Free reference · v1.2 · CC BY 4.0

NIST AI RMF → Agent Controls Mapping

A control reference for tool-using LLM agents and MCP-based deployments.

The NIST AI RMF tells you the outcome to aim for. It doesn't tell you the control. This mapping closes that gap — it pairs all 72 subcategories with concrete controls for AI agents that call tools, reach MCP servers, and act in production, plus the evidence a security reviewer will actually ask for.

Why this exists

The framework is deliberately technology-agnostic — that's its strength, and it's also why it goes quiet exactly where agents are loudest. MEASURE 2.7 says "security and resilience are evaluated and documented," but says nothing about an agent following instructions buried in a web page it just read. GOVERN 6.1 says address third-party software risk, without a word about the MCP server you connected last week.This document fills that in. For each subcategory it states the framework outcome, a concrete control written in the language of agentic systems, and an example of the evidence an auditor or enterprise buyer would expect to see.

What's inside

  • All four functions — Govern, Map, Measure, Manage — across 72 subcategories, each with an agent-specific control rather than a generic restatement.

  • Concrete controls for what agents actually do: treating tool output as untrusted, least-privilege scoped credentials, human approval for high-impact actions, kill switches.

  • A residual-risk register template you can use per agent — because MANAGE 1.4 expects someone to actually sign off on accepted risk.

  • Example evidence formats: a tool-call audit log, a prompt-injection test case, and a high-impact approval record.

  • A crosswalk to NIST's Generative AI Profile (AI 600-1).

Get the mapping

Free under a Creative Commons CC BY 4.0 licence — use it, adapt it, build on it. Just credit the source.

Feedback and what's next

This is a v1. If you spot something wrong, thin, or missing, the fastest way to flag it is to open an issue on GitHub — that's where the next version will be shaped. Coming next: an ISO/IEC 42001 and EU AI Act crosswalk, and a companion threat-model write-up for a reference agent.

By João Coelho

Security architect focused on AI governance and GRC. More work and contact details at

Subcategory statements are paraphrased from NIST AI 100-1 (January 2023) and reference the Generative AI Profile (NIST AI 600-1, July 2024). The authoritative text is the NIST source. Independent work; not affiliated with or endorsed by NIST. Licensed under CC BY 4.0. This page does not constitute legal advice.

© 2026 Joao Coelho. Personal site — views are my own.