
NIST AI RMF: Building Trustworthy AI (and How It Maps to the AI Act)

12 June 2026 · 9 min read · Caner Korkut

The NIST AI Risk Management Framework (AI RMF 1.0), released in January 2023, is the practical counterpart to the EU AI Act. The AI Act tells you what the law requires; the AI RMF gives you a voluntary, vendor-neutral method to actually build and operate trustworthy AI. For Belgian organisations, running the two together is powerful: use the RMF as your operating manual, and it produces much of the evidence the AI Act expects.

TL;DR

  • Four functions: Govern, Map, Measure, Manage — Govern runs across all three others.
  • Anchored in seven trustworthy-AI characteristics (valid, safe, secure, accountable, explainable, privacy-enhanced, fair).
  • The Generative AI Profile (NIST AI 600-1, July 2024) adds 12 GenAI-specific risks.
  • It is voluntary — but maps directly onto AI Act risk-management duties.
  • Best used as the how-to beneath your AI Act and GDPR obligations.

The four functions

Function | What you do
Govern | Build the culture, policies, roles and accountability for AI risk. Cuts across the other three functions.
Map | Establish context: the system’s purpose, stakeholders, intended use and potential harms. Frame the risk before measuring it.
Measure | Assess, test and track risks with quantitative and qualitative methods — bias, robustness, security, drift.
Manage | Prioritise, treat and monitor risks over the lifecycle; allocate resources; respond when things change.

The seven characteristics of trustworthy AI

The framework defines trustworthiness through concrete properties an AI system should have: valid and reliable (the foundation), safe, secure and resilient, accountable and transparent, explainable and interpretable, privacy-enhanced, and fair with harmful bias managed. These are deliberately the same concerns the AI Act encodes for high-risk systems — accuracy, robustness, transparency, human oversight, non-discrimination — which is why an RMF-built system is largely speaking the AI Act’s language already.

The Generative AI Profile

Because generative AI raises distinct risks, NIST published the Generative AI Profile (NIST AI 600-1) in July 2024. It identifies twelve risk categories specific to or amplified by GenAI — among them confabulation (“hallucination”), data-privacy degradation, harmful bias, information integrity, information security, intellectual-property exposure, and value-chain/component-integration risk — and maps suggested actions back to Govern/Map/Measure/Manage. If you deploy RAG or LLM systems, this profile is the most practical risk checklist available.

How it complements the EU AI Act

Dimension | EU AI Act | NIST AI RMF
Nature | Binding law (EU) | Voluntary framework (global)
Question answered | What must I comply with? | How do I operationally manage AI risk?
Risk management | Mandatory for high-risk systems | Map / Measure / Manage method
Governance | Provider/deployer duties | Govern function
GenAI | GPAI obligations | Generative AI Profile (600-1)

Neither replaces the other. The pragmatic move for a Belgian organisation is to adopt the RMF as the engine and treat the AI Act as the destination: govern, map, measure and manage your AI, and you will have built most of the documentation, oversight and risk evidence the law requires — while also reassuring customers far beyond the EU.

Getting started

  1. Govern first: assign AI-risk ownership and a lightweight policy — reuse your existing security governance.
  2. Map each AI use case: purpose, stakeholders, data, potential harms.
  3. Measure with proportionate tests — bias checks, red-teaming, security and robustness evaluation.
  4. Manage on a cycle, prioritising the highest-impact risks; for GenAI, work through the 600-1 categories.
  5. Cross-reference outputs to your AI Act and GDPR obligations so one effort serves all three.

General information, not legal advice. ICTLAB helps Belgian organisations operationalise AI risk management with the NIST AI RMF alongside the AI Act — see our AI & LLM services, the EU AI deployment checklist, or talk to our team.
