Hael

NIST AI RMF requirements and core guide

Updated 30 June 2026 · 6 min read
Key takeaway
Because the NIST AI RMF is voluntary, it has no mandatory requirements in the way a law does. Instead it sets out expectations: a structured set of outcomes and actions, organised under its four functions and broken into categories and subcategories, that describe what good AI risk management looks like. Treating these as your working requirements is how most organisations use the framework.
  • The RMF is voluntary, so its "requirements" are recommended outcomes, not legal obligations.
  • Its content is structured as functions, categories, and subcategories, moving from high-level to actionable.
  • The Playbook offers suggested actions; profiles tailor the framework to a context or sector.
  • Adopt a deliberate subset for your systems and connect the expectations to real records.
  • Current as of June 2026. This is general information, not legal advice.

"Requirements" in a voluntary framework

It helps to be precise about language. The RMF does not require anything in the legal sense, and no authority enforces it. What it provides is a recommended structure. Organisations choose how fully to adopt it. So when people ask about NIST AI RMF "requirements," they usually mean the outcomes and actions the framework recommends, which you can adopt as your own internal standard.

The structure you work to

The framework's content is organised as follows:

  • Functions: The four high-level functions, Govern, Map, Measure, and Manage.
  • Categories: Each function breaks into categories, which group related outcomes (for example, within Govern, categories cover policies, accountability, and risk tolerance).
  • Subcategories: Categories break into specific outcomes and actions, which are the concrete things an organisation can do.

This structure lets you move from the high-level idea of "managing AI risk" down to specific, actionable steps.

The Playbook

NIST publishes a companion Playbook that gives suggested actions, references, and guidance for the categories and subcategories. It is not mandatory and is meant to be used selectively, but it is the most practical resource for turning the framework into concrete activity. Organisations typically use the Playbook to decide which actions are relevant to them.

Profiles

The framework also supports profiles, which are tailored applications of the RMF to a particular use case, sector, or set of requirements. A profile lets an organisation adapt the framework to its specific context rather than applying everything generically. This is how the RMF flexes to different industries and risk levels.

What to actually adopt

Because the framework is flexible, the practical task is deciding which of its outcomes matter for your AI systems and adopting those as your internal standard. A small organisation with one AI product will adopt a focused subset; a large enterprise with many systems will adopt more, and may build profiles for different contexts. The discipline is in choosing deliberately rather than either ignoring the framework or trying to do everything at once.

Making the expectations real

The framework's expectations only deliver value when they connect to actual artefacts: documented governance, a risk map per system, defined measurements, and tracked mitigations. Organisations that treat the categories and subcategories as a source of concrete records, rather than as an abstract checklist, get a working risk-management practice that they can also show to buyers and regulators.

Key terms

  • Categories: Groupings of related outcomes within each RMF function.
  • Subcategories: Specific outcomes and actions within each category, the concrete units of work.
  • Playbook: NIST's companion guide with suggested actions and references for each subcategory.
  • Profile: A tailored application of the RMF to a particular use case, sector, or requirement set.
