NIST AI RMF for AI Agents

How to apply NIST AI RMF to AI agents using Govern, Map, Measure, and Manage with practical evidence and controls.

Published 2026-04-19.

Updated 2026-05-22.

The NIST AI Risk Management Framework (AI RMF 1.0, published in January 2023) is one of the most widely referenced frameworks for managing AI risk in practice. It provides four core functions: Govern, Map, Measure, and Manage. Together they help organizations structure accountability, identify risks, monitor AI behavior, and enforce controls across the system lifecycle.

For AI agents that use tools, call APIs, and access enterprise systems, the AI RMF is especially relevant. An agent's operational risk does not end at deployment: its risk profile keeps changing while it runs. The framework provides structure for controlling what agents can do, who is accountable, and what evidence proves risk was managed.

The AI RMF asks organizations to manage AI risk continuously. For AI agents, that means controlling actions, credentials, and tool access throughout the agent lifecycle — not only before launch.

Why runtime authorization belongs in AI RMF programs

Pre-deployment testing is necessary, but it is not enough for agentic systems. An AI agent can encounter new prompts, new documents, new users, new tools, and new business contexts after deployment. Its risk profile changes as it runs.

That creates operational questions the AI RMF can help structure:

  • Which AI agents exist in the organization?
  • What tools and data can each agent access?
  • Who is accountable for agent permissions?
  • Which actions require approval?
  • How are denied actions measured?
  • How quickly can unsafe access be revoked?
  • What evidence proves the organization controlled agent behavior?

Runtime authorization turns those governance questions into enforceable decisions.

AI RMF functions mapped to runtime authorization

The AI RMF is organized around four core functions: Govern, Map, Measure, and Manage. Runtime authorization contributes to each one.

_NIST AI RMF functions mapped to runtime authorization questions and evidence._

| AI RMF function | Runtime authorization question | Evidence to collect |
| --- | --- | --- |
| Govern | Who owns policy for agent actions, credentials, approvals, and exceptions? | Policy owners, approval rules, agent inventory, risk acceptance records. |
| Map | What tools, data, users, models, and downstream systems can each agent touch? | Tool catalog, data classification, action inventory, integration map. |
| Measure | How often are risky actions attempted, denied, approved, or escalated? | Decision logs, denial rates, approval latency, anomalous tool-use metrics. |
| Manage | How are unsafe actions blocked, scoped down, revoked, and reviewed? | Runtime denials, scoped credentials, incident response records, policy updates. |

Govern: assign accountability for agent actions

The Govern function is about policies, processes, accountability, and organizational structures. For runtime authorization, governance starts with recognizing AI agents as operational actors.

An agent that can query data, send messages, update systems, or call APIs is not just a model. It is a non-human actor with delegated access. Governance should answer:

  • Who owns the policy for this agent?
  • Which users can delegate access to it?
  • Which systems can it reach?
  • Which actions are prohibited?
  • Which actions require approval?
  • Who can grant exceptions?
  • Who reviews access and audit logs?

Useful governance artifacts include:

  • an inventory of AI agents and agentic applications
  • policy owners for each agent or agent class
  • approval matrices for high-impact actions
  • exception and risk acceptance records
  • credential ownership records
  • retention policy for runtime authorization logs

Without this governance layer, runtime controls tend to become scattered checks in application code. That makes it hard to prove consistency, review decisions, or respond to incidents.

Map: understand the agent action surface

The Map function is about understanding context, intended use, affected parties, and risks. For AI agents, mapping should include the full action surface, not only the model and data.

A useful runtime authorization map includes:

  • agent identity and owner
  • model or agent runtime
  • users and organizations the agent can act for
  • connected tools and MCP servers
  • SaaS integrations and OAuth scopes
  • internal APIs and databases
  • files, repositories, tickets, and customer records in scope
  • sensitive actions such as delete, export, send, merge, invite, refund, or permission change
  • expected task intents
  • downstream systems affected by agent actions

This mapping is where many AI risk programs are currently too shallow. They document model use cases but do not document what the agent can actually do. A chatbot that answers questions and an agent that can send email with user credentials are different risk classes.

Measure: observe runtime behavior and policy outcomes

The Measure function is about analysis, testing, monitoring, and metrics. Runtime authorization gives AI risk teams measurable evidence because every decision can be logged.

Useful metrics include:

  • number of tool calls by agent, user, and organization
  • allow, deny, and approval-required rates
  • most common denial reasons
  • high-risk action attempts
  • bulk export attempts
  • external destination attempts
  • policy exceptions
  • credential issuance volume
  • average credential lifetime
  • approval latency
  • repeated denied attempts in a session

These metrics help teams answer whether the risk controls are working. If denial rates are high, policies may be too strict or agents may be attempting unsafe workflows. If approvals are too frequent, the workflow may be unusable. If no actions are ever denied, the policies may be too broad to matter.
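
As an added example that is not part of the original article, the following Python derives those metrics from a batch of decision log records. The log format (one JSON object per line carrying the fields named in this article plus a session id, a denial reason and, for approvals, the timestamp of the human decision), the sample records, and the thresholds inside policy_health are constructed assumptions.

```python
"""Measure-function metrics computed from runtime authorization decision logs.

Added example for this article, not code from NIST or any product. The log
format, the sample records and the policy_health thresholds are assumptions.
"""
import json
from collections import Counter

# Constructed sample decision records (not real data): one JSON object per line.
SAMPLE_LOG = """\
{"ts": 1000, "session": "s1", "agent": "support-agent", "user": "alice", "tool": "crm", "action": "read", "resource": "customer/42", "outcome": "allow", "policy_version": "v7"}
{"ts": 1005, "session": "s1", "agent": "support-agent", "user": "alice", "tool": "crm", "action": "export", "resource": "customer/*", "outcome": "deny", "reason": "bulk_export", "policy_version": "v7"}
{"ts": 1006, "session": "s1", "agent": "support-agent", "user": "alice", "tool": "crm", "action": "export", "resource": "customer/*", "outcome": "deny", "reason": "bulk_export", "policy_version": "v7"}
{"ts": 1007, "session": "s1", "agent": "support-agent", "user": "alice", "tool": "email", "action": "send", "resource": "mailbox", "outcome": "deny", "reason": "external_destination", "policy_version": "v7"}
{"ts": 1100, "session": "s2", "agent": "finance-agent", "user": "bob", "tool": "billing", "action": "refund", "resource": "invoice/9", "outcome": "approval_required", "decided_ts": 1400, "policy_version": "v7"}
{"ts": 1200, "session": "s3", "agent": "finance-agent", "user": "bob", "tool": "billing", "action": "read", "resource": "invoice/9", "outcome": "allow", "policy_version": "v7"}
"""

# The sensitive action classes named in the article's Map section.
HIGH_RISK_ACTIONS = {"delete", "export", "send", "merge", "invite", "refund", "permission_change"}


def parse_log(text):
    """One JSON decision record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def outcome_rates(records):
    """Share of decisions that were allowed, denied or routed to a human."""
    counts = Counter(r["outcome"] for r in records)
    total = len(records) or 1
    return {outcome: n / total for outcome, n in counts.items()}


def top_denial_reasons(records, n=3):
    return Counter(r.get("reason", "unspecified") for r in records if r["outcome"] == "deny").most_common(n)


def repeated_denials(records, threshold=2):
    """Sessions whose denial count reaches the threshold: an agent retrying an unsafe
    workflow, or a policy that is too strict for the task. Either way, worth a look."""
    per_session = Counter(r["session"] for r in records if r["outcome"] == "deny")
    return {session: n for session, n in per_session.items() if n >= threshold}


def high_risk_attempts(records):
    """Attempts (not just denials) of high-risk actions, keyed by agent and action."""
    return Counter((r["agent"], r["action"]) for r in records if r["action"] in HIGH_RISK_ACTIONS)


def mean_approval_latency(records):
    """Mean seconds between an approval-required decision and the human's answer."""
    waits = [r["decided_ts"] - r["ts"] for r in records
             if r["outcome"] == "approval_required" and "decided_ts" in r]
    return sum(waits) / len(waits) if waits else None


def policy_health(rates):
    """Heuristic reading of the rates; the thresholds are assumptions, tune per workflow."""
    if rates.get("deny", 0.0) == 0.0:
        return "no_denials"          # policy may be too broad to matter
    if rates["deny"] > 0.3:
        return "high_denials"        # policy too strict, or agents attempting unsafe workflows
    if rates.get("approval_required", 0.0) > 0.2:
        return "approval_heavy"      # workflow may be unusable
    return "ok"


def summarize(text):
    """Measure-function rollup for a batch of decision records."""
    records = parse_log(text)
    rates = outcome_rates(records)
    return {
        "total_calls": len(records),
        "calls_by_agent": dict(Counter(r["agent"] for r in records)),
        "rates": rates,
        "top_denial_reasons": top_denial_reasons(records),
        "repeated_denials": repeated_denials(records),
        "high_risk_attempts": {f"{agent}:{action}": n
                               for (agent, action), n in high_risk_attempts(records).items()},
        "mean_approval_latency_s": mean_approval_latency(records),
        "policy_versions": sorted({r["policy_version"] for r in records}),
        "policy_health": policy_health(rates),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Swap SAMPLE_LOG for a real export of decision logs to run it in earnest. The repeated_denials output is the session-level signal worth alerting on, and policy_health encodes the three failure modes described above (no denials, too many denials, too many approvals) as a first-pass check rather than a verdict.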

Runtime authorization also helps with testing. Red teams can attempt prompt injection, excessive agency, data exfiltration, and tool misuse scenarios. The question is not only whether the model follows the malicious instruction, but whether the runtime policy blocks the resulting action.

Manage: enforce, reduce, and respond to risk

The Manage function is about prioritizing, responding to, and reducing AI risk. Runtime authorization provides concrete response mechanisms:

  • deny unsafe tool calls
  • issue narrower credentials
  • require human approval
  • redact sensitive fields
  • block untrusted destinations
  • rate-limit high-volume access
  • revoke sessions
  • disable tools
  • update policy based on incidents

For example, suppose a support agent attempts to export all customer records after reading a malicious email. A runtime authorization system can deny the export, log the decision, alert security, and revoke the agent session. That is risk management at the moment of action.

This is stronger than relying only on post-incident detection. Detection still matters, but the goal is to prevent the agent from completing the unsafe action in the first place.

Example: AI RMF evidence for an agent runtime authorization control

A practical control statement might look like this:

AI agents that access enterprise systems must receive scoped credentials at runtime. Every sensitive tool call must be evaluated against centrally managed policy using agent identity, delegated user identity, tool, resource, action, parameters, task context, and risk signals. Decisions must be logged with policy version and outcome.

Evidence for that control could include:

  • agent inventory showing covered agents
  • policy repository or policy management screenshots
  • sample decision logs
  • approval records for high-impact actions
  • credential TTL configuration
  • denied action examples
  • incident response runbook for agent misuse
  • periodic access review records

This evidence is valuable because it ties governance intent to technical enforcement. It shows not only that the organization wrote a policy, but that the policy is applied when agents act.
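
The following Python is an added example, not code from NIST, OWASP or any product. It shows what the control statement above looks like as code and replays the support-agent scenario from the Manage section: a policy decision point evaluates each tool call on agent identity, delegated user identity, tool, resource, action, parameters, task context and a risk signal, logs every decision with the policy version, and revokes the session after a blocked exfiltration attempt. The rule set, the task-to-tool map, the user permission table, the policy version string and the untrusted_content risk signal are all assumptions.

```python
"""Runtime authorization decision point for agent tool calls.

Added example for this article; not code from NIST, OWASP or any product.
The policy rules, task-to-tool map, user permission table, policy version
string and the "untrusted_content" risk signal are assumptions chosen to
replay the support-agent scenario from the Manage section.
"""
import time
from dataclasses import dataclass, field, asdict

POLICY_VERSION = "agent-policy-v7"      # assumption: every decision records the version it was made under
BULK_EXPORT_LIMIT = 100                  # assumption: exports above this many rows count as bulk
TRUSTED_MAIL_DOMAINS = {"example.com"}   # assumption: internal mail domains
APPROVAL_ACTIONS = {"refund", "merge", "invite", "permission_change", "delete"}
# Map: which tools each expected task intent may use (assumption).
TASK_TOOLS = {"answer_support_ticket": {"crm", "email"}, "reconcile_invoice": {"billing"}}
# Govern: permissions the delegating user holds; an agent never exceeds its user (assumption).
USER_PERMISSIONS = {"alice": {"crm:read", "crm:export", "email:send"}}


@dataclass
class ToolCall:
    agent: str
    user: str        # delegated user identity
    session: str
    tool: str
    action: str
    resource: str
    task: str        # task context the agent was started with
    params: dict = field(default_factory=dict)
    risk: dict = field(default_factory=dict)   # risk signals, e.g. {"untrusted_content": True}


class PolicyEngine:
    def __init__(self):
        self.decision_log = []          # every decision, with outcome and policy version
        self.revoked_sessions = set()
        self.alerts = []

    def decide(self, call: ToolCall) -> dict:
        outcome, reason = self._evaluate(call)
        # Manage: a blocked exfiltration attempt from a session that has read untrusted
        # content revokes the whole session and alerts security, not just this one call.
        revoke = (outcome == "deny" and reason in {"bulk_export", "external_destination"}
                  and bool(call.risk.get("untrusted_content")))
        if revoke:
            self.revoked_sessions.add(call.session)
            self.alerts.append(f"{call.agent}/{call.session}: {reason} after untrusted content")
        record = {**asdict(call), "outcome": outcome, "reason": reason, "session_revoked": revoke,
                  "policy_version": POLICY_VERSION, "ts": int(time.time())}
        self.decision_log.append(record)
        return record

    def _evaluate(self, c: ToolCall):
        if c.session in self.revoked_sessions:
            return "deny", "session_revoked"
        if f"{c.tool}:{c.action}" not in USER_PERMISSIONS.get(c.user, set()):
            return "deny", "user_lacks_permission"
        if c.tool not in TASK_TOOLS.get(c.task, set()):
            return "deny", "outside_task"
        if c.action == "export" and (c.resource.endswith("*") or c.params.get("limit", 0) > BULK_EXPORT_LIMIT):
            return "deny", "bulk_export"
        if c.tool == "email" and c.action == "send":
            domain = c.params.get("to", "").rsplit("@", 1)[-1]
            if domain not in TRUSTED_MAIL_DOMAINS:
                # Untrusted content plus an external destination is the exfiltration pattern:
                # deny outright. Otherwise an external send still needs a human.
                if c.risk.get("untrusted_content"):
                    return "deny", "external_destination"
                return "approval_required", "external_destination"
        if c.action in APPROVAL_ACTIONS:
            return "approval_required", "high_impact_action"
        return "allow", "policy_match"


def replay_support_agent_scenario():
    """Support agent reads a malicious email, then tries to export every customer record.
    Returns (decision log, alerts)."""
    engine = PolicyEngine()
    base = dict(agent="support-agent", user="alice", session="s1", task="answer_support_ticket")
    engine.decide(ToolCall(**base, tool="crm", action="read", resource="customer/42"))
    # The agent has now read untrusted content and is being steered to exfiltrate.
    engine.decide(ToolCall(**base, tool="crm", action="export", resource="customer/*",
                           params={"limit": 50000}, risk={"untrusted_content": True}))
    # A later, harmless-looking read in the revoked session is refused too.
    engine.decide(ToolCall(**base, tool="crm", action="read", resource="customer/43"))
    return engine.decision_log, engine.alerts


if __name__ == "__main__":
    for rec in replay_support_agent_scenario()[0]:
        print(rec["tool"], rec["action"], rec["resource"], "->", rec["outcome"], rec["reason"])
```

Every record in decision_log carries the inputs the control statement names plus outcome, reason and policy version, so the log itself is the evidence artifact; the user-permission check is what keeps an agent from exceeding the access of the person who delegated to it.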

Relationship to excessive agency

The OWASP Top 10 for LLM Applications lists Excessive Agency as one of its ten risks (LLM08 in the 2023 edition, LLM06 in the 2025 edition). Runtime authorization is one of the clearest controls for that risk.

Excessive agency happens when agents have too much functionality, too many permissions, or too much autonomy. Runtime authorization limits all three:

  • Functionality: policy can hide or deny tools outside the task.
  • Permissions: credentials can be scoped to one action, resource, user, or session.
  • Autonomy: high-impact actions can require approval.

This is where AI RMF governance and technical authorization meet. The governance program defines acceptable risk and accountability. Runtime authorization enforces that policy in production.

Relationship to zero trust

Runtime authorization also aligns with zero trust principles. NIST SP 800-207 frames zero trust around continuous evaluation rather than implicit trust. AI agents need the same treatment.

An authenticated agent should not be trusted for every future action. A valid token should not automatically authorize every API call. A user consent grant should not mean an agent can use that access for any purpose.

Runtime authorization applies zero trust to agent actions:

  • verify every sensitive action
  • use least privilege
  • reduce standing access
  • monitor continuously
  • revoke quickly
  • log decisions for audit
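
The following Python is an added example (not from the article, from NIST SP 800-207 or from any token standard) of the credential side of this and of the "Permissions" point in the excessive agency section: a token scoped to one agent, one delegated user, one session and one action on one resource, with a short TTL, which the resource server re-verifies on every call, so a valid token authorizes only what it was issued for and a revoked session is refused before the token expires. The HMAC construction, key, TTL, claim names and prefix-scope rule are assumptions standing in for a real token service.

```python
"""Scoped, short-lived runtime credentials for agent actions.

Added example for this article, not code from NIST, any product or any token
standard. An HMAC-signed token stands in for whatever a real token service
issues; the signing key, TTL, claim names and prefix-scope rule are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"demo-issuer-key-rotate-me"   # assumption: a real issuer keeps this in a KMS/HSM
DEFAULT_TTL = 120                           # seconds; assumption: enough for one tool call


def _sign(payload: bytes) -> str:
    return hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()


def issue_credential(agent, user, session, tool, action, resource, ttl=DEFAULT_TTL, now=None):
    """Mint a credential for exactly one (tool, action, resource) on behalf of one user.
    Meant to be issued only after the policy decision point has allowed the call."""
    now = int(time.time()) if now is None else now
    claims = {"agent": agent, "user": user, "session": session, "tool": tool,
              "action": action, "resource": resource, "iat": now, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def _resource_covered(scope: str, requested: str) -> bool:
    """Exact match, or a prefix scope such as 'customer/42/*' (assumed rule)."""
    if scope.endswith("/*"):
        return requested.startswith(scope[:-1])   # keep the trailing '/'
    return scope == requested


class ResourceServer:
    """The tool or API that receives the call and re-checks the credential itself."""

    def __init__(self, tool: str):
        self.tool = tool
        self.revoked_sessions = set()   # filled when the policy engine revokes a session

    def check(self, credential: str, action: str, resource: str, now=None):
        """Return (ok, reason). A valid token authorizes only the exact scope it carries."""
        now = int(time.time()) if now is None else now
        try:
            b64, sig = credential.split(".", 1)
            payload = base64.urlsafe_b64decode(b64.encode())
        except (ValueError, binascii.Error):
            return False, "malformed"
        if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
            return False, "bad_signature"
        claims = json.loads(payload)
        if now >= claims["exp"]:
            return False, "expired"
        if claims["session"] in self.revoked_sessions:
            return False, "session_revoked"
        if claims["tool"] != self.tool or claims["action"] != action:
            return False, "scope_mismatch"
        if not _resource_covered(claims["resource"], resource):
            return False, "resource_mismatch"
        return True, f"{claims['agent']} acting for {claims['user']}"


def tamper(credential: str, **changes) -> str:
    """Rewrite claims but keep the original signature, as an attacker without the key would."""
    b64, sig = credential.split(".", 1)
    claims = json.loads(base64.urlsafe_b64decode(b64.encode()))
    claims.update(changes)
    payload = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + sig


if __name__ == "__main__":
    crm = ResourceServer("crm")
    cred = issue_credential("support-agent", "alice", "s1", "crm", "read", "customer/42", ttl=60, now=1000)
    print(crm.check(cred, "read", "customer/42", now=1010))      # allowed: exact scope
    print(crm.check(cred, "export", "customer/42", now=1010))    # scope_mismatch
    print(crm.check(tamper(cred, resource="customer/*"), "read", "customer/*", now=1010))  # bad_signature
```

The policy engine issues the credential only after it has allowed the call and pushes session revocations to the resource server, which is what makes "revoke quickly" hold even for tokens that have not yet expired. The tamper helper shows that rewriting the claims without the key yields bad_signature rather than a widened scope.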

Implementation checklist

Organizations applying the AI RMF to runtime authorization should:

  1. Inventory AI agents and agentic applications.
  2. Catalog every tool, API, data store, and credential each agent can use.
  3. Classify actions by risk: read, write, delete, export, send, merge, invite, pay, and permission change.
  4. Define policy owners and approval requirements.
  5. Replace standing credentials with runtime credential issuance where possible.
  6. Enforce policy before sensitive tool calls.
  7. Require approvals for high-impact actions.
  8. Log every decision with agent, user, tool, resource, parameters, outcome, and policy version.
  9. Monitor denial and approval patterns.
  10. Review and update policies after incidents, red-team exercises, and product changes.

FAQ

Does the NIST AI RMF require runtime authorization?

The NIST AI RMF is voluntary and does not prescribe a single runtime authorization product or architecture. But runtime authorization is a practical technical control for implementing continuous AI risk management, especially for AI agents that can use tools or access enterprise systems.

Which AI RMF functions relate to runtime authorization?

All four core functions relate to runtime authorization. Govern defines accountability and policy. Map identifies agents, tools, data, and actions. Measure monitors policy decisions and behavior. Manage blocks, scopes, escalates, and revokes risky actions.

What evidence should teams collect?

Useful evidence includes agent inventories, tool catalogs, policy versions, decision logs, credential scopes, approval records, denial reasons, exception records, and incident response actions.

How does runtime authorization reduce AI risk?

It reduces AI risk by enforcing least privilege at execution time. Instead of giving an agent broad standing access, the system checks each sensitive action and can deny, scope, approve, or log it before impact.

Is this only relevant for regulated industries?

No. Regulated industries may have stronger evidence requirements, but any organization deploying AI agents benefits from knowing what agents can do, controlling risky actions, and proving how access was governed.
