The NIST AI Risk Management Framework (AI RMF 1.0) was published in January 2023. Unlike compliance frameworks that describe outcomes you must achieve, the AI RMF describes practices you should implement — organized around four core functions: GOVERN, MAP, MEASURE, and MANAGE. It is voluntary, but it is rapidly becoming the de facto standard for enterprise AI risk programs.
The Four Functions
GOVERN
Establish policies, accountability structures, and culture for AI risk management. For an API team: document who is responsible for AI system security decisions, establish a review process for new AI integrations, and define your risk tolerance for different AI use cases. GOVERN is mostly process and policy work, not technical implementation.
MAP
Categorise your AI systems by risk level and understand the context in which they operate. For API teams: inventory all API endpoints that involve AI model calls, classify them by use case (decision-making, content generation, classification), and identify which user populations they affect.
MEASURE
Establish metrics and testing to quantify AI risks. For API teams: measure false positive and false negative rates in AI-based security decisions, measure prompt injection attempt rates, track model behaviour drift over time, and test against adversarial inputs on a regular schedule.
MANAGE
Implement controls to address identified risks. For API teams: deploy input validation and output constraints, implement human review workflows for high-stakes AI decisions, establish incident response procedures for AI-specific failures, and maintain rollback capability to previous model versions.
The Controls That Map to API Security
- ▸MEASURE 2.5: Evaluate AI systems for robustness to adversarial inputs — maps to prompt injection testing
- ▸MANAGE 2.2: Establish incident response for AI failures — maps to anomaly alerting and circuit breakers
- ▸GOVERN 4.1: Ensure transparency about AI system behaviour — maps to audit logging and explainability
- ▸MAP 5.1: Identify trustworthiness characteristics — maps to output validation and hallucination detection
G8KEPR's compliance module maps its controls to NIST AI RMF sub-categories, generating evidence that MEASURE and MANAGE functions are operating. This accelerates the documentation phase of an AI RMF implementation significantly.
Related reading
ISO 42001: The AI Management System Standard Every Enterprise Will Need
ISO 42001 and NIST AI RMF are complementary — this explains where they overlap and which to start with if you need both.
Related reading
SOC 2 Type II Prep: The Controls That Actually Matter
If you are on the NIST AI RMF path, SOC 2 Type II is likely part of the same compliance initiative.
Map your AI controls to NIST AI RMF automatically
G8KEPR generates evidence for GOVERN, MAP, MEASURE, and MANAGE functions from live platform data — cutting compliance documentation from weeks to hours.
See compliance features