NIST AI Risk Management Framework

The NIST AI Risk Management Framework (AI RMF), released in January 2023, is the most widely adopted voluntary framework for managing AI risk in the United States. It is organized around four core functions: Govern, Map, Measure, and Manage. Unlike regulation, it does not mandate compliance, but it has become a de facto standard for organizations demonstrating responsible AI practices to regulators, customers, and auditors.

Federal agencies are increasingly required to align AI deployments with the AI RMF. NIST is actively developing profiles for specific sectors and use cases. ISO 42001, the international AI management system standard, is broadly compatible with its structure.

This hub tracks NIST AI RMF updates, sector profiles, implementation guidance, and how the framework is being applied in enforcement and procurement contexts.

6 items

Practitioner Scorecard Maps Enterprise AI Governance Controls to NIST AI RMF and ISO 42001, Filling a Board Reporting Gap

CCG Catalyst has published a practitioner guide structuring enterprise AI governance programs around policy content, human-in-the-loop standards, validation, monitoring, roles, and committee reporting. The guide provides a board-style scorecard approach and explicitly maps control expectations to the NIST AI Risk Management Framework and ISO/IEC 42001. It is designed for compliance, risk, and audit teams that need operating metrics rather than high-level principles.

Holistic AI's Enterprise Governance Blueprint Maps Red Teaming and Human Oversight to NIST AI RMF and EU AI Act Requirements

TechUK has published a case study detailing how Holistic AI's governance platform operationalizes enterprise AI risk management by combining benchmarking, red teaming, fine tuning, human oversight, and assurance mapping to frameworks including the NIST AI RMF and the EU AI Act. The study provides a reference implementation for compliance teams building model evaluation gates, continuous monitoring programs, and multi-framework regulatory readiness processes. It is positioned as a practitioner blueprint for enterprises deploying or scaling large language models.

AI Governance Requires Integrated Privacy, Cybersecurity, and Legal Functions, ISACA Article Argues

ISACA published "Collaboration and the New Triad of AI Governance," an industry article arguing that effective AI governance requires the formal integration of privacy, cybersecurity, and legal functions across the full AI life cycle. The article references the EU AI Act, the NIST AI Risk Management Framework, and recent U.S. executive orders as converging frameworks that make siloed governance approaches inadequate. It calls on organizations to establish cross-functional accountability structures to address overlapping AI risks.

Microsoft, Google DeepMind, and xAI Grant U.S. Government Pre-Release Access to Frontier AI Models

Microsoft, Google DeepMind, and xAI have each signed formal agreements with CAISI—the Center for AI Standards and Innovation at NIST—granting the U.S. government pre-release access to frontier AI models for national security evaluation. The agreements extend a program that previously covered only Anthropic and OpenAI, and align with directives in America's AI Action Plan. Developers provide model versions with safety guardrails removed so government evaluators can probe for national security risks, including in classified testing environments. CAISI has already completed more than 40 such evaluations, including models not yet publicly available.

Claude Opus 4.7 ships with reduced cyber capabilities and new safety evaluations, Anthropic confirms

Anthropic has released Claude Opus 4.7, a general-availability model focused on advanced software engineering tasks including complex long-running workflows, precise instruction following, and self-verification. The release includes documented safety evaluations and a deliberate reduction in cyber capabilities compared to the earlier Mythos Preview model, with Anthropic stating those safeguards were tested on less capable models before deployment. Anthropic has publicly disclosed these capability constraints as part of its corporate safety policy, specifically targeting high-risk application areas such as cybersecurity. For enterprise compliance teams, the release is notable because it demonstrates a voluntary, documented model-level risk mitigation practice that aligns with emerging expectations under frameworks such as the EU AI Act and NIST AI RMF for transparency and pre-deployment safety assessment. Organizations deploying Claude Opus 4.7 in security-sensitive or software development contexts should review Anthropic's published safety evaluations to support their own internal risk documentation and vendor due diligence obligations.

Multi-Jurisdictional AI Governance Gaps Threaten Enterprise Compliance, arXiv Study Finds

A research preprint published on arXiv analyzes overlapping and conflicting regulatory requirements across multiple jurisdictions in AI governance, identifying critical implementation gaps organizations encounter when translating legal obligations into operational practice. The study covers frameworks spanning regions including the United States, European Union, and Asia-Pacific, cataloging where requirements converge and where they create conflicting compliance burdens. The research does not carry binding legal force but offers practitioners a structured comparison of control requirements across major regulatory regimes. For enterprise compliance teams operating across borders, the analysis highlights the practical challenge of designing unified AI governance programs that satisfy divergent local mandates simultaneously. Organizations managing AI systems under frameworks such as the EU AI Act, NIST AI RMF, and various state-level or national regulations may find the gap analysis useful for prioritizing remediation efforts and assessing where existing controls fall short.