Unorma

NIST AI RMF

The NIST AI RMF Playbook Explained: Govern, Map, Measure, Manage

A practical walkthrough of the NIST AI Risk Management Framework's four core functions, with the actions and artifacts each one expects you to produce.

Zofia Kubiak
Zofia Kubiak

July 1, 2026 · 12 min read

NIST AI RMF

The NIST AI Risk Management Framework (AI RMF) is voluntary, which is exactly why so many teams underestimate how much structure it actually has. The Playbook — NIST’s companion guidance to the AI RMF Core — turns four short function names into a genuinely usable implementation guide. Here is what each function requires in practice, and how to use the Playbook without getting lost in it.

TL;DR

  • The NIST AI RMF Core has four functions: Govern, Map, Measure and Manage. Govern is cross-cutting — it wraps around the other three rather than running before or after them.
  • Map establishes context: what the AI system does, who it affects, and what could go wrong. Measure analyzes and benchmarks those risks. Manage prioritizes and responds to them.
  • The Playbook is explicitly not a checklist — NIST designed it as a menu of suggested actions you pick from based on your use case, not a sequence you must complete in full.
  • Each function breaks into categories and subcategories with specific suggested actions — the Playbook is where those actions actually live, not in the AI RMF Core document itself.
  • The framework is voluntary in the US but increasingly used as the de facto structure referenced by procurement teams, insurers and other frameworks like ISO 42001.

What the NIST AI RMF and Playbook Actually Are

The AI RMF Core (published January 2023) defines four functions, their categories and subcategories, and the outcomes each one should produce. The Playbookis a separate, companion resource that gives suggested actions, references and guidance for how to actually achieve each of those outcomes. If the Core tells you what “good” looks like, the Playbook is where you find how to get there.

The Four Functions, Explained

GOVERN (cross-cutting)MAPEstablish context& frame riskMEASUREAnalyze, benchmark& monitorMANAGEPrioritize& respond to risk
The NIST AI RMF Core: Govern wraps around Map, Measure and Manage as a continuous cycle.
FunctionWhat it meansTypical output
GovernPolicies, processes and accountability structures for managing AI risk across the whole organization — this function is cross-cutting, informing all the othersAI governance policy, defined roles, risk tolerance statement
MapEstablish the context for a specific AI system: its purpose, intended use, affected stakeholders and potential impactsSystem context documentation, stakeholder impact analysis
MeasureAnalyze, benchmark and monitor AI risks using quantitative, qualitative or mixed methodsRisk metrics, testing results, ongoing monitoring plan
ManagePrioritize and respond to risks identified in Map and Measure, and plan for incidentsRisk treatment plan, incident response plan, residual risk decisions

Categories and Subcategories: The Real Depth of the Framework

Each function breaks down further into categories, and each category into subcategories with specific outcomes — this is the level of detail that actually determines what a team does day to day, and it's substantially larger than the four function names suggest.

FunctionCategoriesSubcategoriesWhat they cover
Govern6 (Govern 1–6)19Policy, accountability structures, workforce diversity, third-party risk, and organizational commitment to trustworthy AI
Map5 (Map 1–5)18Intended purpose and legal requirements, technical methods and known limitations, costs and benefits, third-party risks, and impact characterization
Measure4 (Measure 1–4)22Identifying appropriate metrics, evaluating trustworthy characteristics, tracking risks over time, and gathering feedback
Manage4 (Manage 1–4)13Prioritizing risk response, allocating resources, and planning for incidents and recovery

That's 19 categories and 72 subcategories across the full Core — which is exactly why the Playbook exists: nobody memorizes 72 subcategories, but a well-organized program tracks progress against them per AI system.

Why Govern Isn't 'Step One'

A common misreading of the RMF is to treat Govern, Map, Measure and Manage as four sequential steps. NIST is explicit that Govern is cross-cutting — it should be infused throughout Map, Measure and Manage, not completed once at the start and forgotten. In practice, this means governance policies get revisited every time you map a new system or manage a new risk, not just during an annual policy review.

How to Use the Playbook Without Getting Lost in It

NIST is explicit that the Playbook “is neither a checklist nor set of steps to be followed in its entirety.” Organizations are meant to borrow the suggestions relevant to their use case and risk tolerance, not implement every subcategory identically.

  1. Start with Govern — establish who owns AI risk decisions before you map your first system.
  2. Pick one AI system and run it through Map — document its purpose, users and potential harms.
  3. Use Measure to decide what evidence would actually tell you if the mapped risks are materializing (metrics, testing, red-teaming).
  4. Use Manage to decide what you'll do about risks that exceed your tolerance — mitigate, transfer, accept, or avoid.
  5. Repeat Map through Manage for each AI system — Govern stays constant as the umbrella that ties them together.

Voluntary in Law, Mandatory in Practice

The AI RMF carries no legal penalty for non-adoption in the US. In practice, it has become a reference structure that procurement teams, cyber insurers, and even other regulations point to when asking “how do you manage AI risk?” It also maps closely enough to frameworks like ISO 42001 and the EU AI Act that work done for one substantially reduces the work needed for the others.

Who Actually Uses Each Function Day to Day

FunctionPrimary ownerTypically consulted
GovernCompliance / risk leadershipLegal, executive sponsor
MapProduct owner for the AI systemData science, affected business unit
MeasureData science / ML engineeringCompliance, quality assurance
ManageCompliance / risk leadershipProduct, engineering, executive sponsor

A Simple Maturity Model for RMF Adoption

NIST doesn’t prescribe a maturity model, but many organizations layer a simple one on top of the RMF to track progress honestly rather than treating adoption as binary.

StageWhat it looks like
Ad hocIndividual teams apply risk practices inconsistently, with no shared Govern policy
DevelopingA Govern policy exists; Map, Measure and Manage are applied unevenly across systems
ManagedAll AI systems go through Map, Measure and Manage consistently, tracked centrally
OptimizingMetrics from Measure actively inform policy updates in Govern — the loop closes

Common Pitfalls When Adopting the RMF

  • Treating the four functions as a waterfall. Teams that finish Map once and never revisit it miss how the framework is meant to operate continuously.
  • Trying to implement all 72 subcategories at once. NIST explicitly designed the Playbook to be selective — pick what fits your use case and risk tolerance.
  • Measuring without a clear Map first. Metrics chosen before context is established often measure the wrong thing.
  • No feedback loop back to Govern. Findings from Measure and Manage should update policy — organizations that skip this repeat the same gaps every cycle.

Turning the Playbook Into an Operating Program

Where software helps

The hardest part of the AI RMF isn’t understanding the four functions — it’s tracking Map, Measure and Manage activity consistently across every AI system you have, especially as Govern policies evolve. Unorma’s AI inventory and gap analysis are mapped directly to the RMF’s functions, categories and subcategories, so each system carries its own live Govern/Map/Measure/Manage status instead of a static spreadsheet. Read next: AI Risk Management: A Practical Framework for Getting Started.

Primary Source

Frequently asked questions

Is the NIST AI RMF a legal requirement?

No, it's voluntary in the United States. There is no penalty for non-adoption, but it's increasingly referenced by procurement processes, insurers and other frameworks as the expected structure for AI risk management.

Do I need to complete Map before Measure, and Measure before Manage?

Broadly yes for a given AI system — you need context (Map) before you can meaningfully measure risk, and measurement before you can prioritize a response (Manage). Govern, however, runs continuously across all three rather than being a one-time first step.

Is the Playbook the same document as the AI RMF Core?

No. The AI RMF Core defines the functions, categories and subcategories and their intended outcomes. The Playbook is a separate, more detailed companion resource with suggested actions and references for achieving those outcomes.

How does the NIST AI RMF relate to ISO 42001 and the EU AI Act?

They overlap substantially in intent — risk-based governance of AI systems — though each has its own structure and legal status. Many organizations map evidence once and use it to satisfy multiple frameworks rather than running separate programs.

How many categories and subcategories does the AI RMF Core actually have?

19 categories and 72 subcategories across the four functions: Govern (6 categories, 19 subcategories), Map (5, 18), Measure (4, 22) and Manage (4, 13).

Do we need to implement all 72 subcategories?

No — NIST explicitly designed the framework to be selective. Organizations choose the subcategories relevant to their use case and risk tolerance rather than implementing every one uniformly.

Who should own the NIST AI RMF program inside an organization?

Govern and Manage are typically owned by compliance or risk leadership, while Map and Measure are usually driven by the product owner and data science/ML engineering team for each specific AI system.

Is there an official NIST maturity model for RMF adoption?

No, NIST doesn't publish one. Many organizations layer their own simple maturity model (e.g. ad hoc, developing, managed, optimizing) on top of the RMF to track adoption progress honestly.

About the author

Zofia Kubiak
Zofia Kubiak

Compliance Specialist

Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.

View full profile