
Why the NIST AI RMF Matters More Now Than It Did a Year Ago

As AI moves from pilots into real workflows and agentic systems, the NIST AI Risk Management Framework becomes less abstract and more operational.

AI / Governance | June 13, 2026 | 6 min read

Figure: NIST AI Risk Management Framework governance diagram. Govern, Map, Measure, and Manage matter more as AI leaves pilots and enters real workflows.

A year ago, when I first learned about the NIST AI Risk Management Framework in graduate school, I saw it as a useful and timely structure for thinking about AI risk in healthcare.

I still see it that way.

I wrote about that earlier in a healthcare-specific context in Managing AI Risk in Healthcare: Security, Privacy, and Governance with the NIST AI RMF, where the framework shows up less as theory and more as a practical way to structure security, privacy, compliance, model reliability, and trust.

But I think it matters even more now than it did then.

The reason is simple: AI is no longer living mostly in pilots, isolated proofs of concept, or experimental tools. It is moving into workflows. It is showing up in copilots, internal assistants, analytics pipelines, decision support systems, customer-facing experiences, and increasingly, agentic systems that are designed to act rather than simply respond.

That changes the governance challenge.

The NIST AI RMF still gives us the same four core functions: Govern, Map, Measure, and Manage.

What has changed is the environment in which those functions now have to operate.

The Framework Matters More Because Execution Matters More

When AI is mostly experimental, governance is often easier to talk about than enforce.

Policies can be written. Committees can be formed. Principles can be published.

But once AI starts affecting real work, governance becomes operational.

That is where many organizations struggle.

It is one thing to say you care about trustworthy AI. It is another to answer questions like:

  • Where exactly is AI being used?
  • What data is it touching?
  • What risks does it introduce?
  • Who owns the output?
  • What controls are in place?
  • How is performance measured?
  • What happens when it fails?
  • Who is accountable when it causes harm, confusion, or drift?

This is where the NIST AI RMF remains useful.

Not because it gives easy answers, but because it forces organizations to ask the right questions before AI becomes deeply embedded into business operations.

The Four Functions Feel More Operational Now

Govern

This is where many organizations start, but also where many stop.

They define policies, principles, and governance structures, which is important. But governance that only exists in documentation is weak governance.

The real test is whether those policies show up in approvals, architecture decisions, role definitions, escalation paths, and controls that people actually use.

Map

This may be one of the hardest functions in practice.

Do you really know where AI is being used? In what workflows? With what dependencies? With what stakeholders? Under what business context?

Mapping AI risk gets harder as AI becomes more distributed and more embedded in everyday work.

Measure

Measurement is where good intentions often run into reality.

It is not enough to say a system is useful or safe. Organizations need meaningful ways to evaluate performance, bias, drift, reliability, explainability, and operational impact.

If you cannot measure it, you cannot govern it well.

Manage

This is where governance becomes action.

How are risks prioritized? How are mitigations implemented? How is monitoring handled?

What happens when something breaks? How quickly can the organization respond? This is especially important as AI systems move from passive assistance to more agentic forms of execution.

The Rise of AI Agents Raises the Stakes

I think this is one of the biggest reasons the NIST AI RMF feels even more relevant today.

As organizations experiment with AI agents, governance is no longer just about model behavior. It becomes about workflow behavior.

Now the questions expand:

  • What tools can the agent access?
  • What permissions does it have?
  • When does a human need to review output?
  • What actions can it take on its own?
  • How are failures detected?
  • How are decisions logged?
  • Who owns the result?

In that environment, governance is not abstract.

It is deeply tied to execution.

Governance is not what is defined. It is what is enforced at execution.
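The questions in that list are exactly what an execution-time gate has to answer for every tool call. As an added example (not code from the original post), the Python below puts the written policy in front of an agent's tools: an allowlist for which tools and permissions the agent has, a human-review hook for designated actions, a per-session call budget, and a decision log that records denials as well as approvals so the Measure function has something to count. The agent name, tool names, and the low-severity approval rule are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable

@dataclass(frozen=True)
class ToolPolicy:
    """Govern: the written policy, expressed as data the gate can enforce."""
    allowed_tools: frozenset   # tools the agent may invoke at all
    human_review: frozenset    # tools that require a human approval first
    max_calls: int             # per-session cap on approved tool calls

@dataclass
class AgentGate:
    """Sits between the agent and its tools; every call goes through authorize()."""
    agent: str
    policy: ToolPolicy
    approver: Callable[[str, dict], bool]    # human-in-the-loop hook
    log: list = field(default_factory=list)  # Manage: append-only decision log
    approved_calls: int = 0

    def authorize(self, tool: str, args: dict) -> bool:
        if tool not in self.policy.allowed_tools:
            ok, reason = False, "tool not in allowlist"
        elif self.approved_calls >= self.policy.max_calls:
            ok, reason = False, "call budget exhausted"
        elif tool in self.policy.human_review:
            ok = self.approver(tool, args)
            reason = "human review " + ("approved" if ok else "rejected")
        else:
            ok, reason = True, "permitted by policy"
        if ok:
            self.approved_calls += 1
        # Denials are logged too: Measure needs to see how often policy intervened.
        self.log.append({"agent": self.agent, "tool": tool, "args": args,
                         "allowed": ok, "reason": reason})
        return ok

    def summary(self) -> dict:
        return {"allowed": sum(e["allowed"] for e in self.log),
                "denied": sum(not e["allowed"] for e in self.log)}

def demo() -> AgentGate:
    """Constructed scenario: a ticket-triage agent whose reviewer only approves low-severity closes."""
    policy = ToolPolicy(frozenset({"read_ticket", "draft_reply", "close_ticket"}),
                        frozenset({"close_ticket"}), max_calls=3)
    gate = AgentGate("triage-agent", policy, lambda tool, a: a.get("severity") == "low")
    gate.authorize("read_ticket", {"id": "T-1"})                       # allowed
    gate.authorize("close_ticket", {"id": "T-1", "severity": "low"})   # human approved
    gate.authorize("close_ticket", {"id": "T-2", "severity": "high"})  # human rejected
    gate.authorize("issue_refund", {"id": "T-2"})                      # not in allowlist
    return gate
```

Swapping the lambda for a real approval workflow and shipping the log to a SIEM turns the same structure into the enforcement point the post is describing.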

My Takeaway

The NIST AI RMF is still one of the most useful ways to structure thinking around AI risk.

But I think its value is more obvious now than it was a year ago.

As AI moves into real workflows, the gap between policy and execution becomes much more visible. And that gap is where trust can be lost.

The organizations that do well with AI over the next few years will not just be the ones that adopt quickly.

They will be the ones that can answer the hard questions clearly: where AI is used, what risks it creates, how it is measured, how it is controlled, and who is responsible.

That is why the framework still matters.

Not as a box to check.

As a way to build discipline around real-world AI use.