NIST AI RMF 1.0 Alignment Published — 12/19 Fully Addressed, 7 Partial, 0 Gaps #905
Replies: 1 comment
The alignment table is useful, but for NIST AI RMF the strongest version is evidence-oriented rather than only category-oriented. The framework is lifecycle-based, so each “fully addressed” or “partially addressed” claim should ideally point to a repeatable evidence object. For each subcategory, I would include:
The partial items are especially important. A partial alignment should have a remediation path, acceptance criteria, and an explicit reason it is not a full gap. That makes the mapping useful for engineering prioritization, not only compliance communication.
I would also distinguish framework conformance from deployment conformance. The toolkit may support a control, but a specific deployed agent system still needs evidence that the control is configured, active, monitored, and tested in that environment.
-
We have published a comprehensive NIST AI Risk Management Framework (AI RMF 1.0) alignment assessment.
Document: https://github.com/microsoft/agent-governance-toolkit/blob/main/docs/compliance/nist-ai-rmf-alignment.md
Results: 12 fully addressed, 7 partially addressed, 0 gaps across all 19 RMF subcategories (GOVERN, MAP, MEASURE, MANAGE).
This joins ATF (25/25), OWASP (10/10), EU AI Act, SOC 2, and ISO 42001 mappings. We plan to reference this in our NIST RFI response (Docket 2026-00206).