Governance & guardrails
NIST AI RMF certification: why there isn't one, and what to do instead
NIST AI RMF certification is the thing people go looking for after a customer or a board asks them to "get certified" against the framework. The honest answer surprises them: there is nothing to get certified against. Here's why, what you can actually show instead, and where a real certificate does exist if that's what you need.
The common misconception
The search term "NIST AI RMF certification" almost always comes from the same moment: a customer's security questionnaire, a board request, or an RFP asks you to be "certified" against the NIST AI RMF, and you go looking for the certificate. People assume it works like ISO 27001 or ISO 42001, where an accredited auditor checks you and issues a certificate you can send to a customer. It does not. The assumption is reasonable, because the other names that arrive alongside the RMF do work that way. The RMF is the exception.
Why there is no certification
NIST built the AI RMF for voluntary use. It released version 1.0 on 26 January 2023 as a framework to help organizations reason about AI risk, not as a standard to be audited against. Two structural facts follow from that. First, NIST is a standards and research agency; for the AI RMF it is not a certification or accreditation body, and it has not set up a scheme for others to certify against it either. Second, the framework has no pass-or-fail controls. Its Core is functions, categories, and subcategories that describe outcomes to aim for, so there is nothing an auditor could tick as passed or failed even if a scheme existed. NIST also notes the AI RMF 1.0 is being revised, which is another reason no fixed certifiable version is pinned down.
What "conformance" and "attestation" actually mean here
Because there is no certificate, the honest word for what you do is self-attestation. You state that you have adopted the framework, and you back the statement with evidence. That evidence is the same set of artifacts the framework asks you to produce: an AI policy and clear accountability, an inventory of your AI systems tiered by risk, impact assessments and evaluations on the high-risk ones, and a current-versus-target profile that shows where you are against where you intend to be. A current-versus-target profile is the closest thing the RMF has to a conformance statement, because it documents your posture honestly, including the gaps.
So when a questionnaire asks whether you "conform to" or are "aligned with" the NIST AI RMF, the truthful answer is a description of what you have implemented plus the artifacts that prove it, not a certificate number. Buyers who know the framework understand this; the ones who wrote "certified" into the question usually meant "show us you take AI risk seriously," and the artifacts answer that better than a certificate would. Our NIST AI RMF Playbook walkthrough lists exactly which artifacts to produce.
The fork: individuals versus organizations
Most of the confusion clears up once you separate two very different things the word "certification" is doing.
For individuals, there are certificates. Third-party training providers run courses on using the AI RMF and award a personal credential at the end. That is a real, useful thing for a person building a career in AI governance, but it certifies that a human took a course, not that an organization manages AI risk well. Tillerbridge sells no training and issues no certificates, so we have no stake in which course you pick; we just want you to know it is a personal credential, not an organizational one.
For organizations, there are two real routes and neither is a NIST certificate:
- Implement the RMF and self-attest. Stand up the four functions, produce the artifacts, and state your alignment. This is the right answer when the ask is "show us you govern AI," which is most asks.
- Pursue ISO/IEC 42001 certification. When a customer, regulator, or board genuinely needs a third-party certificate, that is what ISO 42001 is for, and the work you did for the RMF carries most of the way there.
Where ISO 42001 is the certifiable route
ISO/IEC 42001:2023, published in December 2023, is the first AI management system standard, and unlike the RMF it is certifiable. An accredited certification body runs a stage 1 and stage 2 audit and issues a certificate on a three-year cycle with surveillance in between. It maps closely to the NIST AI RMF (NIST publishes an official crosswalk), so a program built to the four functions covers most of what an ISO 42001 auditor will look for. Roughly: the NIST AI RMF tells you how to reason about AI risk, and ISO 42001 gives you the certificate someone else will accept.
Whether that certificate is worth the cost is a real question with an honest answer, and we wrote it up with numbers in our ISO 42001 certification cost guide. The full path from readiness to certificate is in our ISO 42001 certification guide. Tillerbridge is not a certification body: accredited bodies certify, and we do the readiness and remediation that gets you ready for their audit.
What to do next
If the ask was "get certified against the NIST AI RMF," the answer is to implement it and show your work, and to reach for ISO 42001 only if a real certificate is genuinely required. The way to know which one you need is to look at what is actually being asked and at your own systems. That is the first thing our fixed-scope AI risk assessment settles, and if you want the framework stood up rather than explained, that is NIST AI RMF implementation. For the wider picture, start at the NIST AI RMF hub.
One line of hygiene: this page is general information, not legal advice. For what a specific contract, regulator, or customer requires of you, read the request carefully and talk to counsel.
Questions people ask
- Is there a NIST AI RMF certification?
- No. NIST certifies no organization against the AI RMF, and there is no audit or certificate at the end of adopting it. The framework is intended for voluntary use; you self-attest that you follow it. NIST is a standards body, not a certifying or accrediting one for this framework.
- Can a company be certified against the NIST AI RMF?
- Not by NIST or by anyone accredited to certify against it, because no such certification scheme exists. What a company can do is implement the framework and produce evidence of alignment, or, if it needs a real third-party certificate for its AI management system, pursue ISO/IEC 42001 certification instead.
- Is there a NIST AI RMF certificate for individuals?
- Sort of, and this is where the confusion starts. Third-party training providers sell personal certificates in using the framework. Those are credentials for a person who took a course, not certification of an organization's AI program. Tillerbridge sells no training and issues no certificates; we point you at the distinction so you buy the right thing.
- What is the difference between NIST AI RMF and ISO 42001 certification?
- The NIST AI RMF cannot be certified; ISO/IEC 42001 can. NIST gives you a voluntary method and you self-attest. ISO/IEC 42001:2023 is a management-system standard an accredited body audits in stage 1 and stage 2, issuing a certificate on a three-year cycle. Roughly: NIST tells you how to reason about AI risk, ISO gives you a certificate someone else will accept. We map both, capability by capability, in our AI compliance framework crosswalk.
- How do you prove NIST AI RMF compliance?
- You attest to it and back the attestation with artifacts: an AI policy, a system inventory, risk tiering, evaluations on high-risk systems, and a current-versus-target profile. There is no compliance certificate to hold up, so "proof" is your documentation plus a clear statement of what you have adopted. Our NIST AI RMF Playbook walkthrough lists the artifacts to produce.
- Is the NIST AI RMF mandatory?
- No. NIST states it is intended for voluntary use, and there is no penalty for ignoring it. It still matters because US enterprises, insurers, and federal guidance treat it as the default reference, and contracts increasingly ask vendors to align with it. Search demand for it is up 142 percent year on year, which tracks with how often it now shows up in agreements.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.