NIST AI RMF 1.0: trustworthy AI gets a practical framework
In January 2023 NIST published the first version of its AI Risk Management Framework. I look at what it means for companies already using or planning to adopt AI.
On January 26, 2023, the US National Institute of Standards and Technology published AI Risk Management Framework 1.0 - the first structured document at this level that offers a practical language for working with AI risks. It is not a regulation and not a law. But it is an important reference point.
I pay attention to how regulators and standards bodies shape the language around AI, because that language eventually becomes the language of contracts, audits, and vendor requirements. The NIST framework is exactly that kind of document.
What AI RMF is and who it is written for
The framework is written for organisations that develop, deploy, or use AI systems. It is not tied to a specific technology and does not require mandatory compliance. Its goal is to give a common vocabulary and structure so that the conversation about AI risks can happen between technical and non-technical participants.
The document is built around four functions: Govern, Map, Measure, Manage. This is not a linear process but a cycle. First, a culture and accountability structure for AI risk is established (Govern). Then risks are identified in context (Map) and assessed (Measure). Then they are acted on in day-to-day operation (Manage).
Why this matters now
Before documents like this existed, conversations about AI risk were either very abstract ("AI can be dangerous") or very technical ("model accuracy is 94%"). A practising manager found it hard to join that conversation at all.
The NIST framework solves exactly this problem. It offers risk categories that are understandable without a technical background: reliability, safety, explainability, fairness, privacy, accountability. These categories can be discussed at board level and included in vendor requirements.
The emergence of such a document is also a signal about the direction regulation is heading. The European AI Act is already in progress. NIST standards have historically shaped technology risk management practice across many industries.
What to do practically
The framework is not an instruction for immediate action, but it is useful as a maturity checklist.
If your company already uses AI systems in processes that affect customers or operational decisions, it is worth asking:
- Who in the company is responsible for the quality of an AI system's performance?
- How will you know if a system starts making systematic errors?
- Are the limitations and risks of each system documented?
- How do you explain to customers or employees that a decision was made with AI involvement?
If there are no answers, it does not mean you need to implement the full framework immediately. It means the conversation about AI governance needs to start.
For those still planning adoption
For companies that have not yet launched AI in production processes, the framework is useful as a design requirement.
Before launching a system, it is worth answering: how will we track its quality? Who decides when the system is performing unacceptably? Is there a mechanism to switch it off or route around it?
These questions are cheaper to ask at the beginning than to deal with the consequences after launch.