
Manage function (NIST AI RMF)

The Manage Function is the fourth of the four core functions of the NIST AI RMF (Govern, Map, Measure, Manage), and the one focused on the tactical execution of risk responses. It covers prioritizing, implementing, documenting, and overseeing the specific actions and controls needed to treat the risks identified in Map and quantified in Measure.

This function is where risk management plans become operational reality. It encompasses the allocation of resources, the deployment of technical and procedural safeguards, and the ongoing administration of controls. Management actions can include mitigating risks to bring them within tolerance, accepting residual risk that falls within tolerance or cannot practically be reduced further, transferring risk (e.g., via insurance or contractual terms), or, in extreme cases, avoiding risk by discontinuing a project or decommissioning a system. Crucially, this function is not a one-time event but a continuous cycle of implementing controls, monitoring their effectiveness, and adjusting as the system, its inputs, and its deployment context evolve.

The Manage Function operationalizes risk responses through a structured process:

Risk Treatment Planning: Developing specific action plans to address prioritized risks, detailing the chosen controls (e.g., implementing a bias mitigation algorithm, adding a human review step, deploying encryption), assigning owners, and setting timelines.

Control Implementation & Integration: Executing the planned actions by embedding new technical features, updating procedures, modifying system designs, and training personnel on new protocols.

Documentation & Traceability: Meticulously recording all risk treatment decisions, implemented controls, and their rationale in the risk register and system documentation to maintain an audit trail.

Ongoing Control Monitoring: Continuously tracking the performance and effectiveness of implemented controls as part of post-deployment (in EU AI Act terms, post-market) monitoring, verifying that they reduce risk as intended and identifying when they need adjustment or replacement.
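To make the four steps above concrete, here is an added example (not code from the page, from Scrut, or from NIST) of what a minimal operational risk register looks like: each entry records the treatment decision, the control, the owner, and a tolerance threshold; a monitoring routine evaluates observed control metrics against those thresholds and appends the result to each entry's audit trail. The risk IDs, owners, metrics, tolerance values, and observations are hypothetical and constructed for illustration; the demographic-parity-difference metric is one common way to measure the effect of a bias-mitigation control, not a measure prescribed by the framework.

```python
"""Added example: a risk register with treatment decisions and an
ongoing-monitoring check. All identifiers and values are hypothetical."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Treatment(Enum):
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass
class RiskEntry:
    risk_id: str
    description: str
    treatment: Treatment
    control: str
    owner: str
    metric: str               # what ongoing monitoring measures for this control
    tolerance: float          # residual risk is within tolerance if metric <= tolerance
    history: List[str] = field(default_factory=list)   # audit trail of monitoring decisions


def demographic_parity_difference(outcomes: List[Tuple[str, bool]]) -> float:
    """Largest gap in positive-outcome rate between any two groups.
    outcomes: (group label, model predicted positive) pairs."""
    totals: Dict[str, int] = {}
    positives: Dict[str, int] = {}
    for group, positive in outcomes:
        totals[group] = totals.get(group, 0) + 1
        positives[group] = positives.get(group, 0) + int(positive)
    if not totals:
        return 0.0
    rates = [positives[g] / totals[g] for g in totals]
    return max(rates) - min(rates)


def monitor(register: List[RiskEntry], observations: Dict[str, float]) -> List[str]:
    """One monitoring cycle: compare each mitigated risk's control metric
    with its tolerance, record the outcome in the audit trail, and return
    the IDs whose controls need adjustment. A mitigated risk with no
    observation this period is flagged too: no evidence is not evidence."""
    needs_adjustment: List[str] = []
    for entry in register:
        if entry.treatment != Treatment.MITIGATE:
            entry.history.append(f"{entry.treatment.value}: no control metric tracked")
            continue
        value: Optional[float] = observations.get(entry.risk_id)
        if value is None:
            entry.history.append(f"{entry.metric}: no observation this period; control needs adjustment")
            needs_adjustment.append(entry.risk_id)
        elif value <= entry.tolerance:
            entry.history.append(f"{entry.metric}={value:.3f} within tolerance {entry.tolerance}")
        else:
            entry.history.append(
                f"{entry.metric}={value:.3f} exceeds tolerance {entry.tolerance}; control needs adjustment")
            needs_adjustment.append(entry.risk_id)
    return needs_adjustment


# Constructed sample: screening-model decisions for two applicant groups.
# Group A is approved 7/10, group B 4/10, so the parity gap is 0.3.
SAMPLE_OUTCOMES = [("A", True)] * 7 + [("A", False)] * 3 + [("B", True)] * 4 + [("B", False)] * 6


def build_register() -> List[RiskEntry]:
    """Hypothetical register entries produced by risk treatment planning."""
    return [
        RiskEntry("R-001", "Screening model approves groups at different rates", Treatment.MITIGATE,
                  "Reweighting-based bias mitigation at training time", "ml-lead",
                  "demographic_parity_difference", 0.10),
        RiskEntry("R-002", "High-impact decisions issued without oversight", Treatment.MITIGATE,
                  "Human review step for high-impact outputs", "ops-lead",
                  "unreviewed_high_impact_fraction", 0.05),
        RiskEntry("R-003", "Vendor-hosted model becomes unavailable", Treatment.TRANSFER,
                  "Contractual SLA and cyber insurance", "procurement", "n/a", 0.0),
    ]


def run_monitoring_cycle() -> Tuple[List[str], List[RiskEntry]]:
    register = build_register()
    observations = {
        "R-001": demographic_parity_difference(SAMPLE_OUTCOMES),  # 0.3, above tolerance
        "R-002": 0.02,                                             # constructed value, within tolerance
    }
    flagged = monitor(register, observations)
    return flagged, register


if __name__ == "__main__":
    flagged, register = run_monitoring_cycle()
    for entry in register:
        print(entry.risk_id, entry.treatment.value, "|", entry.history[-1])
    print("controls needing adjustment:", flagged)
```

Running the example flags R-001: the mitigation is in place but its measured effect (a 0.3 parity gap) is outside the 0.10 tolerance, so the treatment plan loops back to implementation rather than being closed. The appended history lines are the traceability record an auditor would expect for each cycle.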

Regulatory Context: The Manage function is where compliance is enacted. It maps directly to implementing the risk mitigation measures required by the EU AI Act's risk management system for high-risk AI (Article 9) and to the corrective and preventive actions that follow from its incident reporting obligations. It likewise maps to the "Operation" and "Improvement" clauses (Clauses 8 and 10) of ISO/IEC 42001.

Closing the Risk Management Loop: The Manage function is where accountability is realized. It ensures that identified risks are not merely documented but are actively addressed. By effectively managing risks, organizations directly reduce the likelihood and impact of harmful AI outcomes, protect stakeholders, and maintain the ongoing compliance and business viability of their AI systems.
