shadowiq
Regulation · NIST AI RMF 1.0 + AI 600-1

NIST AI RMF, operationalized.

The NIST AI RMF is voluntary, but federal contracts, insurance underwriters, and boards treat it as table stakes. ShadowIQ maps every function, category, and subcategory to a live control.

What this is

Summary

The NIST AI Risk Management Framework (AI RMF 1.0) and Generative AI Profile (NIST AI 600-1) provide voluntary guidance for AI risk management organized into four functions: Govern, Map, Measure, and Manage. ShadowIQ pre-maps every subcategory to operational controls with cryptographic evidence.

How it fits · explainer

The crosswalk: subcategory → control → signed evidence.

NIST AI RMF subcategory   Requirement                      ShadowIQ control               Signed evidence
GOVERN 1.2                Accountability structure         Registry ownership + RBAC      Signed ownership records
MAP 2.3                   Categorize AI system             Registry classification        Signed categorization
MEASURE 2.7               AI system evaluated              Continuous evaluation engine   Signed eval runs
MEASURE 2.8               Risks / impacts documented       Risk register · live           Signed risk delta records
MANAGE 2.2                Risk mitigation in deployment    Gateway policy enforcement     Signed decision ledger

Crosswalk · 5 shown · full map in /DOCS/COMPLIANCE · signed Ed25519
Where it hurts

You've heard this one before.

  • RMF adoption stalled because 'Govern' requires org-wide policy no one has time to write.
  • MEASURE subcategories expect quantitative data that isn't collected.
  • Incident playbooks exist in Confluence but not in production.
  • Federal contract RFPs demand RMF evidence you don't have.
What we do about it

Three moves.

  1. GOVERN: policies with receipts.

     Policy-as-code that is reviewed, versioned, and signed on approval. Evidence for GOVERN categories 1 through 6 flows automatically.

  2. MAP: registry + context.

     Every AI system has its stakeholders, deployment context, intended use, and risk tolerances recorded in the registry, joined with live discovery signals.

  3. MEASURE + MANAGE: operational.

     Continuous evaluations produce MEASURE evidence. Gateway enforcement produces MANAGE evidence. Every data point is signed.
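The property the three moves rely on is that every MEASURE or MANAGE data point is signed and gateway decisions land in a signed ledger, so an auditor can check the evidence without trusting whoever produced it. The block below is an added example written for this page; it is not ShadowIQ code and not ShadowIQ's record format. It assumes a hypothetical EvidenceRecord layout, signs each record with Ed25519 (the algorithm the crosswalk names), hash-chains records to the one before, and gives the verifier an auditor would run with only the public key, the records and a published head hash. The subcategory labels, control names and JSON payloads are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// EvidenceRecord is a hypothetical format invented for this example, not ShadowIQ's
// wire format. Fixed field order gives encoding/json deterministic bytes to sign.
type EvidenceRecord struct {
	Seq         uint64 `json:"seq"`
	Subcategory string `json:"subcategory"` // AI RMF subcategory, e.g. "MEASURE 2.7"
	Control     string `json:"control"`     // control that produced the evidence
	Payload     string `json:"payload"`     // the evidence itself (eval result, gateway decision ...)
	PrevHash    string `json:"prev_hash"`   // hex SHA-256 of the previous signed record; "" for the first
	Signature   string `json:"sig"`         // hex Ed25519 signature over the record with sig == ""
}

func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signingBytes is the canonical message the signature covers; r is a copy, so blanking
// sig does not touch the caller's record. Marshalling strings and an int cannot fail.
func (r EvidenceRecord) signingBytes() []byte {
	r.Signature = ""
	b, _ := json.Marshal(r)
	return b
}

// recordHash covers the whole signed record, so re-signing a predecessor changes every later PrevHash.
func recordHash(r EvidenceRecord) string {
	b, _ := json.Marshal(r)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Head is the hash of the last record ("" when empty); published out of band it lets a
// verifier detect truncation, which per-record signatures alone cannot.
func Head(recs []EvidenceRecord) string {
	if len(recs) == 0 {
		return ""
	}
	return recordHash(recs[len(recs)-1])
}

// Append (producer side) signs a new record chained to the current head.
func Append(priv ed25519.PrivateKey, recs []EvidenceRecord, subcategory, control, payload string) []EvidenceRecord {
	r := EvidenceRecord{Seq: uint64(len(recs)), Subcategory: subcategory,
		Control: control, Payload: payload, PrevHash: Head(recs)}
	r.Signature = hex.EncodeToString(ed25519.Sign(priv, r.signingBytes()))
	return append(recs, r)
}

// Verify checks one record's signature; a malformed or wrong-length sig simply fails.
func Verify(pub ed25519.PublicKey, r EvidenceRecord) error {
	if sig, err := hex.DecodeString(r.Signature); err != nil || !ed25519.Verify(pub, r.signingBytes(), sig) {
		return errors.New("signature missing, malformed or invalid")
	}
	return nil
}

// VerifyChain (auditor side) needs only the public key, the records and the published head:
// it checks each signature, the hash linkage, the sequence numbers and the final head.
func VerifyChain(pub ed25519.PublicKey, recs []EvidenceRecord, expectedHead string) error {
	prev := ""
	for i, r := range recs {
		if r.Seq != uint64(i) {
			return fmt.Errorf("record %d: sequence gap or reorder", i)
		}
		if r.PrevHash != prev {
			return fmt.Errorf("record %d: hash chain broken", i)
		}
		if err := Verify(pub, r); err != nil {
			return fmt.Errorf("record %d: %w", i, err)
		}
		prev = recordHash(r)
	}
	if prev != expectedHead {
		return errors.New("chain does not end at the published head (truncated or stale)")
	}
	return nil
}

func main() {
	pub, priv, err := NewSigner()
	if err != nil {
		panic(err)
	}
	var recs []EvidenceRecord // constructed sample evidence, not real ShadowIQ output
	recs = Append(priv, recs, "MEASURE 2.7", "continuous-eval", `{"suite":"injection-v1","pass":97,"fail":3}`)
	recs = Append(priv, recs, "MANAGE 2.2", "gateway-policy", `{"decision":"block","rule":"prompt-injection"}`)
	head := Head(recs)
	fmt.Println("intact chain:  ", VerifyChain(pub, recs, head))
	// Dropping the gateway decision: every remaining signature is valid; only the head catches it.
	fmt.Println("dropped record:", VerifyChain(pub, recs[:1], head))
	// Rewriting an eval result after the fact: the signature no longer covers it.
	recs[0].Payload = `{"suite":"injection-v1","pass":100,"fail":0}`
	fmt.Println("edited record: ", VerifyChain(pub, recs, head))
}
```

Run it with go run: the intact chain verifies, the truncated copy fails the head comparison, and the edited record fails its signature. The head check is the caveat a practitioner should carry into any signed-evidence product: a valid signature on each record proves that record is genuine, not that the set is complete, so the producer has to publish the current head (or a signed checkpoint) somewhere the auditor can fetch independently of the evidence export.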

Outcomes

Numbers, not adjectives.

100% RMF category coverage
Gen AI 600-1 profile supported
OSCAL export compatible
Full crosswalk

NIST AI RMF subcategory → ShadowIQ control → signed evidence.

Subcategory   Requirement                      ShadowIQ control                 Signed evidence
GOVERN 1.2    Accountability structure         Registry ownership + RBAC        Signed ownership records
MAP 2.3       Categorize AI system             Registry classification          Signed categorization
MEASURE 2.7   AI system evaluated              Continuous evaluation engine     Signed eval runs
MEASURE 2.8   Risks / impacts documented       Risk register · live             Signed risk delta records
MANAGE 2.2    Risk mitigation in deployment    Gateway policy enforcement       Signed decision ledger
MANAGE 4.1    Incident recovery & learning     Forensic timeline + postmortem   Signed incident record
Frequently asked

Asked, answered, sourced.

It is voluntary guidance, but federal contracts (via executive orders and agency guidance), cyber insurance underwriters, and many state AI procurement rules explicitly reference it. Practically, it is the default US risk language.

NIST AI 600-1 identifies twelve risks that are unique to or exacerbated by generative AI (CBRN information, information integrity and content provenance, harmful bias and homogenization, among others) and suggests actions for each. ShadowIQ ships pre-built controls for all twelve risk categories.

Many NIST AI RMF categories have direct analogs in EU AI Act articles. Our crosswalk lets one control satisfy both: e.g., MEASURE 2.7 ↔ EU AI Act Article 15 ↔ the same signed eval record.

Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.