What does the NIST AI RMF Govern function require?
The NIST AI RMF Govern function requires organizations to establish a culture, policies, accountability, and oversight structure for managing AI risks. This includes integrating characteristics of trustworthy AI into organizational practices and ensuring clear roles and responsibilities for AI risk management.
Specific controls and requirements under the Govern function include:
- Legal & policy requirements mapped (NIST-GOVERN-1.1): Organizations must understand, manage, and document legal and regulatory requirements related to AI, maintaining an acceptable-use policy for AI/agent systems.
- Risk-management culture & trustworthiness goals (NIST-GOVERN-1.2): A risk-management culture should be in place, integrating characteristics of trustworthy AI such as validity, reliability, safety, security, resilience, accountability, transparency, explainability, privacy-enhancement, and fairness into organizational practices.
- Roles, responsibilities & accountability (NIST-GOVERN-2.1): Roles, responsibilities, and communication lines for AI risk must be documented and clear, with a named risk owner / accountable executive for each deployed AI/agent system.
- Oversight of human-AI configurations (NIST-GOVERN-3.2): Policies should define how humans oversee AI, including override authority and the boundary of agent autonomy, which links to OWASP LLM06/LLM08 (Excessive Agency).
- Risk-aware engineering practices (NIST-GOVERN-4.1): Organizational practices should treat AI risks as first-class engineering concerns, incorporating secure-by-design principles, threat modeling, and change control.
- Third-party / supply-chain risk policy (NIST-GOVERN-6.1): Policies must address risks from third-party models, datasets, and tools, tracking provenance, licensing, and model-update risks. This cross-maps to OWASP LLM03/LLM05 (Supply Chain Vulnerabilities).
Grounded in
- nist_ai_rmf
- iso_42001
- Designing Agentic AI Systems with the ORCHIDEAS Framework
This AI-generated answer is for guidance only — not a certification, audit, or penetration test. Grounded in the NIST AI RMF, OWASP LLM Top 10, and ISO/IEC 42001 control text; verify applicability to your environment.