NIST released AI RMF 1.1 with one significant addition: a generative AI profile that maps the four core framework functions (Govern, Map, Measure, Manage) to the specific risk categories that generative AI systems introduce. It is currently the most actionable official US guidance on AI risk management for enterprise use cases.

The generative AI profile (published as NIST AI 600-1) adds specificity on twelve risk categories: CBRN information or capabilities; confabulation (the profile uses this term rather than hallucination); dangerous, violent or hateful content; data privacy; environmental impacts; harmful bias and homogenization; human-AI configuration; information integrity; information security (which is where data poisoning, prompt injection and similar attacks on the model and its pipeline are covered); intellectual property; obscene, degrading or abusive content; and value chain and component integration. For each category, the profile provides risk context, impact descriptions, and suggested actions tied back to the Govern, Map, Measure and Manage subcategories.

What is useful for enterprise compliance teams: the framework is voluntary, but it is being adopted by federal contractors and appears in procurement requirements from several large enterprises. If your AI compliance program is being built from scratch, the NIST RMF provides a structure that aligns with how procurement committees and regulators are increasingly framing AI risk.

What the framework does not provide: quantitative thresholds, specific testing methodologies, or a certification process. It is a governance and organizational framework, not a technical specification. Teams that need concrete evaluation approaches for fairness, robustness, or accuracy have to supplement it from other sources: IEEE standards for specific evaluation methods, ISO/IEC 42001 if a certifiable AI management system is the goal (it is a management-system standard in the mould of ISO/IEC 27001, not a test methodology), and the OWASP Top 10 for LLM Applications for application-level threats such as prompt injection and insecure output handling.

The enterprise compliance implication: organizations that built an AI governance program around the original RMF 1.0 should review the generative AI profile and check, category by category, whether existing controls, risk registers and measurement activities actually cover the twelve new risk areas. Most v1.0-era programs will need material updates before they adequately cover generative AI deployments.

Tags: nist, ai-rmf, compliance, risk-management, generative-ai