Turning the NIST AI Risk Management Framework Into a Working System
How we adapt the AI RMF's four functions into a custom, auditable risk framework that matches how your team actually uses AI.
The NIST AI Risk Management Framework gives you four functions to work through: Govern, Map, Measure, and Manage. Turning it into something real means mapping each function to how your specific team uses AI, then producing the artifacts an auditor can actually read. A copied policy fails because it describes a generic organization that does not exist. Yours has to describe yours.
We build AI RMF-aligned risk frameworks for organizations that need governance to hold up under HIPAA, HITRUST, SOC 2, or PCI DSS scrutiny. Here is how we make the framework do work instead of sitting in a binder.
The four functions, briefly
The AI RMF is intentionally not a checklist. It is a structure for thinking about AI risk across the life of a system.
- Govern establishes the culture, roles, and accountability that the other three functions depend on. It is the only function that runs continuously across all the others.
- Map builds context. What is this AI system for, who does it affect, what could go wrong, and what is the impact if it does.
- Measure assesses the risks you mapped using methods you can repeat. It turns "this feels risky" into evidence.
- Manage acts on what you measured, prioritizing and treating risks, and deciding what to accept.
The functions are not strictly sequential. Govern wraps the whole thing, and you cycle through Map, Measure, and Manage as systems change.
Why a copied policy fails
We regularly review governance documents that were lifted from a template or another company. They share the same problem: they describe controls for AI uses the organization does not have, and they miss the uses it actually relies on.
A copied policy talks about model training pipelines when your team only calls hosted models through an API. It mandates bias testing for a recommendation engine you do not run. Meanwhile the marketing team is pasting customer data into a public chatbot every afternoon, and the policy says nothing about it because the template author never imagined your workflow.
An auditor sees through this immediately. The tell is a policy that does not match the evidence. When the document claims you review every model output and the logs show no such review, the gap becomes the finding. A framework only protects you when it describes what you really do and you can prove you do it.
Map controls to how your team actually uses AI
The Map function is where a custom framework earns its keep. Before writing a single control, we inventory the real AI usage across the organization.
That inventory usually surfaces three categories:
- Sanctioned and built. Systems you designed, like a clinical summarization tool or an internal agent.
- Sanctioned but bought. Hosted models and AI features inside SaaS products your teams already pay for.
- Unsanctioned and present. The public chatbots and browser extensions staff use without approval. This category is almost always larger than leadership expects, and it carries the most concentrated risk.
Once the inventory is honest, we attach controls to each use case rather than to abstract categories. The control for an internal agent that touches patient records looks nothing like the control for a marketing assistant drafting blog copy. Same framework, different intensity, matched to actual impact.
A good risk register entry from this work ties a real use case to real controls and a named owner. Take a clinical note summarization tool that runs in an isolated cloud tenant and handles protected health information. The entry names the two risks that matter for it, PHI leaking through a prompt and an inaccurate summary affecting care. It records how those risks get measured, in this case a monthly sample of summaries reviewed by clinicians. It lists the controls applied: vendor retention disabled, every output flagged for human confirmation, and access logged on each request. Then it names the owner, the Director of Clinical Informatics, and the review cadence, quarterly. Each entry captures the same seven things: the use case, where it runs and how sensitive its data is, the risks mapped to it, how each risk is measured, the controls in place, the person accountable for it, and how often it is reviewed.
Measure with methods you can repeat
The Measure function asks for evidence, and evidence has to be repeatable. A one-time check that nobody runs again is not measurement, it is reassurance.
For each mapped risk we define how it gets measured and how often. For an accuracy risk, that might be a monthly sample of model outputs reviewed by a qualified human, with the error rate recorded. For a data leakage risk, it might be an automated scan of outbound traffic and a periodic review of what the model received. The method matters less than its consistency. Auditors trust a modest measurement you run every month more than an elaborate one you ran once.
Manage means deciding, on the record
The Manage function is where risk decisions get made and written down. Not every risk gets eliminated. Some you accept because the cost of treating them exceeds the harm, and that decision is legitimate as long as someone with authority makes it and signs it.
We help organizations record three things for every significant risk: the treatment chosen, the residual risk that remains after treatment, and the name of the person who accepted it. That last item is what separates a governed organization from one that merely hopes nothing goes wrong.
What an auditor wants to see
When an assessor reviews your AI governance, they are checking that the framework is real and lived in, not written and shelved. The artifacts that demonstrate this are consistent across frameworks.
- A current AI system inventory that matches what is actually running.
- A risk register tying each use case to mapped risks, controls, and an owner.
- Evidence the measurements happened, with dates and results, not just a plan to measure.
- Records of risk acceptance decisions with the accountable signature.
- Logs showing the controls operate, such as access records and human review confirmations.
- A revision history proving the framework changes as your AI usage changes.
The through-line is traceability. An auditor should be able to start at any control and follow it to the risk it addresses, the use case it protects, and the evidence it works.
Working with us
We build AI RMF-aligned risk frameworks that match how your organization actually uses AI, then help you produce the artifacts that hold up under audit. If your current policy reads like it could belong to anyone, that is a sign it belongs to no one. Reach out and we will help you build one that is genuinely yours.
Published Jun 4, 2026 · 6 min read