NIST AI RMF + SpecMarket: Automating the MANAGE Pillar

By Chief Wiggum

The NIST AI RMF Opportunity

NIST released the AI Risk Management Framework (AI RMF) in 2023. In 2025-2026, it’s becoming the de facto standard for enterprise AI governance.

The problem: NIST defines WHAT to manage, not HOW to manage it.

This is where SpecMarket fits perfectly.

NIST AI RMF: The Four Pillars

NIST’s framework has four core functions:

MAP

Goal: Understand your AI systems Activities: Inventory what AI you have, understand capabilities/risks Outcome: Knowledge of what you’re deploying

MEASURE

Goal: Monitor performance and risk Activities: Track metrics, measure decision quality, identify drift Outcome: Visibility into how AI is performing

MANAGE

Goal: Enforce governance controls Activities: THIS IS WHERE EXECUTION VERIFICATION HAPPENS Outcome: Proof that AI systems behave as intended

MONITOR

Goal: Continuous oversight Activities: Ongoing surveillance, alert on anomalies Outcome: Long-term compliance assurance

The MANAGE Pillar: What It Actually Requires

NIST defines MANAGE as “implementing procedures, processes, and resources for ongoing governance of AI systems.”

But what does “implementing procedures” look like?

Here’s what regulators are actually asking for:

  1. Policy Definition → Describe what you expect
  2. Behavior Control → Force systems to comply
  3. Verification → Prove systems complied
  4. Audit Trail → Document everything
  5. Escalation → Handle non-compliant decisions

NIST doesn’t explain HOW to do this. That’s the implementation gap.

The Gap: Policy Without Enforcement

Many enterprises read NIST AI RMF and think:

“OK, we’ll write policies for AI systems. That covers MANAGE.”

But policies alone don’t MANAGE anything. Policies are aspirational. They describe what SHOULD happen.

The real MANAGE function requires ENFORCEMENT.

You need:

  • Policies that are mechanically enforceable (not just documented)
  • Systems that CANNOT violate the policies
  • Automatic verification when they execute
  • Audit trails that prove compliance

Real Example: Insurance Claims Processing

Let’s walk through how NIST AI RMF MANAGE works with executable specifications.

Context: NAIC Insurance Pilot

The NAIC (National Association of Insurance Commissioners) is running an AI pilot with 10 insurers across 12 states. One of those insurers, Big State Insurance, is using AI to process claims.

The Challenge:

  • 5,000 claims per month
  • Policy requires fraud detection on all claims
  • Policy requires deductible application
  • Policy requires state-specific rule compliance
  • Audit deadline: Every claim must have proof of compliance

The MANAGE Implementation

Phase 1: MAP

What Big State Insurance discovers:

Inventory:
- Claims processing agent (deployed in production)
- Processes 167 claims/day
- Handles property damage, liability, bodily injury
- Integrated with fraud detection API
- State regulations: TX, CA, FL, NY (4 states)

Phase 2: MEASURE

Metrics they establish:

KPIs:
- % of claims approved within 2 hours
- % of claims with fraud detection run
- % of claims with deductible applied correctly
- % of claims following state-specific rules
- Average claim processing time

Phase 3: MANAGE (EXECUTION VERIFICATION)

This is where SpecMarket fits.

Big State Insurance defines an executable specification:

Insurance Claims Specification
├─ Rule 1: Coverage must be verified
├─ Rule 2: Fraud detection must be executed (risk < 0.5)
├─ Rule 3: Deductible correctly calculated
├─ Rule 4: State regulations complied with
├─ Rule 5: Decision timestamped
└─ Result: Agent CANNOT approve claim if any rule fails

Key insight: The specification is ENFORCED, not just documented.

When the agent processes a claim:

Claim received: $3,000 property damage in TX

Step 1: OPA Authorization Check (who is allowed?)
  Agent role: claims_agent ✓
  Claim type: property damage ✓
  Claim amount: $3,000 (< $5,000 threshold) ✓
  → AUTHORIZED to proceed

Step 2: Execute Specification Rules (did they do it correctly?)
  Rule 1 - Coverage verified: ✓
  Rule 2 - Fraud detection executed (risk 0.15): ✓
  Rule 3 - Deductible correct ($3,000 - $500 = $2,500): ✓
  Rule 4 - TX state rules met: ✓
  Rule 5 - Decision timestamped: ✓
  → ALL RULES PASSED

Step 3: MANAGE Decision (approve or escalate?)
  Is agent authorized? YES (OPA)
  Did agent follow process? YES (specs)
  → APPROVE CLAIM + AUDIT TRAIL

Audit Trail:
  Claim ID: CLM-2026-000834
  Decision: APPROVED for $2,500
  Timestamp: 2026-03-01T14:26:30Z
  OPA Status: AUTHORIZED
  Specification Verification: ALL RULES PASSED
  Evidence:
    ├─ Coverage verified: 2026-03-01T14:25:15Z
    ├─ Fraud detection: risk=0.15, passed 14:25:45Z
    ├─ Deductible: 3000 - 500 = 2500, correct 14:26:00Z
    └─ State rules: TX compliance verified 14:26:00Z

What if a step fails?

Claim received: $3,000 property damage in TX

Step 2: Execute Specification Rules
  Rule 1 - Coverage verified: ✓
  Rule 2 - Fraud detection: FAILED (risk 0.75 > 0.5 threshold)
  → ESCALATE TO HUMAN

Audit Trail:
  Claim ID: CLM-2026-000835
  Decision: ESCALATE
  Reason: "Fraud risk too high (0.75). Manual review required."
  Timestamp: 2026-03-01T14:27:00Z
  Evidence: Fraud detection risk score 0.75 logged
  → HUMAN REVIEWS CLAIM

Phase 4: MONITOR

Ongoing oversight:

Monthly Report (Big State Insurance):
- Total claims processed: 4,837
- Claims fully auto-approved: 4,562 (94%)
- Claims escalated for review: 275 (6%)
  ├─ Reason: Fraud risk too high (182)
  ├─ Reason: State rule violation (47)
  ├─ Reason: Missing documentation (46)

Specification Compliance:
- Claims with full audit trail: 4,837 (100%)
- Claims where all rules passed: 4,562 (94%)
- Claims with verification failure: 275 (6%)

Regulatory Readiness:
- NAIC requests random audit of 100 claims
- 100% of claims have complete audit trail
- 100% of auto-approved claims show all rules passed
- 100% of escalated claims have documented reason
- → COMPLIANCE VERIFIED ✓

Why This Matters: The NIST MANAGE Gap

Before specifications, enterprises tried to operationalize MANAGE like this:

Policy Document: "Claims agents must verify coverage"
↓
Implementation: Developers add code to check coverage
↓
Problem: You can't verify the code runs (or runs correctly)
↓
Regulatory Question: "How do you prove every claim had coverage verified?"
↓
Answer: "It's in our code... (we think)"
↓
Result: COMPLIANCE FAILURE (no systematic proof)

With executable specifications:

Specification: "Rule: coverage_verified [coverage_check_status == PASSED]"
↓
Enforcement: System CANNOT approve without this rule passing
↓
Verification: Every claim produces proof of rule evaluation
↓
Regulatory Question: "How do you prove every claim had coverage verified?"
↓
Answer: "Here's the audit trail showing the rule passed for all 4,837 claims"
↓
Result: COMPLIANCE SUCCESS (systematic proof)

The NIST AI RMF MANAGE Operationalization Pattern

Here’s the template for any enterprise using NIST AI RMF:

Step 1: Define MANAGE Policies

Policies describe what SHOULD happen
Examples:
- "Loan agents must verify income before approval"
- "Treatment agents must check drug interactions"
- "Claims agents must run fraud detection"

Step 2: Translate to Executable Specifications

Specifications describe how to ENFORCE policies
Examples:
- Rule: income_verified [income_check_status == PASSED]
- Rule: drug_interaction_checked [drug_db.check(medications) == PASSED]
- Rule: fraud_detected_run [fraud_risk_score <= 0.5]

Step 3: Implement Enforcement

Enforcement happens automatically
Examples:
- Loan cannot be approved if income_verified fails
- Treatment cannot be recommended if drug_interaction_checked fails
- Claim cannot be auto-approved if fraud_detected_run fails

Step 4: Collect Evidence

Every execution produces proof
Examples:
- Income verification timestamp, status, evidence
- Drug database check timestamp, results, interactions found
- Fraud detection timestamp, risk score, checks run

Step 5: Generate Audit Trail

Proof is collected in immutable audit trail
Example:
{
  "claim_id": "CLM-000834",
  "decision": "APPROVED",
  "timestamp": "2026-03-01T14:26:30Z",
  "opa_authorization": {
    "status": "PASSED",
    "policy": "claims_agent_can_approve_property_damage_under_5k"
  },
  "specification_verification": {
    "coverage_verified": "PASSED",
    "fraud_detected": "PASSED",
    "deductible_applied": "PASSED",
    "state_rules_met": "PASSED"
  },
  "audit_trail": [
    {"event": "coverage_check", "timestamp": "14:25:15Z", "result": "PASSED"},
    {"event": "fraud_detection", "timestamp": "14:25:45Z", "score": 0.15},
    {"event": "deductible_calc", "timestamp": "14:26:00Z", "amount": 2500},
    {"event": "state_rule_check", "timestamp": "14:26:00Z", "state": "TX", "result": "PASSED"}
  ]
}

Step 6: Regulatory Reporting

Report proves MANAGE function is implemented
Example report to NAIC:
"100% of processed claims (4,837) have complete audit trail.
100% of auto-approved claims (4,562) passed all specification rules.
6% of claims (275) escalated due to specification rule failures.
MANAGE pillar is operationalized: policies → enforcement → verification → audit."

The Regulatory Context: Why This Matters in 2026

NIST AI RMF 1.1 (Rolling out Q2 2026)

NIST is expected to release updated guidance on MANAGE function operationalization. The enterprises that have implemented systematic enforcement (specs) will have competitive advantage:

  • Automatic compliance with new NIST guidance
  • Shorter audit cycles (proven implementation, not ad-hoc)
  • Lower regulatory friction

NAIC Insurance Pilot (Q1-Q3 2026)

The NAIC is testing agentic AI in insurance. Pilot participants that can show MANAGE function implementation will:

  • Get earlier approval for expanded use
  • Avoid regulatory scrutiny (we can prove compliance)
  • Serve as reference cases for peer companies

EU AI Act (Enforcement: Aug 2, 2026)

The EU AI Act requires high-risk AI systems to have “documented procedures” for enforcement. Enterprises with specifications have:

  • Machine-readable procedures (specs)
  • Automatic enforcement (rules are mechanically enforceable)
  • Audit trail (proof of compliance)

State Regulations (Effective 2026)

Arizona HB 2175, Florida HB 527, and similar state laws require agent “audit trails of decision steps.” Specifications provide:

  • Structured audit trails (not just logs)
  • Systematic verification (not manual review)
  • Regulatory-ready documentation

Real Numbers: Big State Insurance Case Study

Let’s quantify the impact of MANAGE operationalization.

Scenario: 5,000 claims per month

Without Specification Enforcement (status quo):

  • 5,000 claims processed
  • Assume 2% error rate (100 claims with compliance failures)
  • Manual audit required for regulatory review
  • Audit cost: 50 hours × $150/hr = $7,500
  • Regulatory risk if failures found: $50,000+ fine per failure
  • Expected annual cost: $7,500 × 12 months + compliance failures = $90,000+

With Specification Enforcement:

  • 5,000 claims processed
  • 0% error rate (100% compliance, all failures escalated)
  • Automated audit trail generated (no manual work)
  • Audit cost: 5 hours × $150/hr = $750 (review automated reports)
  • Regulatory risk: $0 (no compliance failures)
  • Expected annual cost: $750 × 12 months = $9,000

Annual Savings: $81,000+

Plus: Faster claim processing (no manual review of compliant claims), lower regulatory exposure, market advantage (first to prove NAIC compliance).

The MANAGE Implementation Timeline

Now (Q1 2026)

  • Define policies for your AI systems
  • Translate policies to executable specifications
  • Implement enforcement
  • Start collecting audit trails
  • Prepare for regulatory questions

Q1-Q2 2026

  • NAIC pilot participants: Submit compliance proof (audit trails)
  • Enterprise governance teams: Demonstrate MANAGE function to execs
  • Regulatory-driven orgs: Prepare for NIST RMF 1.1 guidance

Q2-Q3 2026

  • NAIC pilot results: Companies with spec-based MANAGE win contracts
  • NIST RMF 1.1: New guidance aligns with spec-based operationalization
  • Peer pressure: Competitors ask “How do you prove compliance?”

Q3-Q4 2026

  • EU AI Act enforcement: Specs become table stakes for EU operations
  • Regulatory convergence: All major frameworks expect MANAGE operationalization
  • Market shift: Enterprises without specs seen as non-compliant

Implications for Different Industries

Finance (Loan Approval)

NIST MANAGE Policy: “Loan agents must verify income and credit” Spec Implementation:

Rule 1: income_documented [income_check_status == PASSED]
Rule 2: credit_score_checked [credit_score != null and credit_score >= 620]
Rule 3: debt_to_income_validated [dti_ratio <= 0.43]

Regulatory Value: Proof that every loan decision included required verification steps

Healthcare (Treatment Recommendations)

NIST MANAGE Policy: “Treatment agents must check guidelines and drug interactions” Spec Implementation:

Rule 1: guidelines_checked [clinical_guideline_match == true]
Rule 2: drug_interactions_verified [drug_db.check(medications) returned no conflicts]
Rule 3: patient_history_reviewed [ehr_access_timestamp exists]

Regulatory Value: Proof that every recommendation considered clinical guidelines + drug safety

Supply Chain (Procurement)

NIST MANAGE Policy: “Procurement agents must compare prices and verify supplier credentials” Spec Implementation:

Rule 1: price_comparison_conducted [supplier_quotes >= 3]
Rule 2: supplier_verified [supplier_compliance_score >= 80]
Rule 3: contract_terms_reviewed [contract_terms != null]

Regulatory Value: Proof that every procurement decision followed due diligence

What “MANAGE Operationalization” Looks Like

A system with MANAGE operationalized:

  1. Policies written (humans define what should happen)
  2. Policies executable (specifications make policies mechanically enforceable)
  3. Enforcement automatic (agents cannot violate specs)
  4. Verification continuous (every decision checked)
  5. Audit trail automatic (evidence collected systematically)
  6. Compliance proven (audit trail shows proof)
  7. Regulators satisfied (we can prove MANAGE is implemented)

Systems without MANAGE operationalization:

  1. ✅ Policies written
  2. ❌ Policies not executable (just documents)
  3. ❌ Enforcement manual (humans check decisions)
  4. ❌ Verification inconsistent (some decisions checked, some not)
  5. ❌ Audit trail ad-hoc (logs, not structured proof)
  6. ❌ Compliance uncertain (we don’t know if we’re compliant)
  7. ❌ Regulators skeptical (How do you prove compliance?)

The Bottom Line

NIST AI RMF MANAGE is not a policy exercise. It’s a technical implementation.

The enterprises that treat MANAGE as “write governance policies and document them” will fail regulatory audits.

The enterprises that implement MANAGE as “define policies, execute them as specs, collect proof automatically” will pass audits and gain competitive advantage.

The time to implement this is now (Q1 2026), before:

  • NIST RMF 1.1 guidance is released (Q2)
  • NAIC pilot results show winners and losers (Q3)
  • EU AI Act enforcement begins (Aug 2)
  • Your competitors claim compliance first

If you’re running AI agents in production, particularly in regulated sectors (finance, healthcare, insurance), you need MANAGE operationalization. Not eventually. Now.

Created: 2026-03-01 Status: Draft Next Steps: Publish when final technical review complete