NIST AI RMF Compliance. Delivered.
NIST AI RMF 1.0 (AI 100-1) · GenAI Profile (AI 600-1)
The US standard for trustworthy AI risk management. 72 subcategories across 4 core functions, 7 trustworthiness characteristics, plus the GenAI Profile (NIST AI 600-1). Norivo delivers full NIST AI RMF alignment, including Colorado AI Act safe harbour readiness.
- Colorado AI Act safe harbour alignment
- GenAI Profile (NIST AI 600-1) built in
- Cross-maps to EU AI Act and ISO 42001
- Per-AI-system risk assessments
Why NIST AI RMF Matters Now
Three forces are turning NIST AI RMF from an optional best-practice into a competitive requirement.
Colorado AI Act safe harbour
SB 205 (effective June 2026) explicitly cites NIST AI RMF compliance as an affirmative defence against enforcement actions carrying penalties of up to $20,000 per violation.
Federal procurement alignment
US federal agencies are adopting NIST AI RMF as the mandatory baseline for AI systems sold into government markets.
Enterprise vendor requirements
Enterprise procurement increasingly requires AI RMF alignment in vendor questionnaires and security reviews.
The NIST AI RMF 1.0, published January 2023, has become the de facto AI governance standard in the United States. With 135 state AI laws passed in 2024 and the Colorado AI Act explicitly citing it for safe harbour, implementing NIST AI RMF is no longer optional for organisations deploying AI in regulated markets.
Four Functions. One Platform.
Every NIST AI RMF subcategory lives inside one of the four core functions. Norivo gives you a workspace for each.
GOVERN
19 subcategories
Establish AI governance culture, policies, accountability structures, and third-party oversight.
In Norivo: We document policies, assign RACI, build training records, inventory third-party AI, and capture DEIA integration evidence.
MAP
18 subcategories
Understand context, categorise AI systems, identify risks, and characterise impacts before deployment decisions are made.
In Norivo: We produce per-system context documentation, run risk tiering, conduct impact assessments, and define go/no-go gates, all linked to your AI System Registry.
MEASURE
22 subcategories
Evaluate AI systems against the 7 trustworthiness characteristics. Test for bias, safety, security, explainability, and privacy.
In Norivo: We deliver the trustworthiness coverage radar, the gap analysis, and the evidence-linked evaluations. You receive a quantified picture of where each system stands.
MANAGE
13 subcategories
Prioritise risks, implement treatments, manage third-party AI risks, and maintain incident response capabilities.
In Norivo: We track risk treatments, maintain the residual risk register, monitor third-party AI, document incident response, and define kill-switch procedures.
Generative AI? There's a Profile for That.
NIST AI 600-1 (July 2024) identifies 12 risks unique to generative AI. Norivo layers these directly into your NIST AI RMF workspace. No separate module required.
1. CBRN Information
2. Confabulation
3. Dangerous Content
4. Data Privacy
5. Environmental Impact
6. Harmful Bias
7. Homogenisation
8. Information Integrity
9. Information Security
10. Intellectual Property
11. Obscene Content
12. Value Chain
Each risk category maps to specific NIST AI RMF subcategories. When you flag an AI system as generative, Norivo automatically surfaces the relevant GenAI risks and suggested actions alongside your existing subcategory tracking.
Track Coverage Across All 7 Trustworthiness Characteristics
Every NIST AI RMF subcategory maps to one or more of the seven characteristics of trustworthy AI. Norivo calculates your coverage per characteristic, so you can see exactly where your AI systems are trustworthy and where the gaps are.
- Valid & Reliable
- Safe
- Secure & Resilient
- Explainable & Interpretable
- Privacy-Enhanced
- Fair with Bias Managed
- Accountable & Transparent
Example system card: Customer Support Bot (NLP / Generative AI · High Risk · GenAI ✓), showing per-function scores of GOVERN 72%, MAP 65%, MEASURE 61%, MANAGE 70%, with its priority subcategories listed beneath.
Assess Risk Per AI System, Not Just at Programme Level
Most frameworks treat AI governance as a one-size-fits-all programme. But your customer support chatbot has different risks than your fraud detection model.
Norivo links each AI system from your registry to NIST AI RMF and generates system-specific:
- Priority subcategories based on risk tier and system type
- GenAI risk profiles for generative AI systems
- Per-system function scores
- Smart evidence suggestions from your existing library
One Platform. Every AI Framework.
NIST AI RMF doesn't exist in isolation. Norivo maps every subcategory to its equivalent controls in other frameworks you're already tracking.
- EU AI Act: 28 mappings. Direct article-level mappings to GOVERN, MAP, MEASURE, MANAGE.
- ISO/IEC 42001: 35 mappings. Annex A control and clause coverage across the AIMS lifecycle.
- ISO 27001: 18 mappings. Information security overlap: access, secure development, incident response.
- SOC 2: 12 mappings. Trust Service Criteria mappings: common controls reused directly.
Evidence uploaded for one framework is automatically suggested for mapped controls in another. Implement once, comply everywhere.
Know Where You Stand. Know What's Next.
Norivo's 5-level maturity model gives you a clear progression path, not just a compliance checklist.
- Level 0: Initial. Ad hoc, reactive AI risk management.
- Level 1: Developing. Processes emerging but inconsistent.
- Level 2: Defined. Documented and standardised processes.
- Level 3: Managed. Measured, controlled, integrated.
- Level 4: Optimising. Continuous improvement embedded.
Your maturity level updates in real time as you implement subcategories, link evidence, and assess AI systems. Each level has clear requirements for advancement.
Everything You Need to Operationalise NIST AI RMF
- 72 Subcategories: tracked across 4 functions and 19 categories
- GenAI Profile: NIST AI 600-1 built into the workspace
- Per-System Scoring: assessments linked to your AI System Registry
- Trustworthiness Radar: coverage across all 7 characteristics
- Cross-Framework Mapping: EU AI Act, ISO 42001, ISO 27001, SOC 2
- Evidence Reuse: smart suggestions across frameworks
- Maturity Model: 5-level progression with clear gates
- Auditor Portal + PDFs: read-only views and downloadable reports
Colorado AI Act Safe Harbour
The Colorado AI Act (SB 205), effective June 2026, explicitly cites NIST AI RMF compliance as an affirmative defence. Organisations that demonstrate alignment may qualify for safe harbour protections against enforcement actions carrying penalties of up to $20,000 per violation.
Norivo generates the assessment reports, evidence packages, and trustworthiness evaluations needed to demonstrate NIST AI RMF alignment to regulators and auditors.
Read our Colorado AI Act guide
How We Deliver NIST AI RMF
Four phases, end-to-end. Your team approves the work; ours does it.
1. Inventory and Map to the 4 Functions
Our team catalogues every AI system in your organisation and maps each one across GOVERN, MAP, MEASURE, and MANAGE, including the GenAI Profile where it applies.
2. Implement All 72 Subcategories
Our specialists implement every relevant subcategory and collect the supporting evidence. Implementation status is tracked live in your workspace.
3. Generate Trustworthiness Coverage and Evidence Packages
We produce the trustworthiness coverage reports across all 7 characteristics, the per-system scoring, and the evidence packages, ready for auditors or regulators.
4. Monitor Continuously and Update for Regulatory Changes
We monitor your portfolio continuously and respond to drift within your SLA. When new guidance drops (Colorado AI Act, federal procurement, NIST updates), we assess the impact and update your programme.
Book a Scoping Call
NIST AI RMF compliance delivered as a managed service: all 72 subcategories, the GenAI Profile, and Colorado AI Act safe harbour readiness. Audit-ready in 30 days.