# NIST AI RMF

> 16 NIST AI Risk Management Framework requirements mapped to Observatory controls across Govern, Map, Measure, Manage.

NIST AI RMF organises risk management around four functions: **Govern**, **Map**, **Measure**, **Manage**. Observatory maps 16 of the framework's high-impact subcategories to operational controls.

***

## The four functions

```mermaid theme={"system"}
flowchart LR
    Govern["Govern<br/>(culture, policy, accountability)"] --> Map
    Map["Map<br/>(context, classification, scope)"] --> Measure
    Measure["Measure<br/>(testing, monitoring, evaluation)"] --> Manage
    Manage["Manage<br/>(prioritise, treat, communicate)"] -.feedback.-> Govern
```

A healthy AI RMF posture closes the loop: governance decisions feed mapping, mapping feeds measurement, measurement feeds management, and management updates governance.

***

## Mapped subcategories

### Govern (4 mapped)

| Subcategory                              | Backing controls                      |
| ---------------------------------------- | ------------------------------------- |
| Govern 1.1 — policies and procedures     | Policies + Audit Trail                |
| Govern 1.4 — accountability and roles    | RBAC + AI Registry ownership          |
| Govern 4.1 — AI risk management training | Manual evidence                       |
| Govern 5.1 — communication channels      | Manual evidence (incident-comms plan) |

### Map (4 mapped)

| Subcategory                            | Backing controls              |
| -------------------------------------- | ----------------------------- |
| Map 1.1 — AI system context            | AI Registry metadata          |
| Map 1.2 — intended use and limitations | AI Registry + manual evidence |
| Map 3.3 — record-keeping               | Telemetry + retention setting |
| Map 5.1 — third-party AI components    | AI Registry vendor section    |

### Measure (4 mapped)

| Subcategory                         | Backing controls                       |
| ----------------------------------- | -------------------------------------- |
| Measure 1.1 — relevant metrics      | Analytics                              |
| Measure 2.3 — performance over time | Drift Monitor                          |
| Measure 2.7 — security tests        | Policies (prompt-injection) + Evidence |
| Measure 4.2 — feedback mechanisms   | Thread feedback + Evidence             |

### Manage (4 mapped)

| Subcategory                              | Backing controls           |
| ---------------------------------------- | -------------------------- |
| Manage 1.1 — prioritise risks            | Risk Dashboard             |
| Manage 2.3 — incident response           | Alerts + Audit Trail       |
| Manage 3.1 — manage third-party risks    | AI Registry vendor section |
| Manage 4.1 — communicate to stakeholders | Compliance heatmap export  |

***

## Overlap with EU AI Act

Several NIST subcategories overlap directly with [EU AI Act](./eu-ai-act) requirements:

| NIST subcategory | Overlaps with                                |
| ---------------- | -------------------------------------------- |
| Govern 1.1       | EU AI Act Article 9 (risk management)        |
| Map 3.3          | EU AI Act Article 12 (record-keeping)        |
| Measure 2.3      | EU AI Act Article 15 (robustness)            |
| Manage 2.3       | EU AI Act Article 62 (incident notification) |

Closing one usually closes both. The [gap analysis](./gap-analysis-heatmap) prioritises remediation by cross-framework impact.

***

## Producing the audit pack

The pack has the same shape as the EU AI Act one: a ZIP containing per-subcategory evidence plus the framework score. Subcategories backed by manual evidence (Govern 4.1, Govern 5.1, Map 1.2) only carry what has actually been uploaded, so check those entries before handing the pack to an auditor.

```http theme={"system"}
POST /api/compliance/export?framework=nist-ai-rmf&app_id=...
```
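A small client that requests the NIST AI RMF pack and checks that every one of the 16 mapped subcategories actually carries evidence, as an added example (not Observatory's own code). The page does not document the ZIP's internal layout or the API's auth scheme, so the layout assumed here (one directory per subcategory, named like `govern-1.1/`, and a top-level `score.json`) and the bearer-token header are assumptions to replace after inspecting a real export; the sample pack built by `build_sample_pack` is constructed for offline runs.

```python
"""Fetch the NIST AI RMF audit pack and verify subcategory coverage.

Added example, not FlowX.ai code. Assumed ZIP layout (not stated on the page):
  <function>-<n.n>/<evidence files>   e.g. govern-1.1/policy.pdf
  score.json                           {"framework": "...", "score": <number>}
"""
import io
import json
import urllib.request
import zipfile
from typing import Callable, Dict, Iterable, List
from urllib.parse import urlencode

# The 16 subcategories the page maps, grouped by AI RMF function.
MAPPED_SUBCATEGORIES = {
    "govern": ["1.1", "1.4", "4.1", "5.1"],
    "map": ["1.1", "1.2", "3.3", "5.1"],
    "measure": ["1.1", "2.3", "2.7", "4.2"],
    "manage": ["1.1", "2.3", "3.1", "4.1"],
}

# Backed only by "manual evidence" on the page: present only if someone uploaded it.
MANUAL_EVIDENCE = {"govern-4.1", "govern-5.1", "map-1.2"}


def subcategory_ids() -> List[str]:
    return [f"{fn}-{sc}" for fn, scs in MAPPED_SUBCATEGORIES.items() for sc in scs]


def export_url(base_url: str, app_id: str, framework: str = "nist-ai-rmf") -> str:
    # urlencode keeps app_id safe even if it contains spaces or '&'.
    query = urlencode({"framework": framework, "app_id": app_id})
    return f"{base_url.rstrip('/')}/api/compliance/export?{query}"


def http_fetch(url: str, token: str) -> bytes:
    # Assumed: bearer-token auth. Check the Observatory API reference for the real scheme.
    req = urllib.request.Request(url, method="POST",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=60) as resp:
        return resp.read()


def check_audit_pack(zip_bytes: bytes) -> Dict[str, object]:
    """Report which mapped subcategories have no evidence file in the pack."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        score = json.loads(zf.read("score.json"))  # assumed file name
    missing = []
    for sid in subcategory_ids():
        prefix = f"{sid}/"
        # A bare directory entry is not evidence; require at least one file under it.
        if not any(n.startswith(prefix) and not n.endswith("/") for n in names):
            missing.append(sid)
    return {
        "score": score.get("score"),
        "missing": missing,
        "missing_manual": sorted(s for s in missing if s in MANUAL_EVIDENCE),
        "complete": not missing,
    }


def fetch_and_check(base_url: str, app_id: str,
                    fetch: Callable[[str], bytes]) -> Dict[str, object]:
    return check_audit_pack(fetch(export_url(base_url, app_id)))


def build_sample_pack(missing: Iterable[str] = ()) -> bytes:
    """Constructed sample ZIP in the assumed layout, for offline runs."""
    missing = set(missing)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("score.json", json.dumps({"framework": "nist-ai-rmf", "score": 81}))
        for sid in subcategory_ids():
            if sid in missing:
                zf.writestr(f"{sid}/", "")  # directory only, nothing uploaded
            else:
                zf.writestr(f"{sid}/evidence.json", json.dumps({"subcategory": sid}))
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Offline demo: two manual-evidence items were never uploaded.
    result = check_audit_pack(build_sample_pack(missing={"govern-4.1", "map-1.2"}))
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["complete"] else 1)
```

Against a live deployment, call `fetch_and_check(base, app_id, lambda u: http_fetch(u, token))`; the non-zero exit when `complete` is false makes the script usable as a gate in a release pipeline.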

***

## Related resources

<CardGroup cols={2}>
  <Card title="EU AI Act" icon="building" href="./eu-ai-act">
    Sister framework with significant overlap.
  </Card>

  <Card title="Risk Dashboard" icon="triangle-exclamation" href="../governance/risk-dashboard">
    Where Manage 1.1 (prioritise risks) is operationalised.
  </Card>
</CardGroup>
