Compliance · NIST AI RMF · v0.2 · May 2026

NIST AI RMF defines the process.
ATR makes it detectable.

Every one of GOVERN / MAP / MEASURE / MANAGE has ATR rules wired into it (per-subcategory distribution below).

AI RMF is a governance framework — it tells you which risks to GOVERN, MAP, MEASURE, and MANAGE, but it detects nothing on its own. ATR writes compliance.nist_ai_rmf metadata into the rules themselves: each rule declares which subcategory it serves, so every function in the framework has detection that actually fires beneath it. First shipped 2026-05-09 with v2.1.0, when all 330 rules then in the corpus carried the mapping; as the corpus grew to 655 rules, the mapping expanded to cover most of them.

The mapping is not an “aligned with NIST” claim. Each one cites the detection element the rule actually relies on (regex / token / signature), accountable to the YAML line by line — downloadable, auditable, and refutable by any auditor.

Community OSCAL contribution · current status

The framework itself is prose. For a machine to consume it, someone has to transcribe it into a structured format. The ATR maintainers transcribed NIST AI RMF into an OSCAL-format community catalog (72 controls + 176 cross-reference links), published under CC0 at Agent-Threat-Rule/ai-rmf-oscal-catalog. This catalog is a community contribution, NOT a NIST publication.

That content was further submitted to NIST's official usnistgov/oscal-content repository. The submission (PR #338) is in review, contributed onto NIST's own collaboration branch, where the NIST OSCAL maintainer has responded on the thread to align on the content. The maintainers have emailed [email protected] asking for direction and are awaiting a response. This is the path an open standard is supposed to take — contribute upstream, collaborate in the open, and leave the decision to adopt where it belongs: with the standards body itself.

What this is NOT

This is not a NIST official endorsement, not a NIST AI RMF compliance certification, and not any NIST-issued 'acceptance tier'. ATR is an independent MIT-licensed open standard. Any formal adoption on NIST's side will be announced by NIST itself, not by this page. A standard earns trust by being precise about what it has not yet been granted.

  • Corpus: 655 rules in corpus
  • Subcategories: 16 across GV / MP / MS / MG
  • Functions: 4, all of GOVERN / MAP / MEASURE / MANAGE
  • License: MIT. Forever free, forkable

01 · Why this matters

The NIST AI Risk Management Framework (AI RMF 1.0 + GenAI Profile) is the de-facto standard adopted by US federal AI agencies, and the measurement foundation NIST CAISI is using for the COSAiS Single-Agent / Multi-Agent overlay work. It splits AI risk management into four functions — GOVERN / MAP / MEASURE / MANAGE. That is the language of governance: it tells you what to manage, but not how to catch the risk inside a single SKILL.md file or one MCP tool description.

That gap is exactly where most AI security products are sloppiest. They claim “NIST AI RMF alignment,” but in practice the alignment is a closed document, a marketing line, or a single-framework crosswalk — with no auditable per-rule mappings. The framework gets cited; nothing that fires on a real artifact is wired beneath it.

ATR wires that layer in as MIT-licensed, open-source, reproducible per-rule metadata. The AI RMF turns from a governance framework into a verifiable detection layer: any government, any SOC, any auditor can download the YAML and inspect, rule by rule, which subcategory each maps to, why, and which detection element justifies it.

02 · Subcategory distribution

The mappings land across 16 subcategories, and none of the four functions — GOVERN / MAP / MEASURE / MANAGE — is left empty: every stretch of the governance process has firing rules wired beneath it. A single rule can map to several subcategories (primary + secondary strength); the per-subcategory counts are listed below.

| Subcategory | Function | What it covers | Mappings |
|---|---|---|---|
| MG.2.3 | MANAGE | Containment / disengage mechanisms | 442 |
| MS.2.7 | MEASURE | Security / resilience evaluation | 358 |
| MP.5.1 | MAP | Risk characterization & tracking | 318 |
| MS.2.6 | MEASURE | Continuous evaluation | 154 |
| GV.6.1 | GOVERN | Third-party / supply chain governance | 70 |
| MS.2.10 | MEASURE | Privacy risk assessment | 58 |
| MG.3.2 | MANAGE | Pre-trained model monitoring | 52 |
| MG.4.1 | MANAGE | Post-deployment monitoring | 30 |
| MG.3.1 | MANAGE | Third-party risk management | 30 |
| MS.2.5 | MEASURE | Robustness evaluation | 24 |
| GV.1.2 | GOVERN | Accountability roles | 14 |
| GV.1.1 | GOVERN | Legal / regulatory framework | 8 |
| MS.1.1 | MEASURE | Evaluation metrics | 2 |
| MP.3.3 | MAP | Capabilities documented | 2 |
| MG.4.2 | MANAGE | Continuous improvement | 2 |
| GV.6.2 | GOVERN | Third-party contingency | 2 |

MG.2.3 dominates (442 mappings) because most detection rules link into the “containment / disengage” response path — detection itself is the condition that triggers the isolation mechanism.

03 · Sample mapping (auditable)

The mapping lives in the rule, not on a slide. Every rule's NIST mapping states which subcategory it serves and why. Below is the actual metadata from ATR-2026-00118 (Approval Fatigue Exploitation):

compliance:
  nist_ai_rmf:
    - subcategory: GV.6.1
      context: Approval fatigue exploitation manipulates
        human-in-the-loop oversight by overwhelming operators
        with rapid permission requests or minimizing
        dangerous actions; GV.6.1 requires data and oversight
        governance policies that preserve meaningful human
        review rather than enabling bulk auto-approval of
        risky tool calls.
      strength: primary

The context field specifies why this rule belongs to GV.6.1 — not as generic “governance,” but as the specific attack path through which approval-fatigue violates oversight policy. Every rule is documented this way.

04 · Mapping methodology

The mapping pipeline has three stages: LLM-assisted batch generation, per-rule QA, atomic patch. Fully open-source and reproducible.

  • Input: The 330 ATR rule YAMLs that existed in v2.1.0 (detection patterns, test cases, existing metadata), NIST AI RMF 1.0 reference, GenAI Profile, hand-written 5-shot examples. Mappings for new rules added to the corpus since v2.1.0 use the same batch pipeline.
  • Batch generator (scripts/expand-nist-mapping.ts): Claude Opus + 5-shot prompt + structured output. Each rule produces ≥1 primary plus 0–3 secondary subcategory mappings, each with its own context field. Subcategory IDs validated strictly against the RMF reference — zero hallucination.
  • Atomic patcher (scripts/apply-nist-mapping.ts): Reads each proposal YAML, patches the compliance.nist_ai_rmf block in the corresponding rule YAML, atomic write (tmp + rename), patched YAML still parses (0 / 261 failures). Human-curated mappings already in place are never overwritten.
  • Cost & time: USD 24.98 (estimated USD 34) · wall-clock ~52 minutes · 261 new mappings layered on top of v0.1's 69, mapping all 330 rules then in the v2.1.0 corpus.
  • Provenance: Every rule's proposal YAML is preserved under proposals/nist/. Anyone can re-run the pipeline, compare outputs, and audit the mapping rationale.

05 · NIST CAISI relevance

ATR is designed to serve as a reference implementation for NIST CAISI’s COSAiS Single-Agent and Multi-Agent overlay work, and responds to RFI NIST-2025-0035 on that basis. This is ATR’s own submission, not a selection by NIST.

The “measurement-science-first” framing CAISI uses in its Research Blog is the foundation this mapping is built on: a claim to serve a subcategory should not be an assertion but a reproducible measurement (garak in-the-wild benchmark, SKILL.md FP corpus, publicly-released test corpora). What can be measured gets a number; what cannot is not claimed — the same discipline CAISI asks for when it puts measurement first.

  • RFI docket: NIST-2025-0035 (CAISI Issues Request for Information About Securing AI Agent Systems)
  • Sister project: NCCoE AI Agent Identity & Authorization — ATR's detection layer naturally sits above the identity layer
  • Performance benchmarks: 98.0% recall on NVIDIA garak's in-the-wild jailbreak set (650 samples) and 38.5% across the full 23-probe garak suite (3,475 samples) · 0.20% FP rate on 498 labeled benign SKILL.md samples · DOI 10.5281/zenodo.19178002

06 · Audit the mapping yourself

The mapping is open metadata, not a closed spec you can only read. Every rule's RMF mapping is publicly readable as YAML on GitHub — fork it, challenge it, open a PR to refine strength or context. A mapping that can't be refuted isn't a standard.
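
One way an auditor could check the constraints stated in sections 03 and 04 (known subcategory ID, at least one primary, at most three secondary, a non-empty context per mapping) and confirm that no function is left empty. This is an added example, not code from the ATR repository. It assumes the rule YAML has already been parsed into objects; the names auditRule, coverageByFunction and SAMPLE_RULES are hypothetical, and the allow-list holds only the 16 IDs from the table on this page.

```typescript
// Added example (not ATR project code): audit parsed compliance.nist_ai_rmf entries.
type Fn = "GOVERN" | "MAP" | "MEASURE" | "MANAGE";
interface Mapping { subcategory: string; context: string; strength: string }

// Allow-list: only the 16 subcategory IDs in this page's distribution table.
// Assumption: for a real audit, load the full RMF reference instead.
const SUBCATEGORIES: Record<string, Fn> = {
  "GV.1.1": "GOVERN", "GV.1.2": "GOVERN", "GV.6.1": "GOVERN", "GV.6.2": "GOVERN",
  "MP.3.3": "MAP", "MP.5.1": "MAP",
  "MS.1.1": "MEASURE", "MS.2.5": "MEASURE", "MS.2.6": "MEASURE",
  "MS.2.7": "MEASURE", "MS.2.10": "MEASURE",
  "MG.2.3": "MANAGE", "MG.3.1": "MANAGE", "MG.3.2": "MANAGE",
  "MG.4.1": "MANAGE", "MG.4.2": "MANAGE",
};
const known = (id: string): boolean =>
  Object.prototype.hasOwnProperty.call(SUBCATEGORIES, id);

// Returns one finding per violated constraint; an empty list means the rule passes.
function auditRule(ruleId: string, mappings: Mapping[]): string[] {
  const findings: string[] = [];
  let primary = 0, secondary = 0;
  for (const m of mappings) {
    if (!known(m.subcategory)) findings.push(`${ruleId}: unknown subcategory ${m.subcategory}`);
    if (m.strength === "primary") primary++;
    else if (m.strength === "secondary") secondary++;
    else findings.push(`${ruleId}: invalid strength "${m.strength}"`);
    if (m.context.trim() === "") findings.push(`${ruleId}: ${m.subcategory} has no context`);
  }
  if (primary < 1) findings.push(`${ruleId}: no primary mapping`);
  if (secondary > 3) findings.push(`${ruleId}: ${secondary} secondary mappings (max 3)`);
  return findings;
}

// Counts valid mappings per function, to check that none of the four is empty.
function coverageByFunction(rules: Record<string, Mapping[]>): Record<Fn, number> {
  const counts: Record<Fn, number> = { GOVERN: 0, MAP: 0, MEASURE: 0, MANAGE: 0 };
  for (const id of Object.keys(rules))
    for (const m of rules[id]) if (known(m.subcategory)) counts[SUBCATEGORIES[m.subcategory]]++;
  return counts;
}

// Sample input: the first entry abbreviates the page's ATR-2026-00118 mapping;
// EXAMPLE-BAD is constructed to trip every per-mapping check.
const SAMPLE_RULES: Record<string, Mapping[]> = {
  "ATR-2026-00118": [{ subcategory: "GV.6.1", strength: "primary",
    context: "Approval fatigue exploitation manipulates human-in-the-loop oversight" }],
  "EXAMPLE-BAD": [{ subcategory: "GV.9.9", strength: "strong", context: " " }],
};
for (const id of Object.keys(SAMPLE_RULES)) console.log(id, auditRule(id, SAMPLE_RULES[id]));
```

A zero count for any function in the coverageByFunction result over the full corpus would contradict the page's claim that none of the four functions is left empty.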

NIST AI RMF defines what to manage; ATR gives every function a layer of detection you can verify beneath it — not a marketing claim. Downloadable, auditable YAML metadata, MIT-licensed forever.