Skip to main content
You are aligning an AI agent to the NIST AI Risk Management Framework and your reviewer wants to see the Govern / Map / Measure / Manage functions backed by something that actually runs — not a spreadsheet of intentions. The NIST AI RMF pack maps the framework’s risk functions to real gateway guardrails, materializes them into your workspace in one call, and lets you run them in observe mode before anything enforces. This page is the NIST-AI-RMF-specific landing on top of the shared compliance flow. For the mechanics every pack has in common — observe-first, plan gating, the signed report — start at the compliance overview.

1. What nist ai rmf alignment covers on the gateway

The nist_ai_rmf pack (NIST AI Risk Management Framework 1.0, jurisdiction US) maps three framework functions to content-plane guardrails. Each is a real, editable rule built from the same preset library you can author against by hand — open it, read it, tune it like any other guardrail.
Detects and flags prompt-injection attempts on the request. Built from the Prompt-Injection Basics preset — a keyword rule that annotates common jailbreak phrases (ignore previous instructions, reveal your system prompt) at the input stage for review, without blocking the user. This is the pack’s recommended control.
Flags self-harm / unsafe content. Built from the Self-Harm Keywords preset, which blocks input-stage prompts asking how to self-harm. Pair it with your own escalation workflow so a blocked request surfaces to a human reviewer with helpline information.
Records guardrail decisions as governance evidence. Built from the Compliance Logger (observe-only) preset — it logs PII occurrences and policy decisions across input and output without blocking or modifying traffic.
These are the risk-function obligations the gateway can carry: detection on inputs, a safety block, and a decision record. The framework also asks for organizational work the gateway can’t perform — your GOVERN 1.1 policies and accountability structure — which the pack carries as an Organizational: true row for you to evidence outside the gateway. See shared responsibility.

2. One concrete example: install, observe, go live

Pack work uses your console session (UserAuth) — not a relay sk-orca-… key. Browsing the catalog and checking readiness are free for any workspace Member; installing is a workspace Admin action on a paid plan, enforced server-side so a direct API call can’t bypass the gate.
1

Browse and check readiness (Member, free)

Open Compliance → Frameworks and select NIST AI RMF. Readiness shows how the three controls map to your current policies before you commit to anything.
2

Install the pack (Admin, paid)

Installing from the console issues POST /api/compliance/packs/nist_ai_rmf/install. One call materializes the controls into a real, editable guardrail tagged with the pack’s provenance — created in observe mode, so it flags instead of blocking and you collect “would-have-blocked” evidence on live traffic without affecting it.
POST /api/compliance/packs/nist_ai_rmf/install
3

Watch the matches

Review what the MANAGE and MEASURE controls would catch in the Guardrails matches feed (GET /api/guardrail/match, Member). Tune any rule in the console — it’s a standard guardrail, so every edit, version, and revert path works unchanged.
4

Take it live and attach

Flip the guardrail out of observe mode when the evidence looks right, then attach it to the keys your agents use by setting guardrail_id on the key (or make it the workspace default). Now the MEASURE 2.6 self-harm block enforces on the request before metering.
Never hand a relay sk-orca-… key to a configuration route. The /api/compliance/* and /api/guardrail/* routes authenticate with your console session, not the relay key — only /v1/* model calls use sk-orca-…. Installing, going live, reporting, and setting residency are the gated Admin actions.
A guardrail_blocked result from the MEASURE 2.6 control is an HTTP 400 that costs no quota — an input-stage block is caught pre-metering, and it’s marked skip-retry, so a blocked unsafe prompt never burns spend or loops.

3. Ship a signed, verifiable report

When you’re enforcing, generate the compliance report: an Ed25519-signed, SHA-256-stamped artifact you can export as CSV, JSON, or PDF and hand to a reviewer. Anyone can verify it without an account.
Each control row carries its status — covered, observe, gap, or attested — and how many times it actually fired over the period. A MANAGE 2.1 control that flagged 2,000 injection attempts reads differently to a reviewer than one with zero matches, and the report shows both.
Every materialized control records its control_id (e.g. nistai.injection), the verbatim clause (NIST AI RMF MANAGE 2.1), the plane, and the id of the live guardrail enforcing it — so a reviewer walks function → control → enforcing policy → matches with no inferred step.
Fetch the signing public key at GET /api/public/compliance/pubkey, submit the report to POST /api/public/compliance/verify, or open a scoped reviewer share link at GET /api/public/compliance/share/:token. No account required.
See the signed report for the full cover-to-footer layout and Verify a report for the verification walkthrough.

4. Region-stamp your NIST AI RMF evidence

Reports are stamped and stored under your declared data-residency region (us / eu / uk / ap / cn / global); a report is only served under a matching region, and cross-region reads are withheld. A workspace Admin sets it via PUT /api/compliance/residency.
Residency is the region of the compliance report artifact, not geo-pinning of where inference runs. It controls where your signed evidence lives and who can read it, not where model traffic is routed. See data residency and cross-region.
Request logs default to a 30-day retention (server-clamped to a 180-day hard max), and a user deletion runs a 30-day grace window then a PII scrub — both relevant when a reviewer asks about your retention posture. See Retention and Right to erasure.

5. NIST AI RMF alongside the rest of your program

The AI RMF rarely lands alone. The same install flow covers the adjacent AI-governance and LLM-security frameworks, each materializing its own editable controls:
PackFramework
iso_42001ISO/IEC 42001 AI management system
eu_ai_actEU Artificial Intelligence Act
owasp_llmOWASP Top 10 for LLM Applications

ISO 42001

AI management-system evidence.

EU AI Act

Prohibited-practice, transparency, record-keeping.

OWASP LLM Top 10

The high-signal LLM security risks as a pack.
The MANAGE 2.1 prompt-injection control is the gateway’s defense against the same threat your security policies already track. If you want to harden it independently of the compliance pack, the guardrail reference goes deeper.

6. Where to go next

Install a pack

The full install mechanics, shared across every framework.

Observe vs enforce

How observe mode turns into live enforcement, deliberately.

Guardrails reference

The content-plane controls the NIST AI RMF pack is built from.

Prompt injection

The threat the MANAGE 2.1 control defends against.
Install in observe mode, watch what the Map/Measure/Manage controls would catch, take them live on your agents’ keys, then ship a signed report. That’s nist ai rmf alignment as a configuration, not a project.