---
id: "framework-nist-ai-rmf"
type: "framework"
source_timestamps: ["§ Research, Methodology, and Findings"]
tags: ["risk-management", "governance", "standards"]
related: ["entity-nist"]
steps: ["Govern: Establish organizational policies and culture for AI risk management.", "Map: Contextualize and identify AI risks within specific deployments.", "Measure: Assess, analyze, and track identified AI risks.", "Manage: Prioritize and act upon AI risks to mitigate impact."]
source_title: "Research: Conventional Cybersecurity Won't Protect Your AI"
source_url: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sources: ["tail2"]
sourceVaultSlug: "hbr-seg-tail2"
originDay: 2
articleStem: "hbr-tail-128-cybersecurity-wont-protect-ai"
sourceUrl: "https://hbr.org/2026/01/ts-research-conventional-cybersecurity-wont-protect-your-ai"
sourceTitle: "Research: Conventional Cybersecurity Won’t Protect Your AI"
---
# NIST AI Risk Management Framework (AI RMF)

The **NIST AI Risk Management Framework (AI RMF)**, authored by [[entity-nist-d2]], is the practical playbook the researchers used to structure their findings and translate complexity into actionable insight for executives. It provides a systematic approach to reducing AI vulnerabilities through four core functions:

1. **Govern** — Establish organizational policies and culture for AI risk management.
2. **Map** — Contextualize and identify AI risks within specific deployments.
3. **Measure** — Assess, analyze, and track identified AI risks.
4. **Manage** — Prioritize and act upon AI risks to mitigate impact.

The article's own recommendations — the [[framework-four-imperatives-ai-security|Four Imperatives]] — can be read as a domain-specific instantiation of this Govern–Map–Measure–Manage loop for the AI infrastructure and supply-chain layer.

**Enrichment grounding.** The description of the four functions is accurate to NIST's published AI RMF. The claim that the authors used it to organize their findings is internal to the article but fully consistent with how the RMF is designed to be applied. An expert would also situate the RMF alongside adjacent governance regimes such as the EU AI Act and sector-specific regulator guidance on AI risk and data protection.
