[Photo: The NIST North Building on the agency's campus. Credit: dokaspar / CC BY-SA 3.0 (Wikimedia Commons)]

NIST AI RMF Two Years In: What Adoption Actually Looks Like

The NIST AI Risk Management Framework published in January 2023. Two years later, federal agencies have catalogued it in compliance checklists, but implementation evidence lags far behind adoption claims. What the gap looks like, and why it matters for enforcement.

By NeuralWatch Desk · 8 min read

The NIST AI Risk Management Framework — released in January 2023 after two years of public drafting — has become the most cited AI governance document in the United States. Federal procurement language cites it. Agency AI strategies reference it. Vendor marketing decks tout alignment with it. A growing body of state legislation directs agencies to apply it.

What the document does not have is a compliance mechanism. It is a framework, not a standard, and NIST was explicit that it “is not intended to be used as a checklist.” That distinction has not stopped institutions from using it as one, which creates a specific problem: widespread nominal adoption producing a false picture of how much AI risk management is actually happening.

What the RMF says, precisely

The AI RMF 1.0 organizes AI risk management into four functions: GOVERN, MAP, MEASURE, and MANAGE. Each function has categories and subcategories. The document is explicit that the functions are not a sequence — an organization does not “complete” GOVERN and then move to MAP. They are intended to operate in parallel, continuously, with different teams responsible for different functions depending on organizational role.

The GOVERN function covers organizational policies, culture, and accountability structures for AI. MAP covers contextual understanding of the AI system — what problem it solves, who it affects, what the failure modes look like. MEASURE covers quantitative and qualitative risk evaluation. MANAGE covers response, prioritization, and recovery plans for identified risks.

The framework’s own introduction acknowledges that operationalizing any of these functions requires organization-specific decisions the framework does not make for you. It provides categories of action, not procedures. Two organizations can both “adopt the AI RMF” with implementations that differ by an order of magnitude in rigor.

OMB M-24-10 and the federal mandate

Executive Order 14110, issued in October 2023, directed OMB to issue guidance on federal agency AI governance. The result was OMB Memorandum M-24-10, published in March 2024.

M-24-10 established several concrete requirements for federal agencies, the ones this article returns to below being that each agency designate a Chief AI Officer, maintain and publish an AI use case inventory, and apply elevated risk management practices to AI uses that impact rights or safety.

The memo specifically referenced the AI RMF as a resource agencies should use — not a standard they must certify against, but a framework to draw on in developing their risk management approaches.

The GAO’s assessment

In early 2024, the Government Accountability Office published GAO-24-106648, an assessment of federal AI governance progress against the AI RMF and related requirements. The findings were diplomatic but pointed.

The GAO reviewed 23 federal agencies against a set of leading practices it derived from the AI RMF and related documents. The headline finding: no agency had fully implemented any of the four AI RMF functions. Average implementation rates ranged from 40 to 60 percent across the functions assessed. The MAP function — the one requiring actual analysis of system-specific context and affected populations — had the lowest implementation rate.

The GAO identified three recurring gaps:

Inventory incompleteness. Federal agencies are required to maintain AI use case inventories, but the inventories consistently undercounted systems. The GAO found systems that met the definition of AI — and that agencies were actively using for decisions affecting individuals — that were absent from public inventories. The reason given was definitional uncertainty about what counts as AI, which the GAO noted is a gap the AI RMF was partly intended to address but does not resolve.

Impact assessment avoidance. The “impacting rights or safety” threshold in M-24-10 requires agencies to apply elevated risk management practices to certain high-risk applications. The GAO found that agencies were in some cases avoiding the elevated requirements by classifying systems below the threshold — reasoning that did not always withstand scrutiny. Predictive analytics used in benefits eligibility decisions, for instance, appeared in agency documentation in ways that understated the directness of the system’s role in individual outcomes.

No CAIO authority in practice. The Chief AI Officer designation requirement created new titles more readily than it created new decision-making authority. The GAO found that in several agencies, the designated CAIO had no independent budget authority, no veto over AI procurement, and no mandate to conduct post-deployment reviews. The title existed; the governance function it was supposed to anchor did not.

What this looks like for state-level AI laws

Several states have passed or are actively developing AI laws that reference the NIST AI RMF. Colorado’s SB 21-169 on AI use in insurance underwriting predates the RMF but established a precedent for risk management requirements that later state legislation has built on. California’s executive order on AI directed state agencies to develop AI risk management frameworks “consistent with” NIST guidance. Texas HB 149 on automated decision systems in certain benefit contexts uses language that maps to MAP and MANAGE function concepts.

The problem the federal GAO identified translates directly to the state context: referencing a voluntary framework in mandatory language does not make the framework mandatory in the ways that count. A state law that says an agency must use a risk management approach “consistent with the NIST AI RMF” without specifying which functions, which subcategories, which documentation artifacts, and what independent review mechanism creates an obligation that is practically impossible to enforce.

The better-drafted state-level provisions — and some emerging ones are better — specify the following: what an impact assessment must contain, who conducts the review (independent or internal), what must be publicly disclosed, and what the remedy is when the assessment was not conducted or was materially incomplete. Without those specifics, a requirement to follow the RMF is a compliance-documentation exercise, not a governance one.

For practitioners

If you are a compliance or GRC lead at an organization using the AI RMF — federal agency, contractor, state entity, or private organization that has adopted it as a reference — three practices distinguish substantive implementation from checkbox adoption:

Document MAP function outputs for deployed systems, not just new ones. The MAP function requires analysis of the intended use, affected populations, potential harms, and societal context of each AI system. Most organizations do this during development and skip it for legacy systems. Deployed systems in production use — often for years — are the highest-risk category and the most likely gap in any external assessment.

Test MEASURE function coverage against your actual impact categories. The MEASURE function calls for quantitative and qualitative evaluation of identified risks. The question to ask is whether your measurement approaches actually cover the harms your MAP function identified. A bias evaluation that runs on demographic proxies but misses intersectional effects is a MEASURE function gap, not a MEASURE function completion.

Verify CAIO or equivalent authority. The GAO’s finding on nominal CAIOs with no authority applies outside the federal context as well. The person designated as AI risk lead should have documented authority to slow or halt AI deployment when risk management requirements are not met. If the governance role is purely advisory, it is not governance.

Sources

  1. NIST AI Risk Management Framework 1.0 (January 2023)
  2. OMB Memorandum M-24-10: Advancing Governance, Innovation, and Risk Management for Agency Use of AI
  3. Federal AI Use Case Inventory (AI.gov)
  4. GAO: Artificial Intelligence: Agencies Have Begun Implementing Key Practices But Significant Work Remains (GAO-24-106648)
  5. Executive Order 14110 on Safe, Secure, and Trustworthy AI (October 2023)