| Dimension | EU AI Act | NIST AI RMF | Practical decision rule |
|---|---|---|---|
| Scope boundary | A directly applicable EU Regulation with binding obligations for covered operators, AI systems, and general-purpose AI model providers. | A voluntary risk-management framework referenced in grounding material as intended to improve trustworthiness considerations in AI design, development, use, and evaluation. | Treat AI Act compliance as the legal baseline. Use NIST AI RMF to organise risk work, but do not present RMF adoption as proof that AI Act duties are met. |
| Covered actors | Allocates duties by legal role, including provider, deployer, importer, distributor, authorised representative, product manufacturer, and GPAI model provider. | Helps assign governance, risk, technical, operational, and assurance responsibilities, but those owners do not replace AI Act operator roles. | Maintain a role matrix that shows both columns: legal operator status for the AI Act and internal RMF control owner for risk-management execution. |
| Trigger | Triggered by AI Act scope facts: placing on the EU market, putting into service, use in the Union, outputs used in the Union, operator role, AI system risk tier, or GPAI model status. | Triggered by an organisation's decision to use the RMF for AI risk management across products, services, systems, suppliers, or governance processes. | Run the AI Act scope test first. An RMF-covered system can still be minimal risk under the AI Act, and an AI Act-covered system can carry legal duties even if no RMF program exists. |
| Core obligations | Requires high-risk provider and deployer work such as risk management, dataset governance, logging, technical documentation, information for deployers, human oversight, robustness, accuracy, cybersecurity, monitoring, and serious-incident processes. | Can support those duties by defining control objectives, test plans, evaluations, risk acceptance decisions, monitoring metrics, and governance reviews. | Use RMF evidence to explain the risk method, but check completion against the AI Act artifacts and procedures required for the specific high-risk system and role. |
| Evidence record | May require technical documentation, conformity assessment, EU database registration, EU declaration of conformity, CE marking, post-market monitoring, and authority-facing records, depending on the system and role. | Produces useful risk and assurance artifacts, but RMF artifacts are not the same as AI Act conformity assessment, declaration, registration, or CE marking. | Keep an evidence crosswalk: one column for AI Act required artifacts and one column for the RMF artifacts that support the rationale, test results, and monitoring record. |
| Risk classification and RMF lifecycle use | Classifies legal risk categories such as prohibited practices, high-risk systems, transparency-risk systems, minimal-risk systems, GPAI models, and GPAI models with systemic risk. | Structures risk management around identifying context, mapping risks, measuring risks, managing risks, and governing the AI lifecycle. | Do not translate RMF risk severity into AI Act high-risk status. High-risk status depends on AI Act criteria, intended purpose, annex coverage, and legal role. |
| Enforcement | Enforced through AI Act governance, market-surveillance, national competent authority, AI Office, and Commission routes, depending on the duty and actor, including GPAI supervision by the Commission. | Assurance depends on voluntary adoption, internal policy, customer commitments, contract terms, procurement requirements, or regulator expectations outside the RMF itself. | Escalate AI Act gaps as legal compliance gaps. Escalate RMF gaps as risk-governance or assurance gaps unless a contract or policy makes them mandatory. |
| Overlap and reuse | AI Act evidence must prove the applicable legal duty: role classification, risk classification, high-risk requirements, GPAI duties, Article 50 disclosures, conformity evidence, and monitoring. | RMF evidence can support the same evidence pack by documenting context, risks, controls, tests, residual risk, monitoring, and governance decisions. | Reuse evidence only when the record names both the AI Act obligation and the RMF function it supports. If the AI Act requires a specific artifact, produce that artifact. |
| Practical decision rule | Creates GPAI model-provider obligations, including technical documentation, downstream information, copyright-policy duties, public training-content summaries, and added systemic-risk duties for qualifying models. | Can help model teams record model context, evaluations, risk treatment, downstream-use assumptions, and monitoring, but does not decide GPAI provider status or systemic-risk classification. | Keep GPAI model evidence separate from application-level RMF evidence, especially where downstream providers need information to comply with the AI Act. |