Governance & guardrails
NIST AI RMF implementation
NIST AI RMF implementation is the work of turning the framework from a document into a program your teams actually run. We do that with you, and unlike most firms selling it, we'll tell you what it costs before you talk to anyone.
What you get
The four functions, translated into things that exist rather than a slide deck:
- an AI policy and a clear line of accountability (Govern)
- an inventory of every AI system and vendor tool, tiered by risk (Map)
- evaluations, model cards, and monitoring thresholds on the systems that earned the scrutiny (Measure)
- a risk-treatment plan, human oversight, and an incident runbook for what's live (Manage)
- a current-versus-target profile so the program is a roadmap, not a one-time push
How the engagement runs
We start small on purpose. The first step is a fixed-scope AI risk assessment: we inventory what you're running, tier the risk, and hand you a gap report with a first-90-days plan mapped to the four functions. If the honest recommendation is that a policy and an inventory are most of what you need, that's what the report says. Build and ongoing work follow only when the assessment shows they're worth paying for.
What it costs
The assessment is $20,000 to $80,000 over 3–6 weeks; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. For context, published 2026 ranges for a scoped implementation run $50,000–$250,000, and that band is a single scoped build; multi-system, multi-year programs run seven figures and beyond, and scale like that is work we take. We publish our range because we'd want it published if we were buying.
What we don't do
We're not a certification body, and the NIST AI RMF has no certificate to audit for anyway; you self-attest that you've adopted it (the honest version is on our NIST AI RMF certification page). We sell no training, resell no software, and take no vendor commissions, so a recommendation only ever has one reason behind it. If you're headed for a certificate, that's ISO/IEC 42001, and we do the readiness work while an accredited body does the audit.
Who does the work
The senior people at Tillerbridge are Nick Major, an engineer, and Isaac Major, an operator. What you see in the first call is who does the work. Backgrounds are on the about page. The standing version of this engagement, once the framework is in place, is AI governance consulting.
Questions people ask
- What does NIST AI RMF implementation involve?
- Turning the four functions (Govern, Map, Measure, Manage) into things that exist: a policy and clear accountability, an inventory of every AI system tiered by risk, evaluations and monitoring on the high-risk ones, and the artifacts that show your work. We use the NIST AI RMF Playbook as the menu of actions and adapt it to your systems, not the other way around.
- Do we need an ML team to implement the NIST AI RMF?
- No. The framework was written to be usable by a compliance, security, or legal lead, and it applies whether you build models or, far more commonly, buy them from vendors. Most of the work is inventory, policy, risk tiering, and oversight of tools you did not build. That is exactly the gap we fill.
- How much does NIST AI RMF implementation cost?
- Engagements start with a fixed-scope assessment at $20,000 to $80,000 over 3–6 weeks; where in that range depends on scope: how many systems and teams we assess, company size, and regulatory exposure. Build and ongoing work are scoped after that, only if the assessment shows they are worth paying for. For wider context, published 2026 ranges for a scoped implementation run $50,000–$250,000, and that band is a single scoped build; multi-system, multi-year programs run seven figures and beyond, and scale like that is work we take.
- Is this the same as certification?
- No. There is no NIST AI RMF certification; you self-attest that you have adopted it. We implement it and leave you able to show your work. If you need a third-party certificate for an AI management system, that is ISO/IEC 42001, and we do the readiness work for it. The full explanation is on our NIST AI RMF certification page.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.