NIST AI Risk Management Framework
NIST AI RMF mapping is included on the Enterprise plan.
Scope
NIST AI RMF is the de facto reference framework for AI risk in the United States federal ecosystem. Behavry ships a mapping for 8 requirements across the four functions — GOVERN, MAP, MEASURE, MANAGE — that are directly instrumented by the product.
Source: backend/behavry/compliance/nistrmf.py. UI: Compliance → NIST AI RMF.
Covered requirements
| Function | Requirement | Behavry answer |
|---|---|---|
| GOVERN 1.1 | Policies are in place | Policy Engine + Policy Writer + Change Requests |
| GOVERN 1.5 | Roles and accountability | User roles, audit log user attribution |
| MAP 1.1 | Context is documented | AI Surface Mapping, Dependency & Lineage |
| MAP 5.1 | Risk is characterized | Behavioral Risk Framework (BRF) |
| MEASURE 1.1 | Measurement is plannable | Decision Trace + SIEM Connectors (evidence pipelines) |
| MEASURE 2.6 | Incidents are tracked | Alerts & Escalations, HITL queue |
| MANAGE 2.4 | Response and recovery | Global Kill Switch, Restricted Mode |
| MANAGE 4.1 | Continuous monitoring | Behavioral Monitor, Intent Drift, Cross-Session Trust Reset |
Continuous posture
This view follows the same live evidence pattern as SOC 2 / ISO. Each function gets a card showing its overall status, with the per-requirement breakdown beneath it.
Export
GET /api/v1/compliance/nist-ai-rmf/export?format=pdf|csv|json
How to use this for a federal conversation
A typical federal AI risk review wants three things for each requirement:
1. A description of what you do to address it
2. Evidence that you do it continuously, not just once
3. A responsible party: who owns the control
Behavry provides (1) and (2) automatically; the export includes both. Add (3) via the optional "owner" field in the export and the PDF will pick it up.