NIST AI RMF
NIST AI RMF Profiles: Building Your Organization's Risk Profile
A concrete guide to building a current and target risk profile under the NIST AI RMF, with a worked example and the fields a real profile needs.
May 13, 2026 · 7 min read
NIST AI RMF
"Build a NIST AI RMF profile" sounds abstract until you actually do it. A profile is just a structured answer to two questions — where are we now, and where should we be — applied to a specific AI system. Here's exactly what fields it needs, with a worked example.
TL;DR
- A profile has four core fields: system purpose and context, current risk posture, target risk tolerance, and the gap between them.
- Current profile describes where a system actually stands today; target profile describes where your risk tolerance says it should be.
- Profiles are built per AI system, not organization-wide — a single blended profile hides which systems actually need attention.
- The gap between current and target profile should generate specific, assigned actions, not just a descriptive comparison.
- Profiles should be revisited on a schedule, since a system's current profile shifts as it's retrained or used differently.
The Four Fields a Real Profile Needs
Current Profile vs. Target Profile
Current profile describes where a specific AI system actually stands today across Govern, Map, Measure and Manage. Target profile describes where your organization's risk tolerance says that system should be. The gap between the two is the actual work.
Build Profiles Per System, Not Organization-Wide
A single blended organization-wide profile hides exactly which systems need attention — a strong profile on your internal tools can mask a weak one on a customer-facing high-risk system. Build one profile per AI system.
Worked Example: A Hiring Screening Tool
| Field | Content |
|---|---|
| Purpose & context | Screens resumes for a technology role, used by HR with human final decision |
| Current profile | Govern: policy exists but not system-specific; Map: context documented; Measure: no bias testing yet; Manage: no formal treatment plan |
| Target profile | Bias testing run quarterly; documented treatment plan for any disparate impact found |
| Gap & actions | Assign bias testing owner, schedule first test within 30 days |
Profiles Aren't Static
- Revisit on a fixed schedule, more frequently for higher-risk systems
- Revisit immediately after retraining, a significant data change, or a new use case
- Treat a stale profile the same way you'd treat a stale risk register entry — a known gap, not a completed task
Primary Sources
- NIST — AI Risk Management Framework
- NIST — AI RMF Playbook
Sector and Use-Case Profiles
NIST also describes "profiles" at a broader level — a sector or use-case profile that captures common risk considerations shared across similar organizations, like healthcare AI or financial services AI. If your industry has a published or emerging community profile, it's a useful starting template for your own system-level target profiles rather than building the risk tolerance criteria entirely from scratch.
How to Document a Profile So It's Actually Useful Later
- Date the current profile assessment so staleness is visible at a glance
- Record who set the target profile and risk tolerance, not just what it says
- Keep the gap and its assigned actions in the same record as the profile itself, not a separate document
A Second Worked Example: A Customer Support Chatbot
| Field | Content |
|---|---|
| Purpose & context | Answers product questions for customers, escalates to a human agent below a confidence threshold |
| Current profile | Govern: general policy applies; Map: context documented; Measure: escalation rate tracked, no hallucination testing; Manage: no formal treatment plan |
| Target profile | Quarterly hallucination spot-checks against a sample of real conversations |
| Gap & actions | Assign an owner to build the sampling process, first check within 60 days |
Where Unorma Fits
Profiles per system, automatically
Frequently asked questions
What is a NIST AI RMF profile, concretely?
A structured record with four fields per AI system: its purpose and context, its current risk posture, your target risk tolerance for it, and the gap between the two.
Should we build one profile for the whole organization?
No — build one per AI system. An organization-wide blended profile hides which specific systems actually need attention.
How often should a profile be revisited?
On a fixed schedule based on risk tier, and immediately after retraining, a significant data change, or a new use case for the system.
What should happen with the gap between current and target profile?
It should generate specific, assigned actions with owners and deadlines — not just remain a descriptive comparison nobody acts on.
What's a sector or use-case profile?
A broader NIST concept describing common risk considerations shared across similar organizations in an industry — a useful starting template for your own system-level target profiles rather than building risk tolerance from scratch.
What details make a documented profile useful months later?
A date on the current profile assessment, a record of who set the target profile and tolerance, and the gap's assigned actions kept in the same record rather than a separate document.
Does a chatbot need a different kind of profile than a hiring tool?
The four fields stay the same, but the specific risk scenarios and measures differ — a chatbot's target profile might focus on hallucination sampling, where a hiring tool's focuses on bias testing.
Who should be able to see a system's profile besides its owner?
Compliance leadership at minimum, and ideally anyone who might need to produce it on short notice for a customer, insurer or regulator — a profile only one person can access defeats much of its purpose.
Key terms in this article
About the author

Compliance Specialist
Compliance specialist focused on management-system standards and risk frameworks, helping teams turn certification requirements into working programs.
View full profileKeep reading
More from the blog
AI Compliance Software
AI Compliance Software
What Is AI Compliance Software? A Complete Guide for 2026
AI compliance software turns scattered spreadsheets and PDFs into a live system of record for every AI system you build or use. Here's what it does, who needs it, and how to evaluate it.
EU AI Act
EU AI Act
EU AI Act Deadlines in 2026 and 2027: What the Digital Omnibus Actually Changed
In May 2026, EU lawmakers provisionally agreed to delay the AI Act's high-risk deadlines. Here's exactly what changed, what didn't, and what's legally binding today.
ISO 42001
ISO 42001
ISO 42001 Certification Requirements: The Complete Checklist
ISO 42001 has 10 clauses and 38 Annex A controls. This is the complete, plain-language checklist for what you actually need to have in place before your audit.