Manage
NIST AI RMF 1.0 · MANAGE function
Treat identified risks: mitigation, controls, incident response, lifecycle.
What this function means
MANAGE is the operational function — actually treating identified risks through controls, mitigations, and incident response. Vendor compliance posture, breach history, and dependency-chain controls dominate this function for buyers evaluating procurement.
How TrustAtlas dimensions support it
Regulatory compliance covers attestations that signal control-management maturity (SOC 2 Type II, ISO 27001, ISO 42001); security covers active controls; dependency chain covers risk transfer to upstream providers; business stability covers continuity of mitigation programmes.
See methodology for how each dimension is scored across the catalog.
Example NIST categories under Manage
- MANAGE 1: Risks identified in MAP and MEASURE are prioritised, responded to, and managed
- MANAGE 2: Strategies to maximise benefits and minimise negative impacts are planned, implemented, and documented with input from relevant AI actors
- MANAGE 3: Risks and benefits arising from third-party entities are managed
- MANAGE 4: Risk treatments, including response and recovery and communication plans, are documented and monitored regularly
Drawn from NIST AI RMF 1.0; the catalog evidence below maps onto these categories at the vendor-evaluation layer.
Questions to ask vendors
Use as part of your procurement diligence or as a structured profile-review aid alongside the vendor's TrustAtlas page.
- Provide a current attestations list: SOC 2 Type II, ISO 27001, ISO 42001, HIPAA BAA availability, FedRAMP status, and any in-progress audits with target dates.
- What is your incident-response SLA — initial customer notification, root-cause analysis, and remediation timelines?
- How do you flow risk-mitigation requirements down to your sub-processors, and how is that compliance evidenced?
- What financial runway and acquisition-risk profile underpin your stated continuity commitments?
Related
- Back to the full NIST AI RMF cross-walk
- OWASP LLM Top 10 cross-walk — the application-security companion framework
- Vendors that claim NIST AI RMF alignment
- TrustAtlas methodology — how the 8 risk dimensions are scored