NIST AI RMF Generative Profile: Mapping Controls to Your LLM Stack
NIST's generative-AI profile updated the AI Risk Management Framework. How to map its controls to a real LLM stack in 2026.
The Framework
NIST's AI Risk Management Framework (AI RMF 1.0, 2023) gave organizations a structured way to identify, measure, manage, and govern AI risks. The Generative AI Profile (NIST AI 600-1, July 2024 with 2025 updates) specialized the framework for generative AI risks.
By 2026, US federal contracts and many enterprise procurement RFPs reference RMF compliance. This piece maps the high-level controls to the parts of a real LLM stack.
The Four Functions
flowchart TB
Govern[GOVERN<br/>policies, accountability, culture] --> Map
Map[MAP<br/>context, risks, intended use] --> Measure
Measure[MEASURE<br/>tests, metrics, evaluation] --> Manage
Manage[MANAGE<br/>treat, monitor, incidents] --> Govern
The functions cycle. Each one is a section of the framework with measurable subcategories. The Generative Profile adds GenAI-specific risks and controls under each.
The 12 Generative-AI-Specific Risks
The Profile identifies risks that are heightened or unique to generative systems:
- CBRN information / capabilities
- Confabulation (hallucination)
- Dangerous, violent, or hateful content
- Data privacy
- Environmental impacts
- Harmful bias / homogenization
- Human-AI configuration (over-reliance, automation bias)
- Information integrity (misinfo, deepfakes)
- Information security
- Intellectual property
- Obscene, degrading, abusive sexual content
- Value chain / component integration
Most production LLM applications care most about confabulation, data privacy, harmful bias, IP, and security.
See AI Voice Agents Handle Real Calls
Book a free demo or calculate how much you can save with AI voice automation.
Mapping Controls to a Real Stack
flowchart LR
Stack[LLM Stack] --> L1[Data Layer]
Stack --> L2[Model Layer]
Stack --> L3[Prompt + Tool Layer]
Stack --> L4[Application Layer]
L1 --> C1[Privacy controls,<br/>data classification]
L2 --> C2[Provider attestations,<br/>model cards]
L3 --> C3[Prompt guards,<br/>tool permissions]
L4 --> C4[Human oversight,<br/>logging, eval]
Data Layer
- Classify training and inference data by sensitivity
- Document provenance and licensing
- Enforce data minimization in prompts (no PII unless required)
- Logging captures only what is necessary
Model Layer
- Use providers that publish model cards and safety evaluations
- For fine-tuned models, maintain your own model card
- Pin model versions; document version changes
- For self-hosted models, run the standard safety eval suite
Prompt + Tool Layer
- Input guards (prompt injection detection)
- Output guards (PII redaction, content moderation)
- Tool permission scopes (least privilege)
- Audit log of every tool call
Application Layer
- Human review for high-stakes outputs
- Clear AI disclosure to end users
- Feedback channels for users to report errors
- Continuous evaluation against measured outcomes
A Compliance Document Template
Most teams pursuing RMF alignment produce three documents:
flowchart TB
Doc1[System Description<br/>scope, context, users] --> Pkg
Doc2[Risk Assessment<br/>identified risks, controls] --> Pkg
Doc3[Evaluation Results<br/>measurements, metrics] --> Pkg[Compliance Package]
These map cleanly to the GOVERN, MAP, MEASURE functions. MANAGE is operationalized in the controls themselves and in incident-response runbooks.
What Tools Help
By 2026 several open-source and commercial tools map directly to RMF controls:
- Garak (NVIDIA, open-source) — automated LLM vulnerability scanning
- Promptfoo — prompt evals with safety dimensions
- Inspect AI — UK AI Safety Institute's eval framework
- HiddenLayer and Robust Intelligence — commercial AI red-teaming and monitoring
- AWS Bedrock Guardrails / Azure Content Safety / Vertex AI Safety — cloud-native input/output guards
Common Gaps in Practice
What teams typically miss when first attempting RMF alignment:
- Eval cadence: one-time evaluations are not enough; the framework expects continuous measurement
- Incident reporting: most teams have no defined process for AI-specific incidents
- Provenance: data and model provenance is often undocumented
- Decommissioning: the framework includes managed retirement of models; rarely planned for
RMF and Other Frameworks
In 2026 the Generative AI Profile aligns reasonably with:
- ISO/IEC 42001 (AI management systems standard)
- EU AI Act high-risk requirements
- HIPAA Privacy Rule (when applied to PHI in AI)
- SOC 2 (when AI processes customer data)
A single internal compliance program can typically satisfy multiple frameworks.
What This Means for Builders
If you sell to enterprises or US federal customers in 2026, RMF alignment is increasingly a procurement requirement. The cost is real but bounded — typically a few months of focused work to set up, then ongoing measurement effort. Done well, the same investment supports EU AI Act, ISO 42001, and most enterprise risk reviews.
Sources
- NIST AI Risk Management Framework — https://www.nist.gov/itl/ai-risk-management-framework
- NIST AI 600-1 Generative AI Profile — https://nvlpubs.nist.gov/nistpubs/ai/NIST.AI.600-1.pdf
- ISO/IEC 42001 — https://www.iso.org
- Garak LLM scanner — https://github.com/NVIDIA/garak
- "Mapping AI risks to controls" CSA — https://cloudsecurityalliance.org
Try CallSphere AI Voice Agents
See how AI voice agents work for your industry. Live demo available -- no signup required.