NIST AI RMF

AI Risk Management Framework overview

A plain-language guide to the NIST AI RMF: what it is, who it is for, why it matters, and how to use it to ship a safer Medicare AI agent. This is the method we apply inside the Feasibility & Viability rubric — not a standalone framework choice.

In plain English

What is the AI RMF?

The AI Risk Management Framework (AI RMF) is a free, voluntary guide published by the U.S. National Institute of Standards and Technology (NIST). It helps organizations build and run AI systems that are trustworthy, safe, and explainable. It does not dictate a single checklist. Instead, it gives a common lifecycle to follow: set the rules, understand the system, prove it works, and keep it safe over time.

For Crinkle Health, the AI RMF is a useful spine because it gives our leadership, legal, compliance, and engineering teams a shared language for deciding what is ready for production and what still needs work.

Who is it for?

Any team building or deploying AI that affects real people. For us, that means Product, Engineering, Legal, Compliance, Model Risk, Member Experience, and Operations.

Why use it?

It helps you catch risks early, prove you are taking responsibility, and speak the same language as regulators and enterprise partners. It also turns vague worry into concrete questions and evidence.

How do you use it?

Work through the four stages in order, but keep cycling back. Decide what good looks like, map the real system, measure against your standards, and keep managing the AI after launch.

Why this matters for the Crinkle Health AI agent

Our AI agent helps members choose Medicare coverage, which touches health information, regulated benefits, and real money. If the AI gives wrong or confusing advice, the impact is serious. The AI RMF helps us show that we have thought through the risks, tested the system, and put people and processes in place to keep it safe as we scale.

Govern

Decide the rules before the AI goes live

Govern is where you decide what 'safe' looks like for your AI. You name who is responsible, write the policies, and set the limits the AI must stay inside. Think of it as the operating agreement for the team and the technology before anything is released to members.

What you do

  • Decide how risky this AI is based on who uses it and what decisions it influences
  • Assign clear owners: Legal, Compliance, Product, Engineering, and Operations
  • Write down the rules for voice, privacy, accessibility, human oversight, and incident response
  • Set acceptable error limits and require approval before changing the AI

Key questions

  • Q.Who is accountable when the AI gives bad advice?
  • Q.What error rate is acceptable for a member-facing recommendation?
  • Q.Which decisions require a human in the loop?

Map

Understand exactly what the AI will and won't do

Map is where you draw the picture of how the AI fits into the real world. Who will talk to it? What data does it use? Which other systems does it call? Most importantly, where do you draw the line and say the AI should not answer that question?

What you do

  • Write down what the AI is allowed to help with and what it must refuse
  • Map the member and caregiver journey, including where a human should take over
  • List every system the AI connects to and what data it exchanges
  • Mark where personal information, consent, and regulated content appear

Key questions

  • Q.Where does the AI's answer come from?
  • Q.What must the AI refuse to answer?
  • Q.What happens when an upstream system is down or stale?

Measure

Prove the AI works safely before and after launch

Measure is where the rules from Govern become proof. You run tests, talk to real users, and check that the AI meets the standards you set. It is not one test; it is a continuous way of showing the AI is accurate, fair, fast enough, and compliant.

What you do

  • Test recommendations against known correct answers and check for made-up information
  • Run comprehension and accessibility research with real members and caregivers
  • Test integrations, failure modes, and response-time commitments
  • Validate compliance checkpoints such as marketing review, consent, and audit logs

Key questions

  • Q.How do we know the answer is correct?
  • Q.Do members understand what the AI is recommending?
  • Q.Have we tested the worst-case scenarios, not just the happy path?

Manage

Keep watching and fixing the AI after it is live

Manage is the ongoing work of keeping the AI inside its safe boundaries. You monitor performance, listen to complaints, and have a plan for when something goes wrong. As the product, data, and regulations change, the AI is kept up to date or retired if it no longer meets the standard.

What you do

  • Watch for changes in behavior, error rates, and member complaints in production
  • Keep human handoff, escalation, and override paths working and documented
  • Review every prompt, model, or policy change before it goes live
  • Keep audit trails and runbooks for incidents and model replacement

Key questions

  • Q.How do we detect when behavior degrades?
  • Q.What is the path from a member complaint to a model fix?
  • Q.When and how do we retire or swap a model?

How to use this framework in practice

The AI RMF is not a one-and-done audit. It is a loop. Here is how a team like ours can put it to work.

1

Start with Govern

Decide what 'safe' means, name the owners, and publish the rules before you build or release anything.

2

Map the system

Draw the real member journey, data flows, and integrations. Be explicit about what the AI should not do.

3

Measure against your rules

Run tests, talk to users, and collect evidence. Use the rubric to track what is validated and what is still blocked.

4

Manage after launch

Monitor, respond to incidents, and review changes. When the model or product changes, cycle back through the loop.

NIST resources

These are the official sources for everything above. If you want to go deeper, start with the AIRC hub.