The NIST AI RMF, read from your code.

The NIST AI Risk Management Framework is the reference point boards, insurers and enterprise buyers keep reaching for — and it is voluntary. There is no certification, no accredited assessor, no badge. What exists is evidence: which AI systems actually run in your code, what they touch, and how that maps to the framework's four functions. That's the read we produce.

What the framework is

Voluntary by design. No certification exists.

NIST released the AI Risk Management Framework (AI RMF 1.0) on January 26, 2023 — explicitly voluntary, non-sector-specific, and use-case agnostic. In July 2024 it added a Generative AI Profile (NIST-AI-600-1) with suggested actions for generative-AI risks. In 2025 NIST was directed to revise the framework, so treat any summary — including this one — as a read of the 1.0 text, not a permanent fixture.

The framework organizes AI risk work into four functions, broken into 72 subcategories. NIST is explicit that it is not a checklist: organizations may select the categories and subcategories that fit their context.

The framework's own gap method is profile comparison: a Current Profile of where your AI risk practices stand, against a Target Profile of where they need to be. The gap between them is the work. Every credible version of that comparison starts with an inventory nobody has to take on faith.

The NIST AI RMF Technical Profile

The code-visible half of the framework, evidenced.

A Current Profile is only as good as its evidence. Questionnaires produce what people remember; the code records what is actually there. Our Technical Profile reads the codebase and produces the framework's code-visible evidence — mapped subcategory by subcategory, in NIST's own Current Profile / Target Profile format, with gaps ranked for remediation.

We map evidence to the framework. We do not certify — nobody can — and we do not claim a scan makes you compliant with anything. We surface what exists so the gap analysis stands on source-traced fact.

01 · MAP

The AI inventory

Every model, LLM call, API and AI-touching dependency in the code — including the shadow AI nobody reported. This is the system inventory the Map function assumes you already have, and that most companies don't.

02 · MEASURE

Testing & monitoring evidence

What the framework's Measure function asks to see: documented test sets and TEVV tooling, production monitoring, validity and fairness evaluation artifacts — found in code, tests, CI and observability, or documented as absent.

03 · VALUE CHAIN

Models & dependencies

The Generative AI Profile's value-chain risk, read directly: which pre-trained models, procured datasets and third-party libraries your AI actually depends on, traced through the package tree and integration points.

What the code can't tell you. The Govern function — policies, accountable roles, training records, risk tolerances — is organizational evidence, and no code read can see it. We say so in the deliverable rather than papering over it: the Technical Profile covers the code-visible subcategories and states plainly which ones need a governance review. That's what makes the rest of it credible.

Why it comes up

Nobody is required to adopt it. Everyone is asked about it.

01

Boards & investors

“Where are we against the NIST framework?” is becoming a standing board question. A framework-mapped, source-traced answer beats a slide of assurances.

02

Enterprise procurement & insurers

Security questionnaires and AI riders increasingly borrow the RMF's vocabulary. Answering from an evidenced Current Profile is faster and safer than improvising per questionnaire.

03

Regulation converging on it

US state AI laws and the EU AI Act ask for the same underlying facts the framework organizes: which systems, what data, what decisions, what oversight. Map once from the code; reuse it across every regime that reaches you.

NIST AI RMF, answered

Common questions.

Is there a NIST AI RMF certification?

No. There is no NIST certification, accreditation, or authorized-assessor program for the AI RMF — unlike FedRAMP or CMMC. NIST designed the framework to be voluntary and non-prescriptive. Any vendor claiming to make you “NIST certified” or “NIST compliant” is claiming something NIST itself does not offer. The honest ceiling is alignment: mapping your AI systems and practices to the framework's functions and documenting the gaps.

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework (AI RMF 1.0, released January 26, 2023) is a voluntary framework for managing risks from AI systems. It organizes the work into four functions — Govern, Map, Measure, and Manage — broken into categories and 72 subcategories. NIST states the framework is not a checklist: organizations may select the categories and subcategories that fit their context. In July 2024 NIST added a Generative AI Profile (NIST-AI-600-1) with suggested actions for generative-AI risks.

What is a NIST AI RMF gap assessment?

NIST's own method: compare a Current Profile (where your AI risk practices stand today) against a Target Profile (where they need to be), which NIST says “likely reveals gaps to be addressed,” with action plans to close them. NIST does not prescribe a profile template, so the quality of a gap assessment rests on the quality of its evidence. Ours starts from the code: the actual inventory of AI systems, what data they touch, and what testing and monitoring exists around them.

Which parts of the framework can be evidenced from code?

The Measure function is the most code-visible: documented test sets and TEVV tooling, production monitoring, validity and reliability evidence, and fairness evaluation artifacts all leave traces in code, tests, CI and observability infrastructure. The Map function's system inventory, and the Generative AI Profile's value-chain risk — pre-trained models, procured datasets, software dependencies — are also readable from the code. The Govern function is not: policies, roles and training records are organizational evidence, which is why a credible full-framework assessment pairs a code read with a governance review.

Does the Colorado AI Act give a safe harbor for NIST AI RMF conformity?

Not anymore. The original Colorado SB 24-205 (2024) referenced risk-management frameworks including the NIST AI RMF in its affirmative-defense provisions. But Colorado repealed and reenacted its AI law in 2026 as SB 26-189, which dropped the risk-management-program mandate — the reenacted text does not mention NIST. Framework alignment remains valuable evidence of reasonable care, but do not rely on a statutory safe harbor; confirm what currently applies with counsel.

This page is general information, not legal or compliance advice, based on AI RMF 1.0 (January 2023) and the Generative AI Profile (July 2024); NIST has been directed to revise the framework. We produce the technical read — the source-traced, framework-mapped evidence — that your counsel and risk owners apply to the obligations that actually bind you.

Know where you stand against the framework.

Three weeks. Fixed price. Read-only. A NIST AI RMF Technical Profile: every AI system in your code, mapped to Govern, Map, Measure and Manage — gaps ranked, in NIST's own profile format.
