

Related reading: our AI governance by region.

Free tools: AI Privacy Risk Scorer to score your current AI tool setup against data-privacy best practice | AI Compliance Checker to check whether your AI tools meet your compliance obligations.

Is the NIST AI RMF ever legally mandatory?

Not for private-sector businesses generally, it's voluntary guidance. It can become a practical requirement through a specific contract, a federal engagement, or a customer's own vendor-risk policy, but there's no general legal mandate requiring adoption.

Do we need external consultants to implement the NIST AI RMF?

Not necessarily for a small business's first pass. Mapping existing practices against the four functions is something most teams can do internally using NIST's own published Playbook as a guide. External help becomes more useful for a business with more complex or higher-risk AI use.

What if we genuinely have no formal AI risk process at all?

Start small rather than building a full program at once. Pick the Govern function first, decide who's accountable for AI-related decisions, then build out Map, Measure, and Manage incrementally as your AI use grows in scope or risk.

How is the NIST AI RMF different from ISO/IEC 42001?

NIST's framework is US-published voluntary guidance with no certification mechanism; ISO/IEC 42001 is an international standard a business can be formally certified against. Some businesses reference both, they're complementary rather than competing, though certification against ISO 42001 is a heavier undertaking than mapping against NIST's framework informally.

Find official guidance for your region

Requirements vary by jurisdiction. This article provides general information only. Consult your regional authority or a qualified professional for advice specific to your situation.

The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.

Also making public claims about what your AI product does?

Check the FTC guidance