- NIST AI 600-1 was published on 26 July 2024 as a companion profile to AI RMF 1.0 (NIST AI 100-1), adapting the four-function framework to the specific characteristics of generative AI systems and autonomous agents.
- The profile names twelve distinct GenAI risk categories: CBRN Information or Capabilities, Confabulation, Dangerous or Violent or Hateful Content, Data Privacy, Environmental Impacts, Harmful Bias and Homogenisation, Human-AI Configuration, Information Integrity, Information Security, Intellectual Property, Obscene or Degrading or Abusive Content, and Value Chain and Component Integration.
- More than 200 suggested voluntary actions are organised across the Govern, Map, Measure, and Manage functions, each tagged with applicability to specific AI actor types (developer, deployer, or user).
- The profile is voluntary but cited in US federal procurement requirements, Colorado SB 24-205 safe harbour provisions, and Executive Order 14110, producing a de facto obligation for operators with US-facing exposure.
- The profile applies explicitly to both foundation model providers and application-level deployers, with suggested actions differentiated by actor type and role in the value chain.
- For European operators, alignment with NIST AI 600-1 produces most of the technical evidence that EU AI Act Articles 9, 14, 15, and 26 require at the system level, though the profile does not create compliance under EU law.
- The profile has become a de facto underwriting reference: insurers treating AI risk in 2026 use its twelve risk categories as a baseline questionnaire structure, and operators who cannot demonstrate per-risk documented posture face coverage pricing difficulties.
What NIST AI 600-1 actually is
NIST AI 600-1, formally titled "Artificial Intelligence Risk Management Framework: Generative Artificial Intelligence Profile," was published by the National Institute of Standards and Technology on 26 July 2024, mandated by Executive Order 14110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence. It is a companion document to NIST AI 100-1, the AI Risk Management Framework published in January 2023, not a replacement for it.1
The distinction matters. AI RMF 1.0 is a horizontal framework applicable to any AI system, organised around four functions and approximately seventy subcategories. It is deliberately technology-agnostic. NIST AI 600-1 occupies a different register: it takes the same four-function structure and extends it with risk categories, suggested actions, and evaluation approaches specific to generative AI, including the large language models and autonomous agent systems that the 2023 core document did not address directly. The result is a framework that can be implemented alongside AI RMF 1.0 rather than in place of it, with the GenAI Profile filling the gap between the generic risk vocabulary and the operational characteristics of generative systems in production.
The profile was developed through a public comment process. An initial public draft was released in March 2024 and attracted comments from technology companies, healthcare organisations, civil society groups, and international standards bodies. The July 2024 final version incorporated those comments, producing a document with notably more precise language on agentic systems, value chain accountability, and the distinction between in-context and upstream mitigations than the initial draft contained.
NIST frames the profile as voluntary. The document is explicit that it is neither a regulation nor a certification programme and that adoption of suggested actions should be calibrated to organisational context. But the practical trajectory of voluntary standards in AI governance is clear: voluntary frameworks cited in executive orders, federal procurement, and state statutes acquire operational weight that the word "voluntary" does not fully convey. The AI RMF went through this process from 2023 onward. The GenAI Profile is following the same path.2
The twelve GenAI risks decoded
NIST AI 600-1 identifies twelve risk categories that are either unique to generative AI systems or significantly exacerbated by their probabilistic, generative, and often autonomous nature. Each is a named category with a definition, a discussion of how it manifests in practice, and suggested actions across the four RMF functions. The categories are listed in alphabetical order in the profile, which reflects a deliberate choice to avoid implying that any one risk is categorically more important than another.
CBRN Information or Capabilities
Generative systems can provide information or step-by-step guidance related to chemical, biological, radiological, or nuclear weapons and other dangerous materials, at a level of detail and accessibility that prior information systems did not enable. The risk is not only that the system contains such information but that it can synthesise, explain, and operationalise it on demand in response to natural language prompts. NIST addresses this through content moderation at training and inference, red-teaming specifically for CBRN uplift, and restricted deployment contexts for systems capable of technical depth in these areas.3
Confabulation
Confabulation, also referred to as hallucination, is the generation of plausible but factually incorrect content by a generative system, presented with the same linguistic confidence as accurate content. It is distinct from the known-error failure modes of classical systems because the system has no internal signal of its own inaccuracy. NIST treats confabulation as a distinct named risk because it is a failure mode with no equivalent in classical ML or rule-based systems, and because acting on a confabulated output in healthcare, legal research, financial analysis, or autonomous agent task execution can cause direct harm that a human reviewer could not have detected without prior independent verification.4
Dangerous, Violent, or Hateful Content
Generative systems can produce content that incites violence, radicalises users, facilitates illegal activities, or constitutes hate speech against protected groups. The risk is amplified relative to prior content moderation challenges because generative systems produce novel content rather than redistributing catalogued material, making detection harder. The profile calls for training-time filtering, inference-time classifiers, red-teaming for adversarial prompting, and documented policies on acceptable content categories for each deployment context.5
Data Privacy
Generative systems trained on large corpora may have memorised sensitive personal data, including biometric identifiers, health records, location data, and other personally identifiable information, and may reproduce it in outputs under certain prompting conditions. Retrieval-augmented systems introduce additional privacy surface by querying databases containing sensitive records at inference time. The risk includes both unintentional disclosure and deliberate extraction attacks. NIST connects this risk to differential privacy techniques, data minimisation at training, and runtime access controls for retrieval systems.6
Environmental Impacts
Training, evaluating, and operating large generative models is resource-intensive. The compute and energy requirements for foundation model training are orders of magnitude larger than those for classical ML, and inference at scale is a persistent operational cost. NIST names this as a standalone risk category, calling for transparency in reporting compute and energy use, consideration of model efficiency in procurement decisions, and lifecycle assessment of environmental footprint.7
Harmful Bias and Homogenisation
Generative systems trained on large corpora can perpetuate, amplify, or introduce unfair representations and associations related to protected characteristics. The homogenisation dimension captures a distinct concern: when large-scale deployment of a small number of foundation models reduces the diversity of outputs and perspectives across information ecosystems, eroding the variation that allows factual errors and biases to be detected and corrected through comparison. Operators are asked to evaluate bias across demographic dimensions before deployment and to monitor for distributional shift during operation.8
Human-AI Configuration
Human-AI configuration addresses the varying degrees of automation and human involvement across different deployment architectures, and the risks that arise from each configuration. An agent operating with minimal human-in-the-loop involvement has a fundamentally different risk profile than one requiring human confirmation at each step. NIST introduces this as a named risk category to capture the finding that the configuration itself is a risk variable, not merely a design choice, and that operators must explicitly define and document the autonomy envelope of each deployed system, including the conditions that trigger escalation and the mechanisms that allow revocation or rollback.9
Information Integrity
Information integrity captures the risk that generative systems contribute to the degradation of public information quality by producing plausible false content at scale, enabling the automated generation of disinformation, synthetic media, and misleading narratives. The risk operates at the level of the information ecosystem rather than the individual output. NIST calls for content provenance infrastructure, watermarking or labelling of AI-generated content, and transparency to users about the AI origin of outputs. This risk category is directly relevant to any operator whose deployed system interacts with public information surfaces or produces content distributed to third parties.10
Information Security
Generative systems introduce attack surfaces that classical systems do not present. Prompt injection allows an attacker to manipulate a system's behaviour by embedding adversarial instructions in input data. Data poisoning attacks can corrupt model outputs at training time. Model extraction and inversion attacks can expose proprietary model parameters or training data. Jailbreaking techniques attempt to bypass content policies at inference time. NIST addresses these through adversarial testing, secure development practices, and runtime monitoring for anomalous behaviour.11
Intellectual Property
Training on copyrighted material without licence and reproducing protected content in outputs raises intellectual property risks for both providers and deployers. The legal landscape is actively contested in multiple jurisdictions as of 2026, with litigation and legislative action ongoing in the United States, European Union, and United Kingdom. NIST names intellectual property as a standalone risk and calls for transparency in training data sourcing, legal review of training data composition, and output filters for reproduction of recognisable copyrighted material.12
Obscene, Degrading, or Abusive Content
Generative systems can produce non-consensual intimate imagery, child sexual abuse material, and other categories of deeply harmful content if not controlled at training and inference. NIST treats this category as distinct from the broader dangerous content risk because of its severity and the specific regulatory and legal obligations it attracts. The profile calls for absolute content filters, regular red-teaming specifically for this risk category, and documented audit trails of filter performance.
Value Chain and Component Integration
A deployer who builds an application on a foundation model they did not train cannot fully characterise the risks embedded in that model's training data, fine-tuning, safety filtering, or alignment approach. Third-party plugins, retrieval systems, tool call endpoints, and other integrated components each introduce additional risk surface that the deployer may not have visibility into. NIST names this as a distinct risk category to establish that responsible deployment requires documented understanding of the full value chain, contractual or technical controls on third-party components, and ongoing monitoring that spans the full system rather than only the application layer the deployer controls.13
How the four functions adapt for generative AI
NIST AI 600-1 retains the four-function structure of AI RMF 1.0 without modification to the function definitions, but adds GenAI-specific subcategories and suggested actions within each function. The additions are cumulative, not substitutive: an operator implementing the GenAI Profile should treat AI RMF 1.0's approximately seventy outcomes as the baseline and the GenAI Profile's additions as a layer applied on top.
Govern
The Govern function in the base RMF establishes organisational culture, policies, processes, and accountability structures for AI risk management. In the GenAI Profile, Govern gains specific requirements for GenAI use policies that address permitted and prohibited use cases for generative systems, red-teaming requirements including periodic adversarial testing against the twelve named risk categories, and incident disclosure protocols specific to emergent GenAI harms. Govern also addresses the selection and oversight of foundation model providers, framing this as a governance decision with documented rationale rather than a procurement formality. The GenAI Govern function produces the policies and accountability structures within which all downstream risk management activity operates.14
Map
The Map function establishes context: who uses the system, what it is used for, what harms could arise, and what benefits are expected. The GenAI Profile extends Map with requirements for documenting the provenance and scope of the foundation model being used, including known limitations, training data characteristics, alignment approach, and the provider's own safety documentation. For agentic systems, Map must also document the autonomy configuration explicitly, specifying which actions the system may take without human confirmation, which trigger escalation, and under what conditions the system operates. The Map artefact for a GenAI deployment is materially more complex than for a classical ML system precisely because the system's behaviour cannot be fully specified in advance.15
Measure
The Measure function applies quantitative and qualitative evaluation to mapped risks and tracks them over time. The GenAI Profile adds specific measurement requirements that have no counterpart in classical AI evaluation: confabulation rate testing across topic domains, bias evaluation across demographic groups and output styles, content moderation classifier performance metrics, environmental footprint reporting, and adversarial robustness assessments covering the information security risk category. For autonomous agents, Measure must also include evaluation of the human-AI configuration against its documented autonomy envelope, confirming that the system actually escalates under the conditions specified in the Map artefact. The Measure function is where the twelve risks translate from named categories into testable claims about a specific deployed system.16
Manage
The Manage function prioritises risks, selects and implements responses, and monitors their effectiveness. The GenAI Profile adds specific Manage actions for GenAI: content provenance infrastructure that allows outputs to be traced to the system that produced them, incident response procedures for emergent harms including rapid content filter updates and communication to affected users, and mechanisms for users to report outputs they believe to be harmful or incorrect. For autonomous agents, Manage must include operational procedures for human takeover when the system operates outside its intended parameters, and documented rollback or revocation mechanisms. The Manage function closes the loop between identified risk and operational response, and its adequacy is what differentiates paper governance from functional governance under the profile.17
The five risks most operationally critical for autonomous agent operators
All twelve GenAI risks require attention. But for operators of autonomous agents specifically, five of the twelve represent the categories where inadequate documentation is most likely to create legal exposure, insurance coverage difficulty, or operational failure in production.
Confabulation is the first. An autonomous agent that confabulates in the course of a task produces downstream actions based on false premises. Unlike a human-facing chatbot, where the human can disagree with an incorrect output, an agent's confabulated intermediate reasoning propagates forward through subsequent steps without a human check. The operator who cannot demonstrate a confabulation rate measurement, a domain-specific evaluation, and a response procedure for confabulation-driven incidents is in a weak position when the downstream action produces a harm.
Human-AI configuration is the second. An autonomous agent by definition operates with reduced human oversight relative to a system requiring confirmation at each step. The autonomy envelope of the deployed agent, meaning the documented boundary between what it may do unilaterally and what requires human confirmation, is the primary control on operational risk for agentic systems. NIST AI 600-1 names human-AI configuration as a risk category precisely because the configuration itself is a governance decision, not merely a technical one, and because deployers often underspecify the boundary and overestimate the reliability of their exception logic.
Information integrity is the third. An agent that interacts with external information sources, produces outputs distributed to third parties, or operates in a context where its outputs influence decisions affecting real people is a participant in the information ecosystem that NIST's information integrity risk addresses. For enterprise agents that generate correspondence, analysis, or recommendations, the operator's documentation of content provenance and output labelling practices is the relevant evidence under this risk category.
Information security is the fourth. Prompt injection is the attack surface most specific to agentic systems. An agent that retrieves content from external sources, processes user inputs, or calls tools whose outputs it then reasons over is exposed to prompt injection attacks that can redirect its behaviour, exfiltrate data, or trigger unintended actions. NIST AI 600-1's suggested actions under information security include adversarial testing for prompt injection, input sanitisation procedures, and monitoring for anomalous task sequences. Operators who have not tested their deployed agents for prompt injection vulnerability are not aligned with the profile's Manage function on this risk.
Value chain and component integration is the fifth. Most enterprise agent deployments are not built on models the deployer trained. The deployer uses a foundation model, an orchestration framework, a retrieval system, and often third-party tool endpoints. Each introduces risk surface the deployer did not create and may not fully understand. The profile's call for documented understanding of the value chain, provider due diligence, and contractual controls on third-party components is the Manage-function response to this structural reality. Operators who cannot describe the safety and alignment properties of the foundation model they deploy are not positioned to demonstrate value chain integrity under the profile.
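An added example, not taken from NIST AI 600-1 or from this article, of the autonomy envelope discussed under human-AI configuration above: the envelope is held as data and enforced with default deny, and a replay function checks a recorded action trace against it to confirm the agent actually escalated. The action names, the refund ceiling and the trace are constructed for illustration.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(Enum):
    ALLOW = "allow"        # may run without human confirmation
    ESCALATE = "escalate"  # requires human approval before it runs
    DENY = "deny"          # outside the agent's permitted scope


@dataclass(frozen=True)
class Rule:
    action: str                         # action category the agent can request
    decision: Decision
    max_amount: Optional[float] = None  # above this ceiling, ALLOW becomes ESCALATE


# Constructed envelope for a hypothetical accounts-payable agent.
ENVELOPE = {
    r.action: r
    for r in [
        Rule("read_invoice", Decision.ALLOW),
        Rule("draft_email", Decision.ALLOW),
        Rule("send_email", Decision.ESCALATE),
        Rule("issue_refund", Decision.ALLOW, max_amount=100.0),
        Rule("delete_record", Decision.DENY),
    ]
}


def decide(action, amount=0.0, envelope=ENVELOPE):
    """Return the envelope decision for one proposed action."""
    # Malformed amounts must not slip past the ceiling comparison.
    if not math.isfinite(amount) or amount < 0:
        return Decision.DENY
    rule = envelope.get(action)
    if rule is None:
        # Default deny: an action the envelope never named is out of scope.
        return Decision.DENY
    if (rule.decision is Decision.ALLOW
            and rule.max_amount is not None
            and amount > rule.max_amount):
        return Decision.ESCALATE
    return rule.decision


def audit_trace(trace, envelope=ENVELOPE):
    """Replay a recorded trace and list every executed step that broke the envelope.

    Each event is a dict with "action", "executed", and optionally
    "amount" and "approved_by" (name of the approving human, or None).
    """
    violations = []
    for index, event in enumerate(trace):
        if not event["executed"]:
            continue  # a blocked or abandoned step cannot violate the envelope
        decision = decide(event["action"], event.get("amount", 0.0), envelope)
        if decision is Decision.DENY:
            violations.append((index, event["action"], "executed out-of-scope action"))
        elif decision is Decision.ESCALATE and not event.get("approved_by"):
            violations.append((index, event["action"], "executed without required approval"))
    return violations


# Constructed trace, as it might be exported from an agent's action log.
SAMPLE_TRACE = [
    {"action": "read_invoice", "executed": True},
    {"action": "issue_refund", "amount": 40.0, "executed": True},
    {"action": "issue_refund", "amount": 450.0, "executed": True, "approved_by": None},
    {"action": "send_email", "executed": True, "approved_by": "j.doe"},
    {"action": "export_customer_db", "executed": True},
    {"action": "delete_record", "executed": False},
]

if __name__ == "__main__":
    for violation in audit_trace(SAMPLE_TRACE):
        print(violation)
```

Running the replay on each measurement cycle turns the documented envelope into a testable claim: an empty result is evidence that the escalation logic held for that period.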
Suggested actions per risk: selected examples from NIST AI 600-1
NIST AI 600-1 provides more than 200 suggested actions organised by function and risk category. The following examples illustrate the practical register of the profile's recommendations and are drawn from the published document.18
Under Govern for confabulation: establish organisational policies specifying the use cases in which confabulation risk is acceptable and those in which it is not, with documented rationale. Ensure that users of GenAI outputs in high-stakes domains receive training on the possibility of confabulation and on verification procedures before acting on GenAI-generated information.
Under Map for human-AI configuration: document the intended autonomy level of each deployed agent, specifying which action categories may be taken without human confirmation, which require approval, and which are outside the agent's permitted scope regardless of the task. Map this documentation to the stakeholders affected by each action category.
Under Measure for information security: conduct red-teaming exercises specifically targeting prompt injection and jailbreaking vulnerabilities at least quarterly for externally accessible systems. Document the methodology, the prompts used, and the results. Track remediation of identified vulnerabilities against a defined timeline.
Under Manage for value chain and component integration: establish a third-party AI component register documenting each foundation model, plugin, and tool endpoint used in production systems, the provider's documented safety practices, and the deployer's assessment of residual risk. Review and update the register at defined intervals or when a component changes.
Under Govern for information integrity: implement content provenance mechanisms, including metadata or watermarking, for AI-generated content distributed to third parties or published externally. Ensure that human reviewers receiving AI-generated draft content are informed of its AI origin before review and use.
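An added example, not taken from NIST AI 600-1 or from this article, of the third-party AI component register suggested under Manage above: it compares the register with what is actually deployed and flags components that are unregistered, changed since their last review, or past their review interval. Component names, providers, versions and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class RegisterEntry:
    name: str                  # identifier used in deployment manifests
    kind: str                  # "foundation_model", "plugin" or "tool_endpoint"
    provider: str
    reviewed_version: str      # version the residual-risk assessment covered
    last_reviewed: date
    review_interval_days: int  # the "defined interval" for this component


def register_findings(register, deployed, today):
    """Compare the register with the production inventory.

    `deployed` maps component name -> version running in production.
    Returns a sorted list of (component, finding) tuples.
    """
    findings = []
    by_name = {entry.name: entry for entry in register}

    for name, version in deployed.items():
        entry = by_name.get(name)
        if entry is None:
            # In production with no assessment on record at all.
            findings.append((name, "unregistered"))
            continue
        if version != entry.reviewed_version:
            # The assessment describes a different version than the one running.
            findings.append((name, "changed since review"))
        if today - entry.last_reviewed > timedelta(days=entry.review_interval_days):
            findings.append((name, "review overdue"))

    # Stale entries make the register unreliable as evidence.
    for name in by_name.keys() - deployed.keys():
        findings.append((name, "registered but not deployed"))

    return sorted(findings)


# Constructed register and production inventory.
REGISTER = [
    RegisterEntry("example-llm", "foundation_model", "Provider A",
                  "2025-06", date(2026, 1, 10), 90),
    RegisterEntry("pdf-extract-plugin", "plugin", "Provider B",
                  "1.4.2", date(2025, 9, 1), 90),
    RegisterEntry("crm-lookup", "tool_endpoint", "internal",
                  "v3", date(2026, 2, 1), 180),
    RegisterEntry("legacy-summariser", "plugin", "Provider C",
                  "0.9", date(2025, 12, 1), 90),
]

DEPLOYED = {
    "example-llm": "2025-11",        # provider shipped a new model version
    "pdf-extract-plugin": "1.4.2",
    "crm-lookup": "v3",
    "web-search-tool": "2.0",        # added by a team without a register entry
}

TODAY = date(2026, 3, 1)  # fixed so the result is reproducible

if __name__ == "__main__":
    for component, finding in register_findings(REGISTER, DEPLOYED, TODAY):
        print(f"{component}: {finding}")
```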
How NIST AI 600-1 maps to ISO/IEC 42001 and the EU AI Act
The three instruments address overlapping terrain from different angles. The mapping below is operational rather than theoretical: it describes where evidence produced for one instrument is directly usable for another, and where gaps remain.
| NIST AI 600-1 area | ISO/IEC 42001 clause or control | EU AI Act article |
|---|---|---|
| Govern: GenAI use policy and role accountability | Clause 5 (Leadership), A.2 (AI policies), A.3 (Internal organisation) | Article 17 (Quality management), Article 26(2) (Oversight role assignment) |
| Govern: Red-teaming and risk tolerance documentation | Clause 6 (Planning), A.4 (AI risk management) | Article 9 (Risk management system) |
| Map: Foundation model provenance and limitation documentation | A.6 (AI system lifecycle), A.8 (Third party relationships) | Article 11 (Technical documentation), Annex IV |
| Map: Autonomy envelope documentation for agentic systems | A.3 (Internal organisation), A.9 (AI system use) | Article 14 (Human oversight) |
| Measure: Confabulation rate and bias evaluation | Clause 9 (Performance evaluation), A.6 (Lifecycle testing) | Article 15 (Accuracy, robustness, cybersecurity) |
| Measure: Adversarial testing (prompt injection, jailbreak) | A.4 (Risk management), A.6 (Lifecycle testing) | Article 15 (Cybersecurity), Article 9 (Risk management) |
| Manage: Incident response and emergent harm procedures | Clause 10 (Improvement), A.9 (AI system use) | Article 26(5) (Post-market monitoring), Article 73 (Serious incident reporting) |
| Manage: Value chain register and third-party controls | A.8 (Third party and customer relationships) | Article 26(1)(f) (Checking technical documentation), Article 28 (Obligations for distributors) |
| Data Privacy risk category | A.7 (Data for AI systems) | Article 10 (Data and data governance) |
| Information Integrity: content provenance | A.10 (Documentation and evidence) | Article 13 (Transparency to users) |
Three gaps in the crosswalk are worth noting. First, NIST AI 600-1 does not produce a conformity assessment artefact. EU AI Act Articles 43 and 44 require conformity assessment procedures for high-risk systems that neither the GenAI Profile nor ISO 42001 alone satisfies. Second, the Environmental Impacts risk in the GenAI Profile has no current direct counterpart in ISO 42001 Annex A, though organisational environmental management systems may address it tangentially. Third, the Intellectual Property risk category addresses legal terrain that the EU AI Act's AI-specific articles do not cover directly, though the AI Act's interaction with copyright law (including the text and data mining provisions of Directive 2019/790) is separately relevant.
How insurers and certifiers read NIST AI 600-1 alignment
For an operator of an autonomous agent approaching an insurer or a certification body in 2026, the NIST AI 600-1 profile functions as an implicit questionnaire. The twelve risk categories are the twelve questions. The suggested actions are the control evidence the underwriter or assessor is looking for. An operator who can demonstrate documented attention to all twelve, with evidence mapped to function and actor role, presents a materially stronger risk profile than one who cannot.
In practice, insurers specialising in AI risk have structured their pre-bind questionnaires around the GenAI Profile's risk taxonomy, whether or not they cite it by name. The questions align: does the operator measure confabulation rates? Is the autonomy envelope of the deployed agent documented and tested? Is there a prompt injection adversarial testing programme? Is the third-party value chain documented? Can the operator show incident response procedures for emergent harms? These are GenAI Profile questions in everything but name.
The coverage implication is direct. An operator who has implemented the GenAI Profile's Govern and Manage functions in full, and who can produce the evidence those functions call for, is providing the insurer with a documented risk posture that allows the risk to be priced. An operator who cannot demonstrate this posture is asking the insurer to price an undocumented risk, which either produces a punitive premium or a decline. The voluntary nature of the profile does not change this dynamic.
For Agent Certified assessments, the GenAI Profile's twelve risk categories map directly onto the certification framework's seven dimensions, with particular weight on Trust and Safety (confabulation, dangerous content, information security), Context Integrity (information integrity, data privacy, value chain), the Autonomy Envelope (human-AI configuration), and Governance (the Govern function's policy and accountability requirements). An operator that has aligned with the GenAI Profile will find that the evidence it has produced is directly usable in a formal Agent Certified assessment. The assessment adds the agent-specific technical layer and the certification artefact; the GenAI Profile provides the risk vocabulary the assessment builds on.19
Implementation patterns for operators
Three patterns appear repeatedly in organisations that have successfully operationalised the GenAI Profile, and three failure modes appear in those that have not.
The first successful pattern is risk-first inventory. Before attempting to implement suggested actions, the operator conducts a mapping exercise across the twelve risk categories for each deployed or planned GenAI system. For each risk category, the operator asks: does this risk apply to our deployment context? At what level? What evidence currently exists about our exposure? The inventory output is a risk register per system, structured around the twelve categories, that becomes the anchor for all subsequent governance, measurement, and management work. This pattern produces a documented starting point that subsequent implementation can be assessed against.
The second successful pattern is actor-role-scoped action selection. The GenAI Profile's more than 200 suggested actions are not all applicable to every organisation. The profile differentiates by actor type: some actions apply to foundation model developers, others to deployers, others to end users. Operators who attempt to implement every suggested action without scoping to their actor role produce an unworkable compliance burden. Operators who first map their position in the value chain and then filter the suggested actions to those applicable to their role produce a tractable programme that can be resourced and tracked.
The third successful pattern is continuous measurement cadence. The GenAI Profile's Measure function is not a one-time exercise. Generative systems exhibit distributional shift: their behaviour in production diverges over time from their behaviour at evaluation, because inputs, context, and usage patterns evolve. Operators who establish a quarterly or more frequent measurement cadence, covering confabulation rate testing, bias evaluation, and adversarial testing, produce the longitudinal evidence that both insurers and regulators find credible. Operators who run a single evaluation at procurement and consider the Measure function satisfied are not implementing the profile; they are producing a static document that will contradict operational reality within months.
The first common failure mode is policy-without-artefact. An organisation adopts an AI use policy that references the GenAI Profile and updates its governance documentation, but does not produce the per-system artefacts the Map function requires, the evaluation records the Measure function requires, or the incident response procedures the Manage function requires. The policy looks defensible from the outside. It does not survive an evidence request.
The second failure mode is scope creep without resource. Organisations that attempt to implement the full GenAI Profile for all deployed AI systems simultaneously, without prioritising by risk exposure or actor role, consistently find the programme stalling after the initial governance layer. The recommended approach is to start with the highest-exposure deployment, implement the full profile against that system, and use the resulting artefact pattern as a template for subsequent systems.
The third failure mode is treating the profile as a one-time project with a completion date. The GenAI Profile is an operational programme, not a project. It requires a named owner, a recurring measurement schedule, a defined review frequency for the value chain register, and an incident response capability that is actually exercised rather than documented in theory. Organisations that treat it as a project discover at the next audit or underwriting conversation that their posture has decayed since the initial implementation.
Further reading
- For the comparison between NIST AI 600-1, ISO/IEC 42001, and the EU AI Act in a single framework view, see NIST AI RMF, ISO 42001 and the EU AI Act: what operators actually need.
- For a clause-by-clause guide to ISO/IEC 42001 implementation, including the Annex A control mappings most relevant to GenAI deployment, see Implementing ISO/IEC 42001 as an AI management system.
- For the analysis of why generative agent behaviour requires continuous rather than point-in-time certification, see Certifying generative AI agents: why dynamic behaviour breaks traditional software audits.
- For the seven dimensions of the Agent Certified framework and how they connect to the GenAI Profile's risk categories, see The seven dimensions of AI agent certification explained.
- For the insurance underwriting bridge between certification evidence and coverage, see How AI certification connects to insurance underwriting.
- For the full Agent Certified methodology, including scoring rubric and applicability guidance, see the methodology reference.