📐 NIST AI RMF: AI Risk Management in Practice
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for managing AI risk, released by the U.S. National Institute of Standards and Technology (document AI 100-1, January 2023). It helps organizations build trustworthiness considerations — safety, reliability, privacy, explainability — into the design, development, deployment, and evaluation of AI systems. This guide walks through the four AI RMF functions (GOVERN / MAP / MEASURE / MANAGE), the seven characteristics of "trustworthy AI," the profile for generative AI (NIST AI 600-1), and shows honestly where the boundary runs: SYNTREX — the defense layer of the Spectorn platform — supplies the technical part (detection, policy, an immutable audit), but on its own does not make an organization "compliant."
Spectorn is a security and compliance-perimeter platform; SYNTREX is its AI-defense layer, deployed both inside Spectorn and standalone on customers' internal perimeters. The AI RMF is a management framework; SYNTREX closes concrete technical sub-tasks within the MEASURE and MANAGE functions.
What NIST AI RMF Is and Why It Exists
The AI RMF was developed under the mandate of the National AI Initiative Act of 2020 as a voluntary, sector- and use-case-agnostic, rights-preserving framework. Its purpose is to give organizations of any size a common language and an operating model for working with AI-specific risks: data drift over time, the sociotechnical nature of the systems, model opacity, emergent behavior.
The AI RMF has two parts. The first describes how to reason about AI risk and what "trustworthy AI" is. The second is the Core: four functions broken into categories and subcategories with concrete actions and outcomes. The framework is accompanied by the AI RMF Playbook (recommended actions for each subcategory), a Roadmap (a development plan), and profiles for specific classes of systems — first and foremost the Generative AI Profile (AI 600-1).
A key feature: the AI RMF is not certified and has no force of law. It is an operating model. Its certifiable analogue is the international standard ISO/IEC 42001 (an AI management system); binding force lies with the EU AI Act. These instruments complement one another, and controls mapped to one usually support the others.
The Four AI RMF Core Functions
The AI RMF Core is organized around four functions. GOVERN is cross-cutting: it permeates and feeds the other three across all lifecycle stages. MAP, MEASURE, and MANAGE are applied in the context of a specific system.
GOVERN — a culture of risk management
Shapes and instills a culture of AI risk management across the organization: policies and procedures across the entire lifecycle, accountability structures (roles and decision-making), a risk-aware culture, stakeholder engagement, and — as a separate category — managing the risks of third-party components, data, and the supply chain. GOVERN answers the question "who is accountable and under what rules."
MAP — context and risk identification
Establishes context and identifies risks across the whole system lifecycle: understanding the context of use, categorizing the AI system, its capabilities and goals, mapping risks and benefits across all components, assessing impact on individuals, groups, and society. By the end of MAP an organization should have enough contextual knowledge to make an initial go/no-go decision.
MEASURE — analysis, evaluation, monitoring
Applies quantitative, qualitative, and mixed methods to analyze, benchmark, and monitor AI risk: selecting appropriate metrics, evaluating the system against trustworthiness characteristics, mechanisms for tracking risk over time, gathering feedback on the effectiveness of the measurements. This is where concrete vulnerabilities are assessed — for example, against the OWASP Top 10 for LLMs — and red-teaming is conducted against MITRE ATLAS.
MANAGE — prioritization and response
Allocates resources to the identified and measured risks: prioritizing and treating risks, strategies to maximize benefits and minimize harm, managing third-party risks, documenting and monitoring risk treatment. This includes incident response — a plan for response, recovery, and communication.
The Seven Characteristics of Trustworthy AI
The AI RMF defines seven characteristics that together make AI "trustworthy." They must be balanced according to context — there are unavoidable trade-offs among them. NIST's exact formulations:
- Valid and Reliable — the foundation for all the others: confirmed by objective evidence as meeting the requirements of the use case, and able to operate without failure under the specified conditions.
- Safe — under defined conditions the system should not lead to a state that endangers human life, health, property, or the environment.
- Secure and Resilient — maintaining confidentiality, integrity, and availability through protective mechanisms; able to withstand unexpected adverse events.
- Accountable and Transparent — a cross-cutting characteristic: access to information commensurate with the lifecycle stage and the participant's role.
- Explainable and Interpretable — the ability to understand the system's functionality and the rationale for its operation.
- Privacy-Enhanced — norms and practices that safeguard human autonomy, identity, and dignity.
- Fair – with Harmful Bias Managed — attention to equity and the avoidance of discrimination through bias management.
In this scheme Valid and Reliable is the base (a necessary condition for the rest), and Accountable and Transparent is the cross-cutting element that ties all the characteristics together. The Safe and Secure and Resilient characteristics are two distinct characteristics in the AI 100-1 document, not one (a common error in secondary sources).
Generative AI Profile (NIST AI 600-1)
In July 2024 NIST released AI 600-1 — "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile," the AI RMF profile for generative AI, prepared in fulfillment of Executive Order 14110. It extends AI 100-1 with more than 200 recommended actions organized by the same four functions and lists 12 risks unique to or amplified by generative AI:
| Risk (AI 600-1) | Essence |
|---|---|
| CBRN Information or Capabilities | Easier access to information on chemical, biological, radiological, and nuclear weapons |
| Confabulation | Confidently presented but false content ("hallucinations") |
| Dangerous, Violent, or Hateful Content | Easier generation of violent, inciting, threatening content |
| Data Privacy | Leakage and unauthorized use/de-anonymization of personal data |
| Environmental Impacts | High consumption of compute resources during training/operation |
| Harmful Bias and Homogenization | Amplification of historical and systemic biases, homogenization |
| Human-AI Configuration | Inappropriate anthropomorphization and human-system interaction problems |
| Information Integrity | Lowering the barrier for content that does not distinguish fact from fiction |
| Information Security | Lowering the barriers for offensive cyber capabilities (automated vulnerability discovery and exploitation, malware, phishing) |
| Intellectual Property | Easier reproduction of copyrighted content |
| Obscene, Degrading, and/or Abusive Content | Easier generation of obscene content, including synthetic CSAM |
| Value Chain and Component Integration | Opaque integration of third-party components and data |
Several of these risks map directly onto SYNTREX's capabilities: Information Security (offensive capabilities through AI), Data Privacy (PII leakage), Information Integrity and Confabulation (dangerous output). For each, SYNTREX provides detection and an audit trail — see the map below.
How SYNTREX Helps: The Technical Part of the MEASURE and MANAGE Functions
The AI RMF is a management framework. SYNTREX does not "implement the AI RMF" in full, but it closes concrete technical sub-tasks within the MEASURE (measuring and monitoring risk) and MANAGE (treating and responding) functions, and the Decision Logger provides the immutable audit trail required in GOVERN for accountability.
| Function / AI 600-1 risk | What SYNTREX provides | Engines / components |
|---|---|---|
| MEASURE — evaluation against input/output threats | Detection of injections, jailbreaks, dangerous output | injection, jailbreak, output_scanner |
| MANAGE / Data Privacy | Masking PII and secrets before the response leaves | pii, secret_scanner, exfiltration |
| MANAGE / Information Security | Control of the "lethal trifecta," tool abuse | lethal_trifecta, tool_abuse, cross_tool_guard |
| MEASURE — monitoring over time | Event correlation, surfacing anomalous spikes | SOC Correlation Engine |
| GOVERN — accountability and provability | An immutable log of all decisions (SHA-256/HMAC) | Decision Logger |
| MANAGE — integrity of the agent's memory/context | Memory protection and model containment | memory_integrity, model_containment |
syntrex.yaml configuration
A profile oriented toward the technical controls of MEASURE/MANAGE and toward producing the audit trail for GOVERN:
# syntrex.yaml — profile for AI RMF technical controls (MEASURE/MANAGE)
version: "1.0"
mode: ai_gateway
engines:
injection: # MEASURE: injection detection
action: block
confidence_threshold: 0.7
jailbreak: # MEASURE: policy-bypass detection
action: block
confidence_threshold: 0.85
output_scanner: # MEASURE: dangerous/leaking output
action: sanitize
pii: # MANAGE: Data Privacy
action: redact
mask_character: "*"
secret_scanner: always_on # MANAGE: secrets never leave the perimeter
exfiltration: # MANAGE: Information Security
action: block
lethal_trifecta: # MANAGE: data + untrusted + egress
action: alert
tool_abuse: # MANAGE: tool abuse
action: block
memory_integrity: # MANAGE: integrity of the agent's context
action: alert
model_containment: # MANAGE: model containment
action: alert
audit:
decision_logger: true # GOVERN: an immutable trail for accountability
retention_policy: regulatory
SOC correlation rule (monitoring over time)
The MEASURE function requires tracking risk over time. An example rule that surfaces an anomalous spike as an attack indicator:
rules:
- id: ALERT_FLOOD
name: "Anomalous event spike (MEASURE)"
description: "100+ events from one source in 60 seconds — an indicator of an attack or failure"
enabled: true
conditions:
- threshold:
count: 100
window: "60s"
group_by: "source_id"
action:
create_incident: true
severity: HIGH
metadata:
nist_rmf: ["MEASURE-2", "MANAGE-1"]
An honest boundary of responsibility. AI RMF compliance is an organizational task: policies, roles, processes, a culture of risk management (the whole GOVERN function, most of MAP). SYNTREX does not make an organization "compliant" on its own. It closes the technical part — detection, the Shield policy, and an immutable audit — within the MEASURE and MANAGE functions, and provides a provable trail of decisions needed for accountability. System categorization, societal impact assessment, risk appetite, and risk treatment remain with the organization.
NIST AI RMF and the Russian Market
There is no direct analogue of the AI RMF in Russia — the approach is spread across several instruments:
- GOST R 59276-2022 ("Ensuring trust in AI systems") is the closest in spirit to the notion of "trustworthy AI"; PNST 776-2022 covers AI risk management (a preliminary national standard, the closest functional analogue of a risk framework); GOST R 59277-2020 covers AI-system classification. Russia adapts the norms of ISO/IEC JTC 1/SC 42 as national GOST standards. (GOST = the Russian national standardization system; PNST = a preliminary national standard.)
- The Code of Ethics for AI (adopted in October 2021) is "soft," voluntary self-regulation with ethical principles; it does not contain a risk-management structure at the MAP/MEASURE/MANAGE level.
- 152-FZ ("On Personal Data") — the Russian federal personal-data law — intersects with the Data Privacy and Privacy-Enhanced characteristics: AI systems processing personal data must meet requirements for localization, consent, and data-subject rights.
- FSTEC — the Russian Federal Service for Technical and Export Control — sets security requirements for critical information infrastructure (CII), which apply to AI systems deployed within its perimeter.
For a Russian customer, SYNTREX supplies the same technical part (detection, PII masking under 152-FZ, an immutable audit), while the compliance program typically references the combination of GOST R 59276 + PNST 776 + 152-FZ + FSTEC orders. More on the sector specifics is in the Government and CII and Healthcare scenarios.
Frequently Asked Questions (FAQ)
What is NIST AI RMF in plain terms? It is a voluntary framework from the U.S. standards institute (NIST) that helps organizations manage AI risk. It consists of four functions — GOVERN (culture and rules), MAP (context and risk identification), MEASURE (measurement and monitoring), MANAGE (prioritization and response) — and describes seven characteristics of "trustworthy AI."
Is NIST AI RMF mandatory? No, the AI RMF is voluntary and has no force of law. Binding force belongs to the EU AI Act for systems whose output is used in the EU. The certifiable analogue of the AI RMF is ISO/IEC 42001. Many organizations use the AI RMF as a management framework on top of which they prepare for mandatory requirements.
What are the four AI RMF functions? GOVERN (cross-cutting — the culture and policies of risk management), MAP (establishing context and identifying risks), MEASURE (quantitative and qualitative evaluation, monitoring over time), and MANAGE (prioritization, risk treatment, incident response). GOVERN permeates the other three.
What does the Generative AI Profile (AI 600-1) add? It is an AI RMF profile specifically for generative AI (July 2024). It lists 12 risks unique to or amplified by GenAI — CBRN, confabulation (hallucinations), Data Privacy, Information Security, Information Integrity, and others — and provides more than 200 recommended actions tied to the same four functions.
Does SYNTREX make my organization compliant with NIST AI RMF? No, and we note this boundary honestly. AI RMF compliance is an organizational task (policies, roles, processes — the GOVERN and MAP functions). SYNTREX closes the technical part within MEASURE and MANAGE: threat detection, data masking, the Shield policy, and an immutable audit trail (Decision Logger) needed for accountability. The management loop remains with the organization.
How does AI RMF relate to MITRE ATLAS and OWASP? It is a three-layer model: the AI RMF is the strategic management layer, MITRE ATLAS is the tactical threat layer (TTPs for red teams and detection), and the OWASP Top 10 for LLMs is the operational layer of concrete vulnerabilities. ATLAS data and OWASP assessments give substance to the MEASURE and MANAGE functions.
Is there a Russian analogue of NIST AI RMF? There is no direct one. The closest instruments are PNST 776-2022 (AI risk management), GOST R 59276-2022 (trust in AI systems), plus the voluntary Code of Ethics for AI, 152-FZ (personal data), and FSTEC requirements for CII. There is as yet no single integrated framework on the scale of the AI RMF in Russia.
Sources
- NIST AI Risk Management Framework — main page — overview of the AI RMF 1.0 (AI 100-1).
- NIST AI 100-1 — document PDF — the primary source: the four functions and seven characteristics.
- NIST AI 600-1 — Generative AI Profile (PDF) — the 12 GenAI risks and recommended actions.
- NIST AIRC — Trustworthy & Responsible AI Resource Center — trustworthiness characteristics, the Core, the Playbook.
- NIST AI RMF Playbook — recommended actions by subcategory.
- ISO/IEC 42001 — the certifiable AI management system standard (complementary to the AI RMF).
- MITRE ATLAS and OWASP Top 10 for LLMs — the tactical and operational layers.
Related guides: MITRE ATLAS · EU AI Act · OWASP Top 10 for LLMs · Government and CII · Industry Scenarios