Hael
FRAMEWORK

NIST AI RMF

The US risk-management framework for AI. Voluntary guidance, organised around four functions — Govern, Map, Measure, Manage — and the de facto baseline US enterprises and regulators expect.

Coverage · NIST AI RMF (updated 2 min ago)
Framework coverage: 88% · Obligations mapped: 4 functions / 19 categories · +4% wk · Files on record: 6 · 7-day trend
Recent activity: Annex IV v4 (Approved) · FRIA v2 (Approved) · Monitoring plan v1 (Draft)
THE OBLIGATION

A framework, not a law — but the baseline buyers and regulators expect.

NIST AI RMF is voluntary and carries no certification path, yet it has become the common language for AI risk in the US. It is organised around four functions — Govern, Map, Measure, Manage — each broken into categories and subcategories.

Enterprise procurement and US regulators increasingly treat a credible RMF profile as table stakes. The work is not a certificate; it is demonstrable practice across the four functions, evidenced.

At a glance
Applies to: US enterprises and anyone selling AI into them
Your likely role: Risk owner across the AI lifecycle
Key deadline: Voluntary — expected by enterprise buyers now
Penalty exposure: No direct penalty; a gating factor in procurement and a defence reference under state laws
ARTEFACTS

The files this framework actually requires.

NIST names practices, not paperwork. Hael turns each function into evidenced, versioned records.

Files · Evidence pack
AI RMF Profile (PDF) · v3 · updated 2 min ago · Approved
Govern Function Record (PDF) · v2 · updated 14 May · Approved
Risk Map — Map Function (PDF) · v2 · updated 11 May · Approved
Measurement Plan — Measure (PDF) · v1 · updated 04 May · Draft
Management & Monitoring Record — Manage (PDF) · v1 · updated 02 May · Draft
System Inventory (PDF) · v2 · updated 28 Apr · Approved

GRC tools tell you these are missing. Hael generates them — from each system's real configuration.

THE DIFFERENCE

A checklist tells you what's missing. Hael puts it on record.

NIST tells you what good practice looks like. Hael produces the evidence that you do it.

Typical GRC tool
AI RMF Profile: upload required
Govern Function Record: upload required
Risk Map — Map Function: upload required
Measurement Plan — Measure: upload required
Management & Monitoring Record — Manage: upload required
System Inventory: upload required

Tracks the gap. You still author every document.

Hael
AI RMF Profile · v3 · Generated 2 min ago
Govern Function Record · v2 · Generated · Approved
Risk Map — Map Function · v2 · Generated · Approved
Measurement Plan — Measure · v1 · Generated · Draft
Management & Monitoring Record — Manage · v1 · Generated · Draft
System Inventory · v2 · Generated · Approved

Generated from each system's real configuration, versioned, and kept current as it changes.

HOW HAEL WORKS

Discover, classify, produce — for NIST AI RMF.

01 DISCOVER

Find the systems in NIST AI RMF scope, including embedded third-party AI.

Inventory · 14 systems
Credit scoring engine: high
HR screening bot: high
Salesforce Einstein: limited

02 CLASSIFY

Assess each against NIST AI RMF's risk tiers and obligations.

Risk tier: Prohib. · High · Limited · Min.
Role: Provider · Art. 9 · 11 · 14

03 PRODUCE

Generate the NIST AI RMF records, versioned and current.

Generated files
Annex IV v4: Approved
FRIA v2: Approved
Monitoring v1: Draft

COVERAGE

Every obligation, mapped to the control that satisfies it.

Rows are the framework's clauses.

Columns are the controls and files that satisfy them.

Cells update as the underlying configuration changes.

Coverage Map · Obligation → Control · 4 obligations · 5 controls · 88% covered
Controls (columns): Profile · Inventory · Risk Map · Measurement · Monitoring
Obligations (rows): GOVERN · MAP · MEASURE · MANAGE
GOVERN × Profile: v3 · sealed

MAPPING

Clause by clause.

Obligation | What it requires | Hael control / file | Status
GOVERN | Policies, accountability and culture for AI risk | Govern Function Record | Approved
MAP | Establish context and identify risks | Risk Map | Approved
MEASURE | Analyse, assess and track risks | Measurement Plan | In progress
MANAGE | Prioritise and act on risks | Management & Monitoring Record | Draft

REUSE

Author once. Satisfy many.

An RMF profile shares most of its substance with ISO/IEC 42001's management system and the EU AI Act's risk-management process. Author the practice once; evidence it against all three.

→ shared evidence: ISO/IEC 42001 · EU AI Act · SOC 2

Trust & Security
SOC 2 Type II · ISO/IEC 27001 · EU & US data residency · SSO / SCIM · Encryption in transit & at rest · Audit logging

On record before the buyer asks, not after the deal stalls.

Hael turns the four NIST functions into evidenced, versioned records — ready for enterprise procurement and as a defensible baseline under emerging state laws.