Trustworthy AI, operationalized

Run the NIST AI Risk Management Framework

An AI and agent inventory, risk mapping and measurement, and the Govern-Map-Measure-Manage workflow — pre-mapped to ISO 42001 and the EU AI Act so one AI program serves them all.

What is the NIST AI RMF?

The NIST AI Risk Management Framework (AI RMF 1.0) — published as NIST AI 100-1 in January 2023 — is voluntary guidance for identifying and managing the risks of artificial intelligence across its lifecycle, from design and development through deployment and decommissioning. It was developed through an open, multi-stakeholder process at the direction of Congress and has quickly become the de facto reference for AI governance in the United States.

Rather than prescribe specific controls, the AI RMF defines a set of trustworthy-AI characteristics — valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair (with harmful bias managed) — and a flexible process for achieving them.

The four functions

The AI RMF core organizes that process into four functions:

  • Govern — the foundation. It establishes the organization's AI risk culture, policies, roles, and accountability, including who approves high-risk use cases, how third-party and foundation models are introduced, and how resources are allocated to testing.
  • Map — the scoping function. It builds the context for each AI system and identifies the risks that context creates.
  • Measure — analyzes, assesses, benchmarks, and monitors AI risks with quantitative and qualitative methods.
  • Manage — allocates resources to prioritized risks, applies treatments (mitigate, transfer, avoid, accept), documents residual risk, and handles monitoring, incident response, and recovery.

Who uses the AI RMF

Any organization that builds, deploys, or procures AI — including generative AI and autonomous agents — uses the AI RMF to put structure around AI risk. It is especially common for US-based companies and federal contractors, and it is the natural companion to the certifiable ISO 42001 AI management system and to EU AI Act readiness. NIST's companion Generative AI Profile (NIST AI 600-1), published in July 2024, extends the framework with risks specific to generative models.

How episki helps

episki turns the AI RMF into a working program: a live registry of your AI systems, models, and agents; the Govern-Map-Measure-Manage workflow as repeatable tasks and evidence; and crosswalks that let the same work feed your ISO 42001 certification and EU AI Act obligations — so AI governance is one program, not three.

NIST AI RMF outcomes with episki

Quantify the impact security and compliance bring to your business.
  • 4 functions: Govern, Map, Measure, and Manage implemented as a working AI risk workflow.
  • AI inventory: A live registry of AI systems, models, and agents with owners and risk tiers.
  • ISO 42001 mapped: AI RMF outcomes cross-walked to ISO 42001 and the EU AI Act for reuse.

Why teams choose episki for NIST AI RMF

Framework-specific automation, collaboration, and reporting in one workspace.
Govern, Map, Measure, Manage
The four AI RMF functions as a repeatable workflow, not a PDF.
  • Govern — AI policy, roles, and accountability
  • Map and Measure — context, risks, and metrics
  • Manage — prioritized treatments and monitoring
AI and agent registry
Inventory every model, system, and autonomous agent with its risk profile.
  • Use-case and model inventory with owners
  • Third-party and foundation-model tracking
  • Generative AI Profile considerations built in
One AI program, many frameworks
AI RMF evidence feeds ISO 42001 certification and EU AI Act obligations.
  • Crosswalk to ISO 42001 (AIMS)
  • Crosswalk to EU AI Act risk tiers
  • Reuse security evidence from ISO 27001 / SOC 2

NIST AI RMF readiness inside episki

What an AI governance program needs in place.

Plug episki into your stack and work directly from this checklist during the free trial.

  • AI system, model, and agent inventory
  • AI governance policy and accountable roles (Govern)
  • Context and risk mapping per AI use case (Map)
  • Risk metrics and evaluation evidence (Measure)
  • Risk treatments, monitoring, and incident response (Manage)
  • Crosswalks to ISO 42001 and the EU AI Act

NIST AI RMF accelerators

AI risk program accelerators

Stand up trustworthy-AI governance without starting from a blank page.
  • AI use-case intake: Capture new AI systems and agents with risk tiering at request time.
  • Risk profile builder: Map and measure risks against the trustworthy-AI characteristics.
  • ISO 42001 / EU AI Act crosswalk: See which AI RMF outcomes satisfy which 42001 clauses and AI Act obligations.

Build a trustworthy-AI program in episki

Run the NIST AI RMF once and reuse the work for ISO 42001 and the EU AI Act.