NIST AI Risk Management Framework (AI RMF 1.0)
Effective date
Penalty
NIST AI RMF is voluntary. Alignment may support an affirmative defense or safe-harbor style argument under state AI frameworks that reference NIST practices.
Obligations mapped
4 obligations
Overview
NIST AI RMF is a voluntary framework used as a practical benchmark by regulators and lawmakers. NIST released AI RMF 2.0 in February 2024, building on early adoption experiences and adapting to generative AI paradigms. Companion documents include the AI RMF Playbook and the Generative AI Profile (NIST AI 600-1); both were developed under EO 14110 and persist as voluntary frameworks even though EO 14110 was revoked. State laws that reference NIST as a safe harbor or affirmative defense include Texas TRAIGA (HB 149), Tennessee TIPA, and the Montana Right to Compute Act (SB 212). Colorado SB24-205 NIST-aligned controls remain useful as historical and reusable governance evidence after SB26-189, but they should not be described as the current Colorado ADMT minimum-law safe harbor without legal review. Alignment with NIST AI RMF increasingly affects legal exposure under these state laws.
This is a voluntary or non-binding framework or standard.
Who this applies to
This regulation applies to the following roles:
- Developers of covered AI systems
- Deployers and users of covered AI systems
Jurisdiction: United States federal law
This regulation applies to both companies that build AI products and companies that use AI tools from other vendors.
Section 5.1, Table 1 (categories GOVERN 1 through GOVERN 6; 19 subcategories) · Section 5.2, Table 2 (categories MAP 1 through MAP 5; 18 subcategories) and related sections
AI categories covered
- Employment and hiring
- Consumer-facing AI
- Healthcare AI
- Financial services AI
- Insurance
Specific AI use cases:
- Resume screening and ranking
- Credit scoring and risk assessment
- Insurance underwriting
What this requires you to do
4 obligations identified from statutory analysis:
- Section 5.1, Table 1 (categories GOVERN 1 through GOVERN 6; 19 subcategories)
- Section 5.2, Table 2 (categories MAP 1 through MAP 5; 18 subcategories)
- Section 5.3, Table 3 (categories MEASURE 1 through MEASURE 4; 22 subcategories)
- Section 5.4, Table 4 (categories MANAGE 1 through MANAGE 4; 13 subcategories)
Regulation summaries are simplified for readability and may not capture every nuance of the underlying statute. Verify important details against primary sources linked on this page.
Enforcement and penalties
NIST AI RMF is voluntary. Alignment may support an affirmative defense or safe-harbor style argument under state AI frameworks that reference NIST practices.
Penalty amounts are based on statutory text and may be subject to adjustment, judicial interpretation, or enforcement discretion.
Related regulations
- In Effect · Federal
Executive Order 14110 on AI (Revoked)
Established federal policy priorities for AI safety, security, and rights protections across agencies. Directed agencies to issue additional standards, procurement rules, and risk controls. Revoked by Executive Order 14148 on January 20, 2025. Listed for historical reference. Key provisions revoked include NIST AI safety testing requirements, reporting requirements for dual-use foundation models, and watermarking mandates. However, NIST work products developed under EO 14110 (AI RMF, GenAI Profile) persist as voluntary frameworks.
- In Effect · AI-Specific
California Transparency in Frontier AI Act (SB 53)
Requires developers of frontier AI models trained above the statutory compute threshold (10^26 FLOPs) to publish safety frameworks, report critical safety incidents to the Office of Emergency Services, and implement whistleblower protections. Also reaches large frontier developers with annual revenues over $500 million. Replaces the vetoed SB 1047 with a narrower transparency approach. Currently applies to approximately five to eight companies worldwide given the FLOP threshold. Includes a federal deference provision: compliance with comparable federal standards, including the EU AI Act, is accepted where the statute allows.
- Upcoming · AI-Specific
Colorado ADMT / AI Act (SB 26-189)
Colorado SB 26-189 repeals and reenacts SB 24-205 into an automated decision-making technology (ADMT) framework for consequential decisions. Starting January 1, 2027, covered developers may need to provide deployers with technical documentation and material-update notices. Covered deployers may need point-of-interaction notices, post-adverse-outcome disclosures, data-access and correction processes, human-review and reconsideration workflows, and three-year compliance records. SB 24-205 risk-management, impact-assessment, and reasonable-care artifacts remain useful governance evidence, but they are historical or reusable controls rather than standalone current-law duties under the new Colorado framework.
- In Effect · AI-Specific
Texas TRAIGA (Responsible Artificial Intelligence Governance Act, HB 149)
Texas TRAIGA (HB 149) prohibits AI systems from intentionally manipulating behavior to cause harm, infringing constitutional rights, or discriminating against protected classes. Where applicable, government agencies may need to disclose AI interactions. Updates biometric consent for AI training data. Creates a regulatory sandbox program. AG exclusive enforcement with 60-day cure period. Intent-based liability standard (no disparate impact).
- In Effect · AI-Specific
Texas TRAIGA Biometric and AI Training Amendments (HB 149, 89th Legislature)
Amends the Texas Capture or Use of Biometric Identifier Act (CUBI) and related Business and Commerce Code provisions for biometric data used with AI. Relaxes CUBI for AI training with a carveout for publicly available data and adds anti-scraping consent requirements for biometric identifiers. Enforced under the same HB 149 TRAIGA framework as the core act: intent-based liability, 60-day cure, preemption of local AI rules, and the statutory penalties and safe harbors that apply to TRAIGA generally.
- In Effect · AI-Specific
Texas Government AI Ethics and Oversight (SB 1964)
Requires Texas state agencies and local governments to inventory AI systems, adopt an AI code of ethics aligned with NIST AI RMF, conduct impact assessments for AI that autonomously influences consequential decisions, and disclose AI use to affected individuals. Applies to government entities only, not the private sector.
- In Effect · AI-Specific
Maryland AI Governance Act of 2024 (SB 818)
Requires Maryland state agencies to inventory AI systems, conduct impact assessments, and follow DoIT policies for AI procurement and use. Applies to state government agencies only, not the private sector.
- In Effect · Federal
EEOC Guidance on AI in Employment Selection
EEOC technical assistance documents explain how existing Title VII and ADA obligations apply to AI and algorithmic employment tools. Not binding regulation, but signals enforcement priorities. Employers are liable for adverse impact from AI tools even when tools are designed by third-party vendors. Requires adverse impact analysis per UGESP four-fifths rule. ADA prohibits AI tools that screen out individuals with disabilities or make pre-offer disability inquiries.
- In Effect · Federal
FTC Enforcement Policy on AI and Algorithmic Fairness
FTC enforces Section 5 of the FTC Act against deceptive and unfair AI practices. Key areas: unsubstantiated AI marketing claims, AI products harmful to children, discriminatory AI outcomes, and deceptive AI-powered services. Operation AI Comply (September 2024) targeted five companies simultaneously. Algorithmic disgorgement remedy requires deletion of AI models trained on improperly collected data. Administration change in 2025 narrowed speculative risk enforcement but maintained fraud and misrepresentation focus.
- In Effect · Federal
Executive Order 14281: Restoring Equality of Opportunity and Meritocracy
Directs federal agencies to deprioritize disparate-impact enforcement across civil rights statutes (Title VII, Title VI, ECOA, Fair Housing Act). Affects AI-driven hiring, lending, housing, insurance decisions. AG directed to assess and potentially preempt state laws imposing disparate-impact liability (Section 7(a)). Companies remain exposed to private Title VII litigation and state AI laws (CO AI Act, IL HRA AI, NYC LL 144) that codify disparate-impact standards.
- In Effect · Federal
DOJ AI Litigation Task Force
Coordinates federal civil litigation strategy on AI-related matters across the Department of Justice. Executive orders cannot preempt state law. Only Congress or courts can do that. Task Force is authorized to file lawsuits challenging state laws but as of April 2026 has NOT filed any. Congress rejected federal preemption twice: Senate vote 99-1 in July 2025, preemption language also dropped from NDAA in December 2025.
- In Effect · Federal Guidance
SEC AI Guidance in Financial Services
SEC enforces existing fiduciary duties and disclosure requirements as applied to AI. Pursuing AI washing enforcement against companies overstating AI capabilities in securities filings. Proposed rule on predictive data analytics (2023-17958) unlikely to be finalized under current administration.