nist-ai-rmf

GitHub

应用NIST AI风险管理框架(AI RMF)及生成式AI配置文件,提供咨询、治理计划制定和全面影响评估三种模式。严格引用官方子类别和行动ID,区分核心框架与GenAI叠加层,适用于AI系统治理与合规审查。

skills/nist-ai-rmf-rafal-fryc/SKILL.md lawve-ai/awesome-legal-skills

Trigger Scenarios

提及AI RMF或NIST RMF 询问NIST AI 100-1或600-1标准 涉及信任AI特性或GenAI风险 请求AI系统治理计划或影响评估

Install

npx skills add lawve-ai/awesome-legal-skills --skill nist-ai-rmf -g -y
More Options

Use without installing

npx skills use lawve-ai/awesome-legal-skills@nist-ai-rmf

指定 Agent (Claude Code)

npx skills add lawve-ai/awesome-legal-skills --skill nist-ai-rmf -a claude-code -g -y

安装 repo 全部 skill

npx skills add lawve-ai/awesome-legal-skills --all -g -y

预览 repo 内 skill

npx skills add lawve-ai/awesome-legal-skills --list

SKILL.md

Frontmatter
{
    "name": "nist-ai-rmf",
    "owner": "standalone-skill distribution; source of truth is NIST AI 100-1 and NIST AI 600-1",
    "version": "1.0.1",
    "audience": "AI governance leads, in-house counsel, privacy and compliance officers, and AI risk\/policy professionals who need to apply the NIST AI RMF rigorously to a specific system or program without re-reading the full publications each time.\n",
    "description": "Apply the NIST AI Risk Management Framework (NIST AI 100-1 + the NIST AI 600-1 Generative AI Profile) to a specific AI system, governance question, or impact assessment. Three modes — consult, governance plan, full assessment — all cite Subcategories (`GOVERN 1.1`) and Profile Action IDs (`GV-1.2-001`) verbatim. Use when the user mentions the AI RMF, NIST RMF, NIST AI 100-1, NIST AI 600-1, GenAI Profile, the four functions (Govern \/ Map \/ Measure \/ Manage), the trustworthy AI characteristics, the 12 GAI risks (confabulation, harmful bias, information integrity, CBRN, data privacy, etc.), or asks \"what does NIST say about X\" for an AI system.\n",
    "last_verified": 1779148800,
    "freshness_window": "12 months",
    "verified_against": [
        "https:\/\/www.nist.gov\/itl\/ai-risk-management-framework",
        "https:\/\/nvlpubs.nist.gov\/nistpubs\/ai\/NIST.AI.100-1.pdf",
        "https:\/\/nvlpubs.nist.gov\/nistpubs\/ai\/NIST.AI.600-1.pdf"
    ],
    "freshness_category": "regulatory-guidance",
    "verification_notes": "2026-05-19 re-verification: compared every Subcategory ID and Suggested Action ID in references\/core\/ and references\/gai-profile\/ against the current NIST AI 100-1 (Jan 2023) and NIST AI 600-1 (Jul 2024) publications at the URLs above. All 211 GAI Profile Action IDs and all Core Subcategory IDs are present and verbatim. NIST has not issued a revision to either publication as of this date. Re-verify on or before 2027-05-19, or sooner if NIST announces an update."
}

NIST AI Risk Management Framework

What this skill does

Applies the NIST AI RMF — by name, by Subcategory, by Action ID — to whatever AI use case, governance question, or assessment the user brings. Three modes; pick one based on the user's question, default to consult if unsure.

  1. Consult — fast lookup. "What should I do per the AI RMF for X?" Returns applicable risks (for GenAI) and the relevant Suggested Actions / Subcategories, quoted verbatim. Best for quick gut-check questions.
  2. Governance plan — structured plan. "What should our governance plan include per the AI RMF?" Organized around the GOVERN function's Subcategories, with GenAI-specific actions layered in where applicable. Best for standing up or auditing an AI governance program.
  3. Assessment — full impact assessment. "Run a NIST AI RMF impact assessment for X." Walks all four functions for one specific system. Best when the user wants a documented artifact.

All three modes share the same source-of-truth: verbatim NIST text in references/. Quote the files; don't invent or paraphrase.

Source and scope

Two NIST publications underlie the skill. The verbatim extracted markdown ships in references/; the raw source HTMLs and maintainer-only re-extraction tooling live outside this distribution.

  • NIST AI 100-1 (AI RMF 1.0, January 2023) — the Core framework. Applies to any AI system. Defines Govern, Map, Measure, Manage; their Categories and Subcategories; and seven Trustworthy AI characteristics. Extracted into references/core/.
  • NIST AI 600-1 (Generative AI Profile, July 2024) — the GenAI-specific overlay. 12 enumerated GAI risks and 211 Suggested Actions coded GV-X.Y-NNN etc., each mapped to a Core Subcategory. Extracted into references/gai-profile/.

The Core applies to any AI system. The Profile is an overlay on top of the Core for generative systems. So:

  • Non-GenAI system → Core only. Don't pull GAI Profile actions; many won't apply.
  • GenAI system → Core for the framework + Profile for GenAI-specific risks and actions.
  • Mixed pipeline → split per component.

Other NIST AI Profiles exist; they aren't loaded here. If the user asks about one, say so plainly.

Provenance and decline pathways

This skill ships as a standalone skill. The provenance of every claim must be unambiguous to a reader who never saw the conversation.

The skill will:

  • Cite verbatim every Subcategory ID and Action ID from references/. The wording in the output must match the file.
  • Mark model judgment inline. Applicability calls ("this risk applies here"), operational glosses ("in practice this means…"), role-ownership recommendations, and the final assessment recommendation are model inferences, not NIST statements. Tag the first instance of each kind with [model judgment — verify against system specifics] (or the more specific variants in the templates).
  • Distinguish Core vs Profile. Non-GenAI systems never pull GV-/MP-/MS-/MG- action IDs.

The skill will decline to:

  • Invent IDs. If a Subcategory or Action ID doesn't appear in references/, it does not exist in NIST's framework. Say so plainly rather than fabricating one.
  • Paraphrase NIST text. The framework's authority is the publication. Rewording strips the citation value.
  • Assess without input. If the user's system description lacks the detail to assess a Subcategory, list it as an Open item — don't guess.
  • Substitute for counsel. NIST is non-binding voluntary guidance. Mandatory regimes (EU AI Act, state AI laws, sector rules) impose actual obligations that may or may not track NIST. Flag the divergence, don't paper over it.

Workflow

In order, every invocation:

  1. Read references/README.md first. It's the routing index — it tells you which reference files to load for which question. Don't load files greedily.
  2. Gather the question. Identify the AI use case, system, or governance question. If the user's prompt is vague ("what does NIST say about AI?"), ask one clarifying question before drafting — what system, what context, what decision.
  3. Decide the mode. Consult / governance plan / assessment. Most queries are consult unless the user explicitly asks for a plan or an assessment.
  4. Decide GenAI or not. Foundation models, LLMs, image/audio/video/text generators, RAG over a generative core — GenAI. Classifiers, regressors, recommenders, anomaly detectors, traditional ML — not GenAI (use Core only).
  5. Load only the reference files the question needs, per references/README.md.
  6. Load the relevant output template from references/templates/<mode>.md when drafting output.
  7. Produce output per the template with verbatim citations and the provenance markers described above.

Mode 1 — Consult

When to use: the user is asking "what should we do?" or "what does NIST say about?" with a specific system or scenario in mind. Fast turnaround. Not a deliverable artifact.

Procedure:

  1. From the system description, identify:
    • System type (GenAI? non-GenAI? mixed?).
    • For GenAI: which of the 12 GAI risks plausibly apply. Use gai-profile/risks.md + crosswalk.md. Be honest — if a risk obviously doesn't apply (e.g., CBRN for a customer-service chatbot), say so and exclude it. Don't pad.
    • For any system: which of the Core Subcategories most directly apply. Usually 4–10, not all of them.
  2. Pull the relevant Suggested Actions (GenAI) or Subcategory statements (non-GenAI) into a table. Group by function.
  3. Surface 2–4 follow-up questions the user can't answer from the framework alone (e.g., "What's your incident response capacity?"). The framework points; the user fills in.

Output template: references/templates/consult.md — load when drafting.

Mode 2 — Governance plan

When to use: the user is building or auditing an AI governance program, not assessing one specific system. They want structure, not a system-specific deep dive.

Procedure:

  1. Bias toward the GOVERN function in the Core. Walk every Category (GOVERN 1–6). For each Category, list the Subcategories with one-sentence "in practice" annotations (operational glosses, marked accordingly per template).
  2. Add MAP / MEASURE / MANAGE Subcategories that have clear governance-program implications (e.g., MAP 1.5 "Organizational risk tolerances are determined and documented" — governance owns the tolerance definitions even though it's a MAP Subcategory).
  3. If the org uses or plans to use GenAI, layer in the GAI Profile GOVERN actions per Subcategory.
  4. Cross-reference the seven Trustworthy AI characteristics — most policies should commit to each by name.

Output template: references/templates/governance-plan.md — load when drafting.

Mode 3 — Assessment

When to use: the user wants a documented artifact assessing one specific system end-to-end. Heavier than a consult. The output should be self-contained — a reader who never saw the conversation should understand it.

Procedure:

  1. Confirm the scope: one system, one version, one deployment context. If the user is vague, ask before drafting.
  2. Walk all four functions. For each function, identify the applicable Subcategories and (for GenAI) Action IDs. Cite verbatim.
  3. For each Subcategory / action, write a one-paragraph assessment of what we found about this system against this Subcategory. Honest, specific. If you don't have the input to assess something, say so and list it as an open item — don't bluff.
  4. Conclude with a recommendation: deploy / deploy with conditions / do not deploy. Conditions, if any, must reference specific Subcategories so they're verifiable.

Output template: references/templates/assessment.md — load when drafting.

Output formatting

Work-product header. Default to CONFIDENTIAL — Internal Use at the top of every output. If the user is operating in a legal context and asks for an attorney-work-product header, switch to ATTORNEY WORK PRODUCT. PRIVILEGED AND CONFIDENTIAL. for that output.

Markdown to stdout. Don't write files. The output is markdown for the user to copy, edit, route, or save themselves.

Citations. Always include the Subcategory or Action ID as a clear citation (e.g., **GOVERN 1.1** or `GV-1.2-001`). The verbatim NIST statement goes right after. Never bury the citation in a footnote.

What this skill is and isn't

It is: a way to apply the NIST AI RMF rigorously, with verbatim citations, to specific questions and systems. It saves a lawyer or governance professional from re-reading the full PDF every time.

It isn't:

  • A substitute for legal counsel. NIST is non-binding. Mandatory regulatory regimes (EU AI Act, state AI laws, sector rules) impose actual obligations that may track to NIST or may not. Flag the divergence; don't replace the analysis.
  • A compliance certification. Citing the framework is not the same as meeting it. The conditions in a Mode 3 recommendation should be auditable — but auditing is not what this skill does.
  • A complete library of NIST AI publications. Only AI 100-1 and AI 600-1 are loaded. If the user asks about other Profiles, NIST AI Safety Institute publications, or NIST cybersecurity / privacy frameworks, say so.

Limitations

  • Source dates. AI 100-1 is from January 2023; AI 600-1 is from July 2024. The framework is intended as a living document; later revisions may exist. Treat the skill's content as a frozen snapshot.
  • Non-binding. Suggested Actions and Subcategories are voluntary guidance. They become "what we did" only when the organization adopts them.
  • GenAI scope. The Profile assumes generative AI. Applying its actions to a non-generative system creates noise — don't do it.
  • Verbatim citations only. If a Subcategory or Action ID doesn't appear in references/, it doesn't exist (in NIST's framework). Don't invent.

Version History

  • 7f58aaf Current 2026-07-05 11:52

Same Skill Collection

skills/assignation-refere-recouvrement-creance-selim-brihi/SKILL.md
skills/canned-responses-anthropic/SKILL.md
skills/compliance-anthropic/SKILL.md
skills/contract-review-anthropic/SKILL.md
skills/contract-risk-analyzer-sneha-ganapavarapu/SKILL.md
skills/docx-processing-lawvable/SKILL.md
skills/docx-processing-openai/SKILL.md
skills/docx-processing-superdoc/SKILL.md
skills/dpdpa-gdpr-review-parth-desai/SKILL.md
skills/dpia-sentinel-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-report-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-roles-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-triage-oliver-schmidt-prietz/SKILL.md
skills/french-text-proofreading-christophe-quezel-ambrunaz/SKILL.md
skills/icelandic-company-formation-magnus-smari-smarason/SKILL.md
skills/icelandic-contract-review-magnus-smari-smarason/SKILL.md
skills/icelandic-court-case-finder-magnus-smarason/SKILL.md
skills/icelandic-eea-gap-analysis-magnus-smari-smarason/SKILL.md
skills/icelandic-labour-law-magnus-smari-smarason/SKILL.md
skills/icelandic-legal-terminology-magnus-smari-smarason/SKILL.md
skills/icelandic-privacy-review-magnus-smari-smarason/SKILL.md
skills/legal-data-hunter-zacharie-laik/SKILL.md
skills/legal-risk-assessment-anthropic/SKILL.md
skills/lgpd-sentinel-rafael-mastronardi/SKILL.md
skills/mcq-generator-christophe-quezel-ambrunaz/SKILL.md
skills/meeting-briefing-anthropic/SKILL.md
skills/nda-review-jamie-tso/SKILL.md
skills/nda-triage-anthropic/SKILL.md
skills/notification-licenciement-selim-brihi/SKILL.md
skills/outlook-emails-lawvable/SKILL.md
skills/outside-counsel-billing-and-performance-reviewer-carl-ditzler/SKILL.md
skills/pdf-processing-anthropic/SKILL.md
skills/pdf-processing-openai/SKILL.md
skills/politique-confidentialite-malik-taiar/SKILL.md
skills/politique-cookies-malik-taiar/SKILL.md
skills/politique-lanceur-alerte-malik-taiar/SKILL.md
skills/privilege-sentinel-emily-cabrera/SKILL.md
skills/requete-cph-licenciement-faute-grave-selim-brihi/SKILL.md
skills/security-review-openai/SKILL.md
skills/skill-creator-anthropic/SKILL.md
skills/skill-creator-openai/SKILL.md
skills/skill-optimizer-lawvable/SKILL.md
skills/swiss-legal-source-authority-triage-enrique-g-zbinden/SKILL.md
skills/tabular-review-lawvable/SKILL.md
skills/tech-contract-review-parth-desai/SKILL.md
skills/vscode-extension-builder-lawvable/SKILL.md
skills/xlsx-processing-manus/SKILL.md
skills/xlsx-processing-openai/SKILL.md
skills/ai-governance-reviewer-carl-ditzler/SKILL.md
skills/analyse-rgpd-dpa-fournisseur-hugo-salard/SKILL.md
skills/assignation-refere-communication-associe-selim-brihi/SKILL.md
skills/audit-de-conformite-rgpd-site-internet-hugo-salard/SKILL.md
skills/bacen-compliance-sentinel-rafael-mastronardi/SKILL.md
skills/billable-time-stephane-boghossian/SKILL.md
skills/billing-cycle-manager-scott-margetts/SKILL.md
skills/budget-and-fee-manager-scott-margetts/SKILL.md
skills/climate-aligned-contracts-tclp/SKILL.md
skills/collaboration-platform-advisor-scott-margetts/SKILL.md
skills/continuous-improvement-engine-scott-margetts/SKILL.md
skills/customs-trade-law-onur-kafkas/SKILL.md
skills/divorce-ct-stephane-boghossian/SKILL.md
skills/doctrinal-research-allison-fiorentino/SKILL.md
skills/document-approval-tracker-scott-margetts/SKILL.md
skills/docx-processing-anthropic/SKILL.md
skills/employment-law-research-yue-deng-wu/SKILL.md
skills/en-us-legal-translation-wouter-van-den-berg/SKILL.md
skills/engagement-terms-billing-guidelines-scott-margetts/SKILL.md
skills/eu-ai-act-classification-oliver-schmidt-prietz/SKILL.md
skills/eu-ai-act-high-risk-implementation-readiness-werner-plutat/SKILL.md
skills/eu-ai-act-obligations-oliver-schmidt-prietz/SKILL.md
skills/eu-data-act-compliance-assessment-werner-plutat/SKILL.md
skills/eu-data-act-ryan-malek/SKILL.md
skills/fee-arrangement-structuring-scott-margetts/SKILL.md
skills/flash-case-law-research-giovanna-panucci/SKILL.md
skills/fria-eu-ai-act-article-27-werner-plutat/SKILL.md
skills/gdpr-breach-sentinel-oliver-schmidt-prietz/SKILL.md
skills/gdpr-privacy-notice-eu-oliver-schmidt-prietz/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro-2/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro-3/SKILL.md
skills/https-www-lawvable-com-en-author-patrick-munro/SKILL.md
skills/indian-foreign-investment-approval-assessment-siddhi-kudalkar/SKILL.md
skills/invoice-review-compliance-scott-margetts/SKILL.md
skills/judicial-first-impression-larissa-meredith-flister/SKILL.md
skills/jurisrank-argentine-supreme-court-analysis-adrian-lerer/SKILL.md
skills/lawyerscrib-garry-haas/SKILL.md
skills/legal-assistant-christophe-quezel-ambrunaz/SKILL.md
skills/legal-document-drafting-formatting-alessandro-dardano/SKILL.md
skills/legal-guidance-vault-michael-cremata/SKILL.md
skills/legal-risk-assessment-zacharie-laik/SKILL.md
skills/legal-simulation-patrick-munro/SKILL.md
skills/legal-translation-uk-english-wouter-van-den-berg/SKILL.md
skills/legitimate-interest-oliver-schmidt-prietz/SKILL.md
skills/litigation-deadline-calendar-dave-marcus/SKILL.md
skills/local-counsel-manager-scott-margetts/SKILL.md
skills/mandarinat-christophe-quezel-ambrunaz/SKILL.md
skills/mandatory-verification-larissa-meredith-flister/SKILL.md
skills/matter-allocation-instruction-scott-margetts/SKILL.md
skills/matter-intake-scoping-scott-margetts/SKILL.md
skills/matter-plan-builder-scott-margetts/SKILL.md
skills/mediation-dispute-analysis-jinzhe-tan/SKILL.md
skills/new-designation-screening-test-amir-fadavi/SKILL.md
skills/nil-contract-analysis-samir-patel/SKILL.md
skills/nis2-navigator-oliver-schmidt-prietz/SKILL.md
skills/opposing-counsel-review-larissa-meredith-flister/SKILL.md
skills/oral-argument-stephane-boghossian/SKILL.md
skills/originality-in-european-copyright-joris-deene/SKILL.md
skills/panel-design-selection-scott-margetts/SKILL.md
skills/panel-review-rationalisation-scott-margetts/SKILL.md
skills/performance-scorecard-scott-margetts/SKILL.md
skills/persuasive-legal-writing-larissa-meredith-flister/SKILL.md
skills/pptx-processing-anthropic/SKILL.md
skills/raisonnement-juridique-amaury-fouret/SKILL.md
skills/recherche-theses-allison-fiorentino/SKILL.md
skills/red-team-verifier-patrick-munro/SKILL.md
skills/resource-planner-scott-margetts/SKILL.md
skills/rfp-pitch-management-scott-margetts/SKILL.md
skills/risk-and-issues-manager-scott-margetts/SKILL.md
skills/sanctions-screening-gillan-saleh/SKILL.md
skills/sanctions-screening-legal-analysis-skill-english-gillan-saleh/SKILL.md
skills/scope-change-controller-scott-margetts/SKILL.md
skills/screening-alert-adjudication-amir-fadavi/SKILL.md
skills/skill-injection-defense-ignacio-adrian-lerer/SKILL.md
skills/skill-security-auditor-antoine-louis/SKILL.md
skills/source-locked-verification-larissa-meredith-flister/SKILL.md
skills/stakeholder-comms-planner-scott-margetts/SKILL.md
skills/status-report-drafter-scott-margetts/SKILL.md
skills/statute-analysis-rafal-fryc/SKILL.md
skills/tech-contract-negotiation-patrick-munro/SKILL.md
skills/timeline-generator-scott-margetts/SKILL.md
skills/vendor-due-diligence-patrick-munro/SKILL.md
skills/victor-wang-yc-saas-drafter/SKILL.md
skills/xlsx-processing-anthropic/SKILL.md

Metadata

Files
0
Version
7f58aaf
Hash
6f81b593
Indexed
2026-07-05 11:52

Accueil - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 20:54
浙ICP备14020137号-1 $Carte des visiteurs$