
NIST AI Risk Management Framework: Governing AI in Practice

1 June 2026·7 min read·Cyber Horizon Team

The NIST AI Risk Management Framework (AI RMF 1.0) is fast becoming the common language for managing AI risk. It’s voluntary and not a law — but its structure is showing up in contracts, procurement and board questions, and it pairs naturally with the EU AI Act and ISO 42001.

Four functions

The framework organises AI risk work into four functions that run continuously across the AI lifecycle:

  • Govern: Build a culture of risk management — policies, accountability, roles, and oversight across the organisation.
  • Map: Establish context: what the AI system is for, who it affects, and where risks and impacts could arise.
  • Measure: Analyse and track risks — test for bias, robustness, security, explainability and validity with appropriate metrics.
  • Manage: Prioritise and act on risks, allocate resources, and respond to and recover from incidents.

Trustworthy AI characteristics

The RMF anchors everything to characteristics of trustworthy AI: valid and reliable, safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. These are the qualities your “Measure” work assesses.

How it fits with the EU AI Act and ISO 42001

Framework    | Nature               | Best for
-------------|----------------------|-------------------------------
NIST AI RMF  | Voluntary guidance   | A practical risk process
ISO 42001    | Certifiable standard | An auditable management system
EU AI Act    | Regulation (law)     | Legal obligations in the EU

Use the AI RMF to run the work, ISO 42001 to certify it, and map both to the EU AI Act where it applies.

Getting started

  • Inventory your AI systems and the decisions they influence.
  • Stand up the Govern function first — roles, policy and accountability.
  • Map context and Measure the trustworthy-AI characteristics that matter for each system.
  • Manage: prioritise risks, document mitigations, and plan for AI incidents.
  • Map your RMF work to ISO 42001 and the EU AI Act so the effort counts more than once.

The bottom line

The NIST AI RMF gives you a pragmatic, lifecycle approach to AI risk without waiting for regulation to force your hand. Govern, Map, Measure, Manage — run it now, and it becomes the backbone for ISO 42001 certification and EU AI Act compliance later.

Govern AI with the rest of your programme

Cyber Horizon supports the NIST AI RMF, ISO 42001 and the EU AI Act on a shared control library — so your AI governance is evidence-backed and audit-ready, not a side project.
