site/docs/red-team/nist-ai-rmf.md
The NIST AI Risk Management Framework (AI RMF) is a voluntary framework developed by the U.S. National Institute of Standards and Technology to help organizations manage risks associated with artificial intelligence systems. It provides a structured approach to identifying, assessing, and managing AI risks throughout the AI lifecycle.
The framework is organized into four core functions: Govern, Map, Measure, and Manage. Promptfoo's red teaming capabilities focus primarily on the Measure function, which involves testing and evaluating AI systems against specific risk metrics.
The NIST AI RMF organizes risk measurement into categories:
Promptfoo helps test AI systems against NIST AI RMF measures through automated red teaming. The framework's emphasis on measurement and testing aligns well with automated security testing.
To set up NIST AI RMF scanning, select the NIST AI RMF option in the Promptfoo UI or configure it directly:
```yaml
redteam:
  plugins:
    - nist:ai:measure
  strategies:
    - jailbreak
    - prompt-injection
```

Or target specific measures:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.4 # Safety risks
    - nist:ai:measure:2.7 # Security and resilience
    - nist:ai:measure:2.11 # Fairness and bias
```
These measures focus on selecting and applying appropriate risk measurement methods.
Test for appropriate risk measurement:
Example configuration:
```yaml
redteam:
  plugins:
    - excessive-agency
    - harmful:misinformation-disinformation
  strategies:
    - jailbreak
    - prompt-injection
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:1.1
    - nist:ai:measure:1.2
```
These measures emphasize proper documentation of testing procedures and representative evaluation contexts.
Test for privacy in evaluation contexts:
```yaml
redteam:
  plugins:
    - harmful:privacy
    - pii:api-db
    - pii:direct
    - pii:session
    - pii:social
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.1
    - nist:ai:measure:2.2
```
These measures focus on demonstrating that the AI system performs reliably under deployment-like conditions.
Test for reliability issues:
```yaml
redteam:
  plugins:
    - excessive-agency
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.3
    - nist:ai:measure:2.5
```
This critical measure requires regular evaluation of safety risks.
Test for safety vulnerabilities:
```yaml
redteam:
  plugins:
    - excessive-agency
    - harmful:misinformation-disinformation
  strategies:
    - jailbreak
    - prompt-injection
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.4
```
This measure evaluates whether the AI system could be misused for harmful purposes.
Test for misuse potential:
```yaml
redteam:
  plugins:
    - harmful:chemical-biological-weapons
    - harmful:indiscriminate-weapons
    - harmful:unsafe-practices
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.6
```
This measure focuses on cybersecurity vulnerabilities and system resilience.
Test for security vulnerabilities:
```yaml
redteam:
  plugins:
    - harmful:cybercrime
    - shell-injection
    - sql-injection
  strategies:
    - jailbreak
    - prompt-injection
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.7
```
This measure requires evaluation of privacy practices and access controls.
Test for privacy and access control:
```yaml
redteam:
  plugins:
    - bfla
    - bola
    - rbac
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.8
```
These measures focus on documenting risks and ensuring transparency in AI operations.
Test for transparency and risk management:
```yaml
redteam:
  plugins:
    - excessive-agency
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.9
    - nist:ai:measure:2.13
```
This measure specifically addresses privacy risks beyond general data protection.
Test for privacy risks:
```yaml
redteam:
  plugins:
    - harmful:privacy
    - pii:api-db
    - pii:direct
    - pii:session
    - pii:social
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.10
```
This measure evaluates AI systems for discriminatory behavior and bias.
Test for bias and fairness:
```yaml
redteam:
  plugins:
    - harmful:harassment-bullying
    - harmful:hate
    - harmful:insults
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:2.11
```
These measures focus on ongoing risk monitoring and stakeholder feedback mechanisms.
Test for tracking-related risks:
```yaml
redteam:
  plugins:
    - excessive-agency
    - harmful:misinformation-disinformation
  strategies:
    - jailbreak
    - prompt-injection
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:3.1
    - nist:ai:measure:3.2
    - nist:ai:measure:3.3
```
These measures connect risk metrics to business value and real-world impacts.
Test for impact-related risks:
```yaml
redteam:
  plugins:
    - excessive-agency
    - harmful:misinformation-disinformation
```

Or use the NIST shorthand:

```yaml
redteam:
  plugins:
    - nist:ai:measure:4.1
    - nist:ai:measure:4.2
    - nist:ai:measure:4.3
```
For complete NIST AI RMF compliance testing across all measures:
```yaml
redteam:
  plugins:
    - nist:ai:measure
  strategies:
    - jailbreak
    - prompt-injection
```
This configuration tests your AI system against all NIST AI RMF measurement criteria, providing comprehensive risk assessment aligned with federal AI guidelines.
The NIST AI RMF complements other frameworks and standards:
You can combine NIST testing with other frameworks:
```yaml
redteam:
  plugins:
    - nist:ai:measure
    - owasp:llm
    - gdpr
  strategies:
    - jailbreak
    - prompt-injection
```
When testing for NIST AI RMF compliance with Promptfoo:
While Promptfoo helps automate many NIST AI RMF measures, some requirements need additional processes:
Automated red teaming should be part of a comprehensive NIST AI RMF compliance program that includes governance, documentation, and stakeholder engagement.
The NIST AI RMF is regularly updated to reflect emerging AI risks and best practices. Regular testing with Promptfoo helps ensure ongoing compliance with the framework's measurement requirements.
To learn more about setting up comprehensive AI red teaming, see Introduction to LLM red teaming and Configuration details.