NIST's AI Risk Management Framework: America's voluntary standard, and how 2026 turns it into security controls

Where the European Union legislates AI through a binding regulation with fines, the United States has, so far, set its federal direction through a document no company is obliged to follow. The AI Risk Management Framework of the National Institute of Standards and Technology (NIST) is voluntary by design. Yet it has become the closest thing the United States has to a national AI standard, and the reference that American customers invoke the way European customers invoke the AI Act. For an organisation outside the United States, it is worth understanding for a simple reason: the suppliers you depend on increasingly describe their AI governance in its vocabulary — and in 2026 that vocabulary is hardening into something far more concrete than principles.

What the framework is

NIST released AI RMF 1.0 on 26 January 2023, "intended for voluntary use." It is not a checklist of obligations but a structure for managing the risks of an AI system across its lifecycle, organised around four functions:

• Govern — building a culture of risk management: policies, accountability, roles.
• Map — establishing the context and identifying risks of a given system.
• Measure — analysing, assessing and tracking those risks with metrics.
• Manage — prioritising and acting on risks, including response and recovery.

The framework was deliberately built to "align with and support" the risk-management work of others, which is why it sits naturally beside the certifiable ISO/IEC 42001 management-system standard and the OECD principles. On 26 July 2024 NIST added the Generative AI Profile (NIST-AI-600-1), a companion that maps the four functions onto the specific risks of generative systems — the first sign that the abstract framework would be pulled toward concrete technologies.

2026: from principles to controls

The defining shift of 2026 is that NIST is translating a framework written in the language of governance into one written in the language of security controls. Through its Control Overlays for Securing AI Systems (COSAiS) project, NIST is developing overlays on top of its long-established SP 800-53 security-control catalogue — the same catalogue that underpins federal information-security compliance — tailored to AI systems and their components (training data, model weights, configuration).

COSAiS is notable for how it carves up the field. It defines five use cases, each to receive its own overlay: generative AI (LLM assistants), predictive AI, single-agent systems, multi-agent systems, and security controls for AI developers. The explicit inclusion of agentic systems — single and multi-agent — is a signal of where NIST expects the security risk to concentrate next. The first annotated outline (a discussion draft), covering "Using and Fine-Tuning Predictive AI," was released on 8 January 2026 ahead of a Cyber AI Profile workshop on 14 January, with initial feedback invited by 13 February 2026.

Two further 2026 developments round out the picture. On 7 April 2026 NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, aimed at operators weighing AI-enabled capabilities in sectors where failure is least tolerable. And the foundational framework itself is no longer static: NIST states that AI RMF 1.0 is being revised, the first revision since 2023.

Why a voluntary framework still binds in practice

"Voluntary" understates the framework's reach. Three mechanisms give it force without a statute. First, procurement: US federal agencies and their contractors lean on NIST guidance, and SP 800-53 conformity is already a condition of doing business with the government — so an AI overlay on that catalogue inherits real leverage. Second, supply-chain due diligence: when a frontier developer publishes the safety framework that California's SB 53 and New York's RAISE Act now require, it describes how it "incorporates national and international standards" — and NIST is the national standard it means. Third, convergence: the framework is the operational layer that the EU's GPAI regime and the harmonised standards process quietly rely on, because no one is writing the measurement methods twice.

What it means beyond the United States

For a European or other non-US organisation, the practical reading is that the American "voluntary" track is becoming an operational baseline it will encounter through its suppliers, not its statute book. A vendor that maps its controls to the COSAiS overlays is making a claim a buyer can test; an agentic-AI provider that cannot point to the multi-agent overlay is making an omission a buyer can notice. This is the same pattern traced in our analysis of international AI governance: the AI Act supplies the binding obligation, while NIST and ISO supply the method — and in 2026 the method is being written down in far more detail than the year before.