
NIST AI RMF: A 2026 Implementation Guide for Boards and Operators

NIST AI RMF in plain English for executives, board members, and industry leaders. What it is, why it matters to your company, and how to get a defensible p

By Matthew Bertram · President of ModalPoint, CEO of EWR Digital · 2026

If your company uses AI to screen job candidates, score sales leads, recommend products to customers, or make decisions about pricing, hiring, or safety, the rules of the road just changed. The NIST AI Risk Management Framework, usually shortened to NIST AI RMF, is now the standard your board, your insurance carrier, and any future plaintiff’s lawyer will measure you against.

Most executives have heard the phrase. Few know what it actually means or what to do about it. This guide is for executives, owners, and board members who are AI-curious but have not been living inside this material. No jargon you cannot pick up on first read. Examples from real industries, not abstractions.

First, the basics: what NIST is and what NIST AI RMF actually is

NIST stands for the National Institute of Standards and Technology. It is a U.S. federal agency. NIST is the agency that sets the standard for things like the inch, the second, and how strong concrete has to be for highway bridges. They are the rule-of-thumb keepers.

NIST AI RMF is the rule-of-thumb document NIST published for managing the risks that AI creates. RMF stands for Risk Management Framework. It is a guidebook, not a law. Following it is technically voluntary. But here is the part that matters: voluntary in this context means the same thing it means with NIST cybersecurity standards. Your insurance carrier expects it. Federal contracts reference it. Texas and other states are writing it into their AI laws (more on that below). And if your AI system causes harm and you end up in court, the plaintiff’s lawyer will hold up NIST AI RMF as the standard you should have followed.

So treating it as voluntary is a choice. Most executives, once they understand the picture, decide to treat it as the working standard.

Why your company should care, with examples

Three quick examples of what is actually at stake. Pick the one closest to your business.

The manufacturer using AI to screen job applicants

A mid-sized manufacturer turns on the AI hiring filter built into their ATS (the software they use to track applicants). It is a feature they paid for. The AI scores applicants and ranks them. Six months later, an applicant files a discrimination claim. The applicant alleges the AI screened her out because of factors that look neutral but disproportionately affect protected groups.

The court asks the manufacturer: what was the AI doing, who reviewed its decisions, what were you measuring, what changed when the model was updated by the vendor? If the answer is “we just turned it on and trusted it,” that is the moment NIST AI RMF starts to matter. The framework is what would have produced the documents the manufacturer needed.

The medical practice using AI for patient communication

A medical group adds an AI-powered patient-communication tool that drafts replies to patient messages in the portal. A doctor reviews and sends. After a year, a patient sues, alleging the AI’s draft missed a symptom that should have triggered an urgent referral. The practice did not know the AI vendor had quietly updated the model six weeks earlier with different training data.

The plaintiff’s expert witness produces NIST AI RMF and walks the jury through what the practice should have been doing: tracking the AI in an inventory, knowing when the model changed, monitoring its outputs against quality metrics, having a documented human-review checkpoint. Following NIST AI RMF would not eliminate the lawsuit. It would change the outcome.

The energy operator using AI in predictive maintenance

An oil and gas operator runs predictive maintenance AI on critical compressors. The AI fails to flag a degrading bearing. The compressor fails. There is an environmental release. The state regulator asks how the AI was validated, who reviewed its alerts, and how often the model was retested against new data. Without NIST AI RMF documentation, the answers are anecdotal. With it, the answers are dated, signed, and on file.

The pattern is the same across industries: AI is making consequential decisions, the company has not documented how it does that, and the moment something goes wrong the gap becomes the problem.

The four things NIST AI RMF asks you to do (in plain English)

The framework organizes the work into four functions. NIST gave them all-caps names: GOVERN, MAP, MEASURE, and MANAGE. The names are not what matters. What they ask you to do is what matters.

1. Decide who is in charge of AI at your company (GOVERN)

Name a senior person responsible for AI risk. Write down a one-page AI policy. Decide how often the board or owner gets a report on it. This is the part most companies skip and most boards regret skipping.

2. Make a list of every AI system you actually use (MAP)

This sounds easy. It is not. Most companies have AI in their CRM, their HR software, their cybersecurity tools, their marketing automation, their accounting software, and they do not know it. The vendor turned it on. Someone clicked yes to a feature. It is now an AI system you are responsible for. The first job is to find all of them and write them down. Once you have the list, you have a starting point.

3. Decide how you will know if the AI is working right (MEASURE)

For each AI system, define what “working right” looks like and check it. The check might be quarterly. It might be continuous. It depends on what the AI is doing. A hiring filter needs different checks than a maintenance algorithm. The point is that someone is checking, and there is a record of the check.

4. Have a plan for when something goes wrong (MANAGE)

If the AI starts making bad decisions, what do you do? Who do you tell? How do you turn it off? Most companies have IT incident plans. Few have AI incident plans. They are not the same. AI fails in different ways than servers fail.

That is the whole framework, in plain English. Most of the work is doing the boring documentation. The boring documentation is what stands up in court, in front of regulators, and in board meetings.

A short note on speaking events

If you sit on a board, run an industry association, or chair a program committee for an executive event, your members are exactly the audience that needs this material. Not a deep-technical audience. A practical, AI-curious audience that wants to know what is coming at them and what to do about it.

I work with C&I companies, medical groups, and energy operators on this. I also speak at industry events about it, in plain English, with real examples. If that fits an upcoming event you are programming, here is the speaking page. Back to the framework.

If you are starting from zero, here is the first 90 days

Most companies do not need to do everything at once. Most companies need to do the right first thing.

  • Days 1 to 30: Find the AI. Walk through every department. Ask: what software do you use, what does it do automatically, did the vendor turn on any AI features? Write it all down. You will be surprised by the list.
  • Days 30 to 60: Sort the list. Group the AI by what it affects. AI that affects a person (hiring, customer pricing, credit, healthcare) is the highest priority. AI that affects an internal process (predicting which inventory will sell, anomaly detection in financial reports) is medium. AI that just helps employees do their job (writing assistant, search) is lower.
  • Days 60 to 90: Document the highest priority. For each high-priority AI system, write a one-pager: what it does, who decides to use it, what happens if it fails, who reviews its outputs. That one-pager is your starting compliance artifact.

That gets you 80 percent of the way to a defensible NIST AI RMF posture. Companies that do those three steps are dramatically better positioned than companies that have not.

If you are on a board, here is what you should be asking

Boards have three jobs under any working AI governance regime: oversight (was a framework adopted), assurance (is it actually being followed), and disclosure (does our public reporting reflect it). Most boards in 2026 have done some of the first one and none of the other two.

Three questions to ask at your next board meeting:

  • Do we have a complete inventory of every AI system in our company, including the AI features inside our vendor software? When can we see it?
  • Who is the named senior executive responsible for AI risk? When did they last brief the board?
  • If we got a regulatory inquiry tomorrow asking us to produce our AI governance documentation, what would we send them?

If the answers are uncomfortable, that is the conversation you needed to have. Better now than after an incident.

For the technical reader: the formal framework

Primary sources: the official NIST AI Risk Management Framework (NIST.gov) and the Critical Infrastructure Profile concept note (April 7, 2026).

The next sections cover the formal NIST AI RMF taxonomy for readers who want the technical layer: the four functions in their original definitions, the Critical Infrastructure Profile process, the federal civil rights statutes that already attach strict liability, and how the framework maps to the broader 2026 governance environment. Skip ahead if that is not of interest to you.

The four functions, formally

GOVERN establishes policies, decision rights, accountability structures, and risk appetite. It is the function that produces the artifacts boards and audit committees review. GOVERN failures show up as: no documented AI policy, no named AI risk owner at the executive level, no board reporting cadence, no documented risk appetite.

MAP establishes inventory and context. What AI systems exist, where, used by whom, for what decision, with what input data, with what downstream effect. This is the function most operators have not operationalized. If you cannot answer “how many AI systems are in production at our company today” in a single number with provenance, MAP is not yet operational.

MEASURE establishes the technical and process controls for evaluating each AI system against its intended use. Pre-deployment validation, runtime monitoring, drift detection, fairness testing, robustness testing, security testing. Metrics differ by system type and risk tier; the discipline does not.
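What a MEASURE control looks like once it is written down is easier to see in code than in prose. The following is an added illustration, not NIST text and not code from the author's practice. It takes the hiring-filter scenario from earlier in the guide and runs two of the checks the paragraph names: a fairness test using the four-fifths rule (the conventional disparate-impact screen, which flags a selection-rate ratio below 0.8 between the lowest- and highest-rate groups) and a drift check that compares selection rates before and after a vendor model update. The applicant counts, the group labels, and the 10-point drift tolerance are all constructed for the example; the function names are mine.

```python
"""MEASURE in practice: adverse-impact and drift checks for a hiring filter.

Added example using constructed data; not NIST guidance and not a real
system's numbers. The four-fifths threshold is the usual disparate-impact
rule of thumb; the drift tolerance is an assumed policy setting.
"""
from dataclasses import dataclass

FOUR_FIFTHS = 0.8  # ratio of lowest to highest selection rate that triggers review


@dataclass(frozen=True)
class Outcome:
    """One screened applicant: which group they belong to and whether the
    filter passed them through to a human reviewer."""
    group: str
    selected: bool


def make_window(counts):
    """Expand {group: (applicants, selected)} into Outcome records.
    Constructed data standing in for one monitoring window."""
    records = []
    for group, (applicants, selected) in counts.items():
        records.extend(Outcome(group, i < selected) for i in range(applicants))
    return records


def selection_rates(records):
    """Share of applicants in each group that the filter selected."""
    totals, selected = {}, {}
    for r in records:
        totals[r.group] = totals.get(r.group, 0) + 1
        selected[r.group] = selected.get(r.group, 0) + int(r.selected)
    return {g: selected[g] / totals[g] for g in totals}


def adverse_impact_ratio(rates):
    """Lowest group selection rate divided by the highest. If no one was
    selected at all there is no disparity to report, so return 1.0."""
    if not rates:
        raise ValueError("no selection rates to compare")
    highest = max(rates.values())
    return 1.0 if highest == 0 else min(rates.values()) / highest


def rate_drift(baseline_rates, current_rates):
    """Per-group change in selection rate since the baseline window."""
    return {g: current_rates[g] - baseline_rates[g]
            for g in current_rates if g in baseline_rates}


def measure_check(baseline, current, drift_tolerance=0.10):
    """Run the fairness and drift checks for one window and say whether the
    result should be handed to the MANAGE function (incident handling)."""
    base_rates = selection_rates(baseline)
    cur_rates = selection_rates(current)
    ratio = adverse_impact_ratio(cur_rates)
    drift = rate_drift(base_rates, cur_rates)

    findings = []
    if ratio < FOUR_FIFTHS:
        findings.append(f"adverse impact ratio {ratio:.2f} is below {FOUR_FIFTHS}")
    for group, delta in drift.items():
        if abs(delta) > drift_tolerance:
            findings.append(f"selection rate for {group} moved {delta:+.2f} since baseline")

    return {
        "selection_rates": cur_rates,
        "adverse_impact_ratio": ratio,
        "drift": drift,
        "findings": findings,
        "escalate_to_manage": bool(findings),
    }


# Constructed windows: before and after an (assumed) vendor model update.
BASELINE = make_window({"group_a": (100, 50), "group_b": (100, 45)})
AFTER_UPDATE = make_window({"group_a": (100, 50), "group_b": (100, 30)})

if __name__ == "__main__":
    report = measure_check(BASELINE, AFTER_UPDATE)
    for line in report["findings"]:
        print("FINDING:", line)
    print("escalate to MANAGE:", report["escalate_to_manage"])
```

The point of the record returned by `measure_check` is that it is dated evidence: run it on a schedule, store the result next to the inventory entry for the system, and the "who reviewed it, what changed when the vendor updated the model" questions from the hiring example have a written answer. In the constructed data the post-update window fails both checks, which is exactly the hand-off from MEASURE to MANAGE the next section describes.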

MANAGE establishes response protocols when MEASURE produces a problem. Incident response, model retirement, rollback procedures, customer notification, regulatory disclosure, post-incident review. Most operators have an IT incident response plan. AI incident response is not the same.

The Critical Infrastructure Profile (in active development)

NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure on April 7, 2026. The Profile is in active development, not yet finalized. NIST has invited industry participation in the development process through a mailing list and a Slack channel, open to participants from across the critical infrastructure ecosystem.

The Profile, when complete, will provide guidance for AI risk management across the 16 critical infrastructure sectors: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government services and facilities, healthcare and public health, information technology, nuclear reactors and waste, transportation systems, and water and wastewater systems.

If you operate in any of those sectors, the Profile development process is one of the most consequential federal AI-policy efforts of the next 24 months. Operators who track and contribute to the Profile work early will have a clearer path through the regulatory cycle that follows. Participation costs staff time. Visibility is the value.

Federal civil rights statutes already in scope

Title VII (employment), the Equal Credit Opportunity Act (lending), and the Fair Housing Act all impose disparate-impact liability that does not require proof of discriminatory intent. AI-driven adverse decisions in any of those domains are already actionable today, with NIST AI RMF cited in agency guidance and emerging case law as the reference standard of care. The federal disparate-impact framing is independent of (and in some respects broader than) state intent-based AI laws like TRAIGA in Texas. “We delegated this to the CEO” is not a defense if GOVERN artifacts do not exist.

How NIST AI RMF fits inside the 2026 governance environment

NIST AI RMF is one of four anchor standards capital-intensive and regulated-industry operators are working through in 2026: NIST AI RMF (federal voluntary), ISO 42001 (international management standard, certifiable), the EU AI Act (statute, where applicable), and a growing patchwork of state laws including Texas TRAIGA and Colorado’s AI Act, with similar bills moving in California, New York, and others. The four overlap. None substitutes for any other.

For the broader four-standard treatment, see the 2026 AI Governance Framework implementation guide. For the Texas-specific picture, see the practical TRAIGA guide. For U.S. companies with EU exposure, see EU AI Act: What U.S. Businesses Actually Need to Know in 2026. For the externally-facing dimension of governance, see AI Governance vs AI Visibility: A Two-Layer Control System.

Want this presented at your next board meeting or industry event?

This material lands well in front of an AI-curious audience that wants the practical version, not the academic version. Boards. Executive offsites. Industry association keynotes. Sales-leadership summits. Medical group leadership meetings. C&I trade groups.

The talk is plain English. It uses your industry’s examples. It leaves the audience with one clear next step, not a binder.

  • For board briefings and keynotes: matthewbertram.com/speaking/
  • For introductions or panel inquiries: matthewbertram.com/contact/
  • For the AI visibility audit (the related question of how AI engines describe your company): matthewbertram.com/ai-visibility-audit/

Matt Bertram is the founder of EWR Digital (Houston), president of ModalPoint (an AI governance advisory holding the DIG framework), a member of the NIST AI Safety Institute Consortium (Cyber AI Profile and Zero Trust Communities of Interest), an IAPP member and AIGP candidate (see recent thought leadership), a Goldman Sachs 10,000 Small Businesses graduate (Houston Cohort, April 2026), and the moderator of record on the Ericsson Enterprise Wireless AI panel at the Offshore Technology Conference 2026 with co-panelists from Bechtel and Rockwell Automation. Texas A&M, Class of 2006.

This guide describes NIST AI RMF as published, with the Critical Infrastructure Profile in active development as of mid-2026. Statutory and regulatory text is the controlling authority; nothing on this page is legal advice. Companies should consult qualified counsel for any specific compliance question.

NIST AI RMF’s MANAGE function expects ongoing risk monitoring and incident response. For the runtime discipline that makes that operational rather than aspirational, see Decision Integrity as the runtime substrate for the MANAGE function.
