NIST AI RMF
Implementing NIST AI RMF Software: A 30/60/90 Day Rollout Plan
A concrete 30/60/90-day rollout plan for implementing NIST AI RMF software, with specific deliverables and milestones at each stage.
May 14, 2026 · 7 min read
NIST AI RMF
Buying NIST AI RMF software is the easy part — plenty of implementations stall right after, either by trying to configure everything at once or by never moving past the trial account. Here's a concrete 30/60/90-day plan with a specific deliverable at each stage.
TL;DR
- Days 1-30 focus on configuration and proving the platform on one AI system, not rolling out to everything at once.
- Days 31-60 expand to your priority (highest-risk) systems, using lessons from the first system to move faster.
- Days 61-90 bring in the full AI inventory and establish the recurring review cadence that keeps profiles current.
- Each phase has a specific, checkable deliverable — not just 'in progress' status.
- The most common stall point is trying to configure the platform for every system simultaneously in week one.
Three Phases, Each Building on the Last
Days 1-30: Configure and Prove It on One System
| Task | Deliverable |
|---|---|
| Configure Govern policy and roles in the platform | Policy document live in the system |
| Register one AI system | Complete system record |
| Run Map, Measure, Manage on that system | First complete current/target profile |
Days 31-60: Expand to Priority Systems
| Task | Deliverable |
|---|---|
| Register remaining high-risk AI systems | All high-risk systems in the platform |
| Run Map/Measure/Manage on each | Complete profiles for all high-risk systems |
| Train additional team members on the platform | At least 2 people able to operate it independently |
Days 61-90: Full Inventory and Steady State
| Task | Deliverable |
|---|---|
| Register remaining lower-risk AI systems | Complete organization-wide inventory |
| Set recurring review schedule per risk tier | Automated review reminders active |
| Produce a first full risk profile export | A document you could hand to a customer or auditor today |
The Most Common Stall Point
Trying to configure the platform for every AI system in week one, before proving the process works on a single system. This multiplies confusion instead of progress — proving the workflow once, then scaling it, is consistently faster than parallelizing from day one.
Who Owns Each Phase
| Phase | Primary owner | Supporting roles |
|---|---|---|
| Days 1-30 | Compliance/risk lead | Executive sponsor for policy sign-off |
| Days 31-60 | Compliance/risk lead | Engineering leads for the priority systems being registered |
| Days 61-90 | Compliance/risk lead | Newly trained team members operating the platform independently |
How to Know Each Phase Actually Succeeded
- Day 30: the first system has a complete, reviewed current/target profile — not just a registered name
- Day 60: every high-risk system has an assigned owner and a documented profile, and at least one more person can operate the platform
- Day 90: a real risk profile export could be handed to a customer or auditor today, without extra preparation
Primary Sources
- NIST — AI Risk Management Framework
- NIST — AI RMF Playbook
Beyond Day 90: What Steady State Actually Requires
Reaching day 90 successfully doesn't mean the work is finished — it means the RMF program has shifted from a one-time project to an ongoing practice. The risk is that momentum built during the rollout fades once the initial push ends, especially if review reminders are the only thing keeping profiles current.
| Ongoing practice | Why it matters after day 90 |
|---|---|
| Quarterly portfolio review | Catches systems whose profiles have quietly gone stale |
| New-system onboarding checklist | Keeps new AI systems from bypassing the process that took 90 days to build |
| Annual policy refresh | Keeps Govern connected to real findings from Measure and Manage, not frozen at launch |
Where Unorma Fits
Built for this exact rollout
Frequently asked questions
Should we configure the software for all our AI systems immediately?
No — prove the process on one system first in the first 30 days, then expand to priority systems, then the full inventory. Parallelizing from day one is the most common stall point.
What should be complete by day 30?
Govern policy configured, one AI system fully registered, and its first complete current/target risk profile produced.
What does 'steady state' look like by day 90?
The full AI inventory registered, a recurring review schedule active per risk tier, and a first complete risk profile export you could hand to a customer or auditor.
How many people should be trained on the platform by day 60?
At least two, so the program doesn't depend entirely on a single person's availability going forward.
What happens after day 90?
The program shifts from a one-time rollout to an ongoing practice — quarterly portfolio reviews, a new-system onboarding checklist, and an annual policy refresh keep it from quietly losing momentum.
What's the risk of stopping active management right after day 90?
Profiles that were current at rollout can go stale within a couple of quarters if review reminders are the only thing maintaining them — ongoing practice has to replace the initial push.
Can this 30/60/90 plan be compressed for a smaller organization?
The stages can move faster with fewer systems and less coordination overhead, but the sequence itself — prove on one system, expand to priority systems, then scale fully — still holds regardless of organization size.
What if leadership wants to see results before day 30?
Share the first system's completed current/target profile as an early proof point — it's a concrete deliverable that demonstrates the approach is working before the full 90-day plan concludes.
What's the single biggest predictor that a rollout will succeed?
A named, accountable owner who drives all three phases — rollouts split across multiple people without one clear lead consistently lose momentum somewhere between day 30 and day 90.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.