NIST AI RMF Implementation
The NIST AI Risk Management Framework (AI RMF 1.0) provides a structured approach to governing, mapping, measuring, and managing AI risks. We assess your coverage across all four functions.
Scope note: NIST AI RMF is a voluntary framework with 72+ subcategories. We assess the subcategories directly testable through code analysis and endpoint testing (primarily MEASURE-2.x and MAP-1.x). Full framework adoption requires organisational policy and governance work beyond tooling.
What is the NIST AI RMF?
The NIST AI Risk Management Framework (NIST AI 100-1) was published in January 2023 as a voluntary framework for organisations that design, develop, deploy, or use AI systems. It provides a structured process for identifying, assessing, and managing AI risk throughout the AI lifecycle.
Unlike prescriptive regulations, the AI RMF is outcome-based — organisations define their own AI risk appetite and implement controls appropriate to their context and risk level.
The Four RMF Functions — What We Cover
Each function represents a category of activities for managing AI risks across the lifecycle.
AI Risk Governance
Establish policies, accountability, and culture for AI risk management. Covers organisational risk appetite, roles & responsibilities, and AI lifecycle oversight.
HAIEC coverage: We assess governance gaps: missing AI security policies, undocumented model provenance, and absence of human oversight for high-stakes AI decisions.
- GOVERN 1.1 — AI risk policy
- GOVERN 1.4 — Risk management strategy
- GOVERN 2.1 — Roles & responsibilities
- GOVERN 1.2 — AI risk tolerance
AI Risk Identification
Understand context, intended use, and risk categories. Identify what could go wrong with the AI system and who it affects.
HAIEC coverage: We identify AI-specific risk categories: attack surface mapping (prompt injection, tool abuse, RAG poisoning), third-party dependency risks, and deployment context risks.
- MAP 1.1 — AI system context
- MAP 5.1 — Vulnerability identification
- MAP 2.1 — Data pipeline risks
- MAP 1.6 — Third-party AI providers
AI Risk Analysis & Testing
Analyse, prioritise, and plan for identified AI risks. This includes test, evaluation, verification, and validation (TEVV) activities.
HAIEC coverage: Our 91-rule static scanner and 22-category runtime tester directly implement NIST AI RMF MEASURE subcategories. MEASURE-2.7 maps to our prompt injection scanner (R1).
- MEASURE 2.5 — AI output testing
- MEASURE 2.6 — Bias evaluation
- MEASURE 2.7 — Adversarial testing
- MEASURE 2.10 — Privacy risk analysis
AI Risk Response & Recovery
Prioritise and implement risk responses. Manage residual risks, incident response for AI failures, and continuous improvement.
HAIEC coverage: We generate prioritised remediation guidance (P0–P3 priority) and audit artifacts for your MANAGE function evidence. MANAGE-1.1 maps to our R1 prompt injection mitigations.
- MANAGE 1.1 — Risk response plans
- MANAGE 1.3 — Incident management
- MANAGE 2.2 — Residual risk tracking
- MANAGE 4.1 — Improvement mechanisms
Which NIST AI RMF Subcategories We Test
Direct mapping between HAIEC rules and NIST AI RMF subcategories.
Who This Assessment Is For
What the Assessment Produces
RMF Function Coverage Score
Percentage coverage across all four functions (GOVERN, MAP, MEASURE, MANAGE) with breakdown by subcategory.
Trustworthiness Characteristics Report
Assessment across the 7 NIST AI trustworthiness characteristics: valid, safe, secure, resilient, explainable, privacy-enhanced, and fair.
Risk Prioritisation Matrix
AI risks ranked by likelihood and impact, mapped to RMF subcategories with specific remediation actions.
Implementation Roadmap
Phased roadmap to improve AI RMF coverage, with estimates for quick wins vs. longer-term governance changes.
Assess Your NIST AI RMF Coverage
~12 minutes. Covers all four RMF functions with specific subcategory evidence generation.
No signup required • Free • Voluntary framework, not a certification