NIST AI Risk Management Framework: Implementation Guide for UK Businesses
A practical guide to implementing the NIST AI Risk Management Framework in a UK business context. Covers the four core functions — Govern, Map, Measure, Manage — with UK regulatory adaptation.
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework published by the US National Institute of Standards and Technology that organises AI risk management into four core functions: Govern, Map, Measure, and Manage (NIST, 2023). For UK businesses, it provides a structured methodology for identifying and mitigating AI risks — but requires adaptation for UK regulatory context, since it does not address UK GDPR, the ICO's AI guidance, or the DSIT five principles directly. The framework is free to use, does not require certification, and works well as an internal risk management tool regardless of company size. UK businesses should start with the Govern function — establishing accountability and policy — and layer in Map, Measure, and Manage as AI use matures.
What is the NIST AI RMF?
The AI Risk Management Framework was published by NIST in January 2023 to provide organisations with a structured, flexible approach to managing the risks of AI systems (NIST, 2023). It is not sector-specific, not legally binding, and designed to be adopted in full or in part depending on the organisation's AI maturity and risk profile.
The framework was developed through extensive public consultation and draws on international standards including ISO 31000 (risk management) and the OECD AI Principles. It is among the most widely referenced AI risk frameworks, with adoption across US federal agencies, multinational corporations, and increasingly UK organisations seeking a structured approach to AI governance.
For UK businesses, the NIST AI RMF fills a gap: the UK government's five AI principles tell you what to aim for, but not how to operationalise it. The NIST AI RMF provides the "how" — a set of activities and outcomes you can implement, measure, and audit.
The four core functions
The framework organises AI risk management into four functions, each containing categories and sub-categories. The NIST AI RMF Playbook (NIST, 2023) provides suggested actions for each sub-category.
1. Govern
Govern is the cross-cutting function that establishes the organisational context for AI risk management. It covers: defining roles and responsibilities, setting risk tolerances, establishing policies and processes, building a culture of responsible AI, and ensuring legal and regulatory compliance. For UK businesses, this is where you embed UK GDPR obligations, ICO guidance, and the DSIT five principles into your AI governance structure.
Start here. Without governance foundations — a named owner, a policy, a risk appetite — the other three functions have no anchor.
2. Map
Map identifies and documents the context in which your AI systems operate. This includes: cataloguing your AI tools and use cases, identifying the data they process, understanding who is affected by AI outputs, and mapping the potential harms — to individuals, to the organisation, and to third parties. For UK businesses, mapping should explicitly include personal data flows to AI tools (a UK GDPR requirement) and any automated decision-making that may engage Article 22 of the UK GDPR (UK GDPR, 2016).
3. Measure
Measure establishes quantitative and qualitative methods for assessing AI risks. This includes: defining metrics for AI system performance, fairness, and reliability; testing for bias and accuracy; and monitoring AI outputs over time. Most UK SMEs will not need sophisticated measurement programmes — but establishing even basic metrics (e.g. error rates, user complaints, data incidents) creates a baseline for improvement and demonstrates due diligence.
4. Manage
Manage is where you act on what Govern, Map, and Measure have identified. It covers: prioritising risks based on severity and likelihood, implementing mitigations (policy changes, access controls, tool replacements), planning for incidents and failures, and establishing feedback loops so that AI risk management improves over time. This is the function that connects governance to day-to-day operations.
How UK businesses should adapt the NIST AI RMF
The NIST AI RMF was written for a US audience. UK businesses need to make several adaptations to ensure regulatory alignment:
- UK GDPR integration: The Govern function should reference UK GDPR obligations, particularly Articles 5 (processing principles, including data minimisation), 22 (automated individual decision-making) and 35 (data protection impact assessments). Map should explicitly track personal data flows to AI tools, since a DPIA is only possible once you know which tools receive which data.
- ICO guidance: The ICO's guidance on explaining AI decisions (ICO, 2024) should inform both the Govern (policy) and Measure (transparency metrics) functions.
- DSIT five principles alignment: Map the five UK AI principles — safety, security and robustness; appropriate transparency and explainability; fairness; accountability and governance; contestability and redress (DSIT, 2023) — against the NIST functions. Each principle has a natural home: safety, security and robustness map to Measure and Manage; transparency and explainability to Govern and Map; fairness to Measure; accountability and governance to Govern; and contestability and redress to Manage.
- Sector-specific regulation: If your business is regulated by the FCA, CMA, Ofcom, or another UK regulator with AI guidance, integrate their specific requirements into the relevant NIST function.
Step-by-step implementation for SMEs
You do not need to implement the entire framework at once. A phased approach works for most UK SMEs:
- Month 1 — Govern: Appoint an AI governance owner. Write or update your AI acceptable use policy. Define your risk appetite for AI use.
- Month 2 — Map: Run an AI tools audit. Document every AI tool, what data it accesses, and who uses it. Identify any automated decision-making.
- Month 3 — Measure: Establish baseline metrics — even simple ones like "number of AI tools in use", "number of unsanctioned tools found", "data incidents involving AI". Set targets for the next quarter.
- Month 4+ — Manage: Act on findings. Revoke access to high-risk unsanctioned tools. Implement approval processes for new tools. Schedule quarterly reviews.
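The Map, Measure and Manage steps above can be backed by a single inventory record per tool, with the baseline metrics and the Month 4 priority order derived from it rather than maintained by hand. The script below is an added example, not code from this page or from Governably: the inventory schema, the sample tools and the severity and likelihood weights are all assumptions, and the four tools listed are constructed, not real products or findings.

```python
"""AI tool inventory audit (added example; schema, sample data and weights are assumptions)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AITool:
    """One row of the Map-phase inventory. Field names are this example's assumption."""
    name: str
    owner: str
    sanctioned: bool           # approved under the AI acceptable use policy
    personal_data: bool        # processes personal data, so UK GDPR is engaged
    special_category: bool     # Article 9 data (health, ethnicity, ...)
    automated_decisions: bool  # solely automated decisions with legal or similar effect
    dpia_completed: bool       # an Article 35 DPIA exists for this use
    users: int


# Constructed sample inventory; none of these are real products or findings.
INVENTORY: List[AITool] = [
    AITool("Sanctioned chat assistant", "ops-lead", True, True, False, False, True, 40),
    AITool("CV screening tool", "hr-manager", True, True, False, True, False, 3),
    AITool("Browser translation plug-in", "unknown", False, True, True, False, False, 12),
    AITool("Code completion", "it-manager", True, False, False, False, False, 8),
]


def map_findings(tool: AITool) -> List[str]:
    """Map function: record the UK GDPR-relevant facts the framework says to document."""
    findings: List[str] = []
    if not tool.sanctioned:
        findings.append("unsanctioned: no approval and unknown data-handling terms")
    if tool.personal_data and not tool.dpia_completed:
        findings.append("personal data without a DPIA: assess whether Article 35 requires one")
    if tool.special_category:
        findings.append("special category data: an Article 9 condition is needed")
    if tool.automated_decisions:
        findings.append("solely automated decisions: Article 22 review and human oversight needed")
    return findings


def risk_score(tool: AITool) -> int:
    """Manage function: severity x likelihood on an ordinal 1-12 scale (assumed weights)."""
    severity = 1 + tool.personal_data + tool.special_category + tool.automated_decisions
    if not tool.sanctioned:
        likelihood = 3  # no contractual or technical controls are known to exist
    elif tool.personal_data and not tool.dpia_completed:
        likelihood = 2  # risks have not been assessed, so unmitigated ones are plausible
    else:
        likelihood = 1
    return severity * likelihood


def baseline_metrics(inventory: List[AITool]) -> Dict[str, int]:
    """Measure function: the simple counts the page suggests as a first baseline."""
    return {
        "tools_in_use": len(inventory),
        "unsanctioned_tools": sum(not t.sanctioned for t in inventory),
        "tools_processing_personal_data": sum(t.personal_data for t in inventory),
        "article_22_candidates": sum(t.automated_decisions for t in inventory),
        "personal_data_tools_without_dpia": sum(
            t.personal_data and not t.dpia_completed for t in inventory
        ),
    }


def prioritise(inventory: List[AITool]) -> List[Tuple[str, int, List[str]]]:
    """Highest score first, so the Month 4 work starts with the worst exposure."""
    ranked = [(t.name, risk_score(t), map_findings(t)) for t in inventory]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


if __name__ == "__main__":
    for key, value in baseline_metrics(INVENTORY).items():
        print(f"{key}: {value}")
    for name, score, findings in prioritise(INVENTORY):
        print(f"\n{name} (score {score})")
        for finding in findings:
            print(f"  - {finding}")
```

On the constructed data the unsanctioned plug-in handling special category data ranks first (score 9) and the CV screening tool second (score 6) because it makes solely automated decisions without a DPIA; that ordering, not the absolute numbers, is what the Manage step consumes. Re-running the script after each quarterly review gives the trend the Measure step asks for.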
NIST AI RMF vs UK regulatory requirements
The NIST AI RMF is not a compliance framework for any specific UK regulation. However, a well-implemented NIST AI RMF programme will cover most of the governance activities that UK regulators expect:
- ICO: Expects organisations to assess and mitigate risks of AI processing personal data — the Map and Measure functions address this directly.
- DSIT: The five AI principles are naturally accommodated within the four NIST functions.
- FCA / CMA / Ofcom: Sector regulators are developing their own AI guidance, but all reference the same core concepts — transparency, accountability, risk assessment — that the NIST AI RMF operationalises.
Adopting the NIST AI RMF does not guarantee regulatory compliance, but it demonstrates a systematic, documented approach to AI risk that regulators, clients, and insurers will recognise as credible.
How Governably helps with AI risk management
Governably automates key activities in the Map function — discovering AI tools connected to your business, identifying data access scopes, and surfacing credential exposures that increase AI-related risk. This gives you the inventory and risk data you need to implement the NIST AI RMF without weeks of manual discovery. Run a free scan to see what Governably finds across your email security, credential exposure, and AI tool access.
Frequently Asked Questions
Is the NIST AI RMF mandatory for UK businesses?
No. The NIST AI RMF is a voluntary framework published by the US National Institute of Standards and Technology. There is no UK law or regulation that requires its adoption. However, it is widely referenced by enterprise clients, insurers, and regulators as a credible approach to AI risk management, and adopting it voluntarily strengthens your governance posture.
How long does it take to implement the NIST AI RMF?
For an SME with fewer than 50 employees and a limited number of AI tools, a proportionate implementation of the core Govern and Map functions can be completed in four to six weeks. Full implementation across all four functions, including measurement baselines and ongoing management processes, typically takes three to six months depending on the complexity of your AI use.
Can an SME use the NIST AI RMF without a dedicated compliance team?
Yes. The framework is designed to be scalable. An SME can implement it with an existing IT manager or operations lead acting as the AI governance owner. The key is proportionality — you do not need to implement every sub-category in the framework, only those relevant to your AI risk profile.
How does the NIST AI RMF relate to UK GDPR?
The NIST AI RMF does not directly address UK GDPR, but the two are complementary. UK GDPR governs the processing of personal data, including by AI systems. The NIST AI RMF provides a broader risk management structure that can incorporate GDPR obligations — particularly around transparency, accountability, and data protection impact assessments — within its Govern and Map functions.
What is the difference between the NIST AI RMF and the NIST Cybersecurity Framework?
The NIST Cybersecurity Framework (CSF) focuses on protecting systems and data from cyber threats. The NIST AI RMF focuses specifically on risks arising from AI systems — including bias, lack of explainability, reliability failures, and misuse. They are separate frameworks that can be used together, with the AI RMF addressing risks that the CSF was not designed to cover.
Sources
- NIST. AI Risk Management Framework (AI RMF 1.0). nist.gov
- NIST. AI RMF Playbook. airc.nist.gov
- DSIT. AI regulation: a pro-innovation approach. gov.uk
- ICO. Explaining decisions made with AI. ico.org.uk
- UK Government. UK General Data Protection Regulation. legislation.gov.uk