Governance & guardrails
The NIST AI RMF Playbook, and how to actually apply the four functions
The NIST AI RMF Playbook is NIST's companion to the framework, the part that tells you what to actually do rather than what to aim for. This is the practitioner's version: how to apply the four functions step by step, how the profiles work, and the artifacts you produce along the way. If you want the plain explanation of what the framework is first, that's the NIST AI RMF hub.
The Playbook versus the framework
People conflate the two, so it is worth separating them once. The framework is NIST AI 100-1, released 26 January 2023: it defines the four functions and the outcomes trustworthy AI should reach, and it is intentionally general. The Playbook is the companion that suggests, for each subcategory of the Core, actions you could take, references to consult, and documentation to produce. It lives in NIST's Trustworthy and Responsible AI Resource Center, alongside a roadmap, the official crosswalks, and use-case profiles.
Two things about it save you a lot of wasted effort. It is voluntary, so you use the suggestions that fit your systems and skip the rest; nobody is grading completeness. And it is not a checklist you pass, because the RMF has no pass-or-fail controls in the first place. NIST also notes the AI RMF 1.0 is being revised, so treat the current text as a living baseline, not a fixed specification.
How to use the Playbook, in one paragraph
Do not read it front to back. Set up Govern and a first inventory (Map), tier your AI systems by risk, and then, for each high-risk system, open the Playbook to the Measure and Manage subcategories that apply and pick the handful of suggested actions worth doing. The Playbook is a menu you shop from per system, not a program you complete once. The output of that shopping is a set of artifacts, and the artifacts are what let you show, later, that you managed the risk on purpose.
The four functions, and what to produce for each
The Core is organized into four functions, each broken into categories and subcategories. Three of them (Map, Measure, Manage) run as a loop over a system's life; the fourth, Govern, sits underneath all of them as the policy and accountability everything else depends on. Here is what the Playbook offers for each function and, more usefully, the artifacts that prove you did it.
| Function | What the Playbook gives you | Artifacts to produce |
|---|---|---|
| Govern | Suggested actions for writing an AI policy, assigning roles and accountability, setting a risk tolerance, and putting oversight on the AI you buy from vendors. | AI policy, a roles-and-accountability map, a written risk-tolerance statement, and vendor requirements you can point to in a contract. |
| Map | Suggested actions for establishing each system’s context, categorizing it, documenting intended use and foreseeable misuse, and mapping who it affects. | An AI system inventory, a one-page context note per system, an impact assessment, and a risk register with each system tiered. |
| Measure | Suggested actions for choosing metrics and evaluating the trustworthiness characteristics that matter for the system: accuracy, harmful bias, security, robustness, and the rest. | Evaluation and test plans with their results, model or system cards, bias and security test records, and the monitoring thresholds you will watch in production. |
| Manage | Suggested actions for prioritizing the risks you measured, treating them, monitoring live systems, responding to incidents and drift, and retiring systems. | A risk-treatment plan, a production monitoring setup, an incident-response runbook, a change log, and an updated current-versus-target profile. |
A step-by-step walkthrough
A realistic order for a medium-to-large company that has AI in production but no formal program yet:
- Govern: write the policy and name the owner. Before you touch a single system, decide who is accountable, what your AI policy says, and what your risk tolerance is. This is a short document and a named person, not a committee and a quarter. The Playbook's Govern subcategories give you the prompts; the artifact is a policy your people can follow and a clear line of accountability.
- Map: inventory everything, then tier it. List every AI system, vendor tool, and dataset, including the shadow tool a department signed up for on a credit card. For each, write a one-page context note: what it does, who it affects, and where it could fail. Then tier the list by risk, because a customer-facing model that decides something about a person needs far more scrutiny than an internal drafting tool. Skipping Map is the most common failure; you cannot measure risk in systems you have not found.
- Measure: evaluate the systems that earned it. For each high-risk system, use the Playbook's Measure subcategories to choose which trustworthiness characteristics matter here and how you will test them. The artifacts are evaluation results, a model or system card, and the monitoring thresholds you will watch once it is live.
- Manage: decide, treat, and monitor. Prioritize the risks you measured, decide what to mitigate now and what to accept, and write the decisions down. Put human oversight and incident response on the live systems that need it, monitor them, and log what changes. Document the deferrals too: which subcategories you are not doing yet, why, and what compensates.
- Loop back through Govern. Feed what you learned into the policy, revisit the profile, and repeat. NIST built the framework circular on purpose, and it is still revising it, so budget for re-reading the source a couple of times a year.
A worked example of selecting actions
Say the system is a customer-facing support chatbot. You are not going to apply all four functions in full to it in one sitting; you shop the Playbook for the actions that fit. Under Map, you document its intended purpose, its users, and its foreseeable misuse, and you write a one-page context note. Under Measure, the trustworthiness characteristics that actually matter here are accuracy, harmful bias in responses, and security against prompt injection, so you run those evaluations and keep the results, and you skip the ones that do not apply. Under Manage, you decide the residual risk is acceptable with human review on escalations and a monitored fallback, and you write that decision down with who signed off. That is the whole motion: pick the system, pick the handful of relevant actions, produce the artifact, move on.
Profiles: how you make it fit
A profile is how you turn the general framework into something specific to you, and it is the mechanism that keeps the Playbook from becoming busywork. Two kinds matter. A use-case profile tailors the functions and subcategories to a setting, so a hospital and a bank apply the same framework very differently. NIST's own Generative AI Profile (NIST AI 600-1), published 26 July 2024, is exactly this: it extends the Core with twelve GenAI-specific risks like hallucination, prompt injection, and data poisoning, and most companies start from it because generative AI is what they are actually deploying. A current-versus-target profile documents where your risk management is today against where you want it to be, which turns the whole framework into a roadmap you can budget against. You can adopt an existing profile or write your own.
The artifacts, collected
Implementation is easier to plan when you work backward from the documents you want to be holding at the end of a cycle. For a medium-sized company, that set is:
- an AI policy and a clear line of accountability
- an AI system inventory, kept current
- a one-page context note and risk tier per system
- an impact assessment for anything that affects a person's rights, safety, or access
- evaluation results and a model or system card for high-risk systems
- a risk register with treatment decisions and the deferrals you chose
- production monitoring, an incident runbook, and a change log
- a current-versus-target profile you revisit
None of these needs an ML team to start. The framework was written to be usable by a compliance, security, or legal lead, and it applies whether you build models or, far more commonly, buy them from vendors. If your AI is Copilot, a few SaaS features, and a chatbot, you are governing tools you did not build, which is its own real work.
Where this connects to ISO 42001 and the EU AI Act
The RMF rarely arrives alone. It maps closely to ISO/IEC 42001 (NIST publishes an official crosswalk) and covers roughly 60 to 70 percent of the EU AI Act's management-system and risk-governance requirements, so the artifacts above do double and triple duty. We mapped all three side by side, capability by capability, in our AI compliance framework crosswalk, which is the page to read before you decide how much to build.
What the Playbook won't do for you
It gives you suggested actions and a place to write things down. It does not discover your shadow models, run your evaluations, tier your inventory, or classify a system against the EU AI Act. That is the doing, and the doing is where most programs stall between a good intention and a working artifact. If you would rather have the four functions applied to your actual systems than read about them, that is our NIST AI RMF implementation engagement, and the fixed-scope first step is an AI risk assessment.
One line of hygiene: this page is general information, not legal advice. For obligations that apply to your specific systems, talk to counsel.
Questions people ask
- What is the NIST AI RMF Playbook?
- It is NIST's companion to the framework. Where the framework (NIST AI 100-1) describes the four functions and the outcomes to aim for, the Playbook suggests concrete actions, references, and documentation for each subcategory of the Core. It lives in NIST's Trustworthy and Responsible AI Resource Center. It is voluntary guidance, not a pass-or-fail checklist, and you are meant to use the parts that fit and skip the rest.
- How do I implement the NIST AI RMF?
- Stand up Govern and inventory your AI (Map) first, tier the inventory by risk, then run Measure and Manage on the systems that earned the scrutiny, using the Playbook's suggested actions as your menu. It is a loop, not a project with an end date. The realistic first milestone for most companies is an inventory, a short policy, and a risk tiering, which already puts you ahead of where you were.
- How long does it take to implement the NIST AI RMF?
- There is no finish line, because the framework is a continuous loop and NIST is still revising it. But a medium-sized company can produce the first useful artifacts, an inventory, a policy, and a risk tiering, in a few weeks, then build out Measure and Manage on high-risk systems over the following months. The effort scales with how many AI systems you run and how high the stakes are, not with the framework itself.
- Does the NIST AI RMF have a checklist?
- Not in the ISO or SOC 2 sense. The Core is organized as functions, categories, and subcategories that describe outcomes, not controls you pass or fail. The Playbook's suggested actions per subcategory are the closest thing to a checklist NIST publishes, and they are explicitly a menu to adapt, not a list to complete.
- Do I need the Playbook if I have the framework?
- The framework tells you what good AI risk management looks like; the Playbook tells you what you might actually do to get there. If you are implementing rather than just learning the model, the Playbook is where the practical suggestions and documentation prompts live. Neither is mandatory, and there is no certification at the end of either.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.