AI Governance

AI governance for risk, legal, and product teams

AI governance is the discipline of registering, classifying, controlling, and monitoring AI systems against a coherent framework. This page shows the lifecycle as a BPMN 2.0 process map, aligned to the EU AI Act risk tiers, the NIST AI Risk Management Framework, and ISO/IEC 42001 - the three standards every modern AI governance programme references.

Jack Finnegan, Founder & CEO, BA Copilot

By Jack Finnegan · Updated 21 May 2026

What it is

What AI governance actually is

AI governance is the structured discipline of inventorying AI systems, classifying their risk, applying proportionate controls, and monitoring them in production. The three standards every credible programme references are: the EU AI Act (Regulation 2024/1689, in force from 1 August 2024 with staged application dates running through 2027), which introduces the four-tier risk classification (unacceptable, high, limited, minimal); the US NIST AI Risk Management Framework 1.0 (January 2023), which structures the work around four functions (govern, map, measure, manage); and ISO/IEC 42001:2023, the first AI management system standard, which provides the certifiable management-system shape.
Mature programmes do not treat the three as alternatives - they fold the NIST functions and ISO 42001 controls into a single management system, then map the EU AI Act obligations onto the same controls. The result is one process, multiple regulatory readings.

The problem today

AI governance is currently a PowerPoint deck

In most firms, AI governance is a 30-slide deck the AI ethics committee approved last quarter and a Confluence page nobody updates. Use cases enter the firm through procurement, through engineering, and through marketing experiments, and none of those paths is connected to the inventory. Risk classification happens at the legal review step (if at all), based on a one-pager the business filled out, with no link to the controls applied downstream. Post-market monitoring is whatever the model owner happens to remember at the next review.
The fix is treating governance as a process. Every AI use case enters the lifecycle through the same front door; every classification is recorded against the same taxonomy; every control is traceable from regulator obligation to implementation evidence. That is what a working management system looks like, and it is what an ISO 42001 audit will ask to see.

Four pillars

Four pillars of an AI governance programme

AI inventory

A single register of every AI use case the firm runs - in-house, vendor-provided, embedded in third-party products. Without this, every other pillar floats.

Risk classification

Classify each use case against the EU AI Act tiers (Article 6 and Annex III define high-risk) and the NIST AI RMF Map function. The classification dictates the control depth: high-risk systems get the full Chapter III obligations (risk management system, data governance, technical documentation per Annex IV, record-keeping, human oversight, accuracy/robustness/cybersecurity, conformity assessment) plus post-market monitoring under Article 72; limited-risk systems get the transparency obligations of Article 50; minimal-risk systems get no Act-specific obligations.

Controls and documentation

Implement the proportionate control set: data governance, technical documentation, human oversight, accuracy/robustness/cybersecurity. For high-risk systems the cybersecurity requirement (Article 15) is explicit about AI-specific attacks: the system must be resilient against attempts by unauthorised third parties to alter its use, outputs or performance, and the Act names data poisoning, model poisoning, adversarial examples (model evasion) and confidentiality attacks as threats the technical measures must prevent, detect and respond to. ISO/IEC 42001 Annex A is the canonical control library.

Post-market monitoring

Track model performance, incident reports, drift, and serious-incident reporting against the EU AI Act timelines (Article 73 sets the reporting deadlines for providers of high-risk systems). The monitoring data feeds the annual AI committee report and any required regulator notifications. Record-keeping under Article 12 (automatic event logging over the system's lifetime) is what makes incident and drift evidence reconstructible after the fact, so those logs need the same retention and integrity protection as any other audit trail.

Process Map

AI governance as a process map

The end-to-end governance lifecycle - register, classify, route to the proportionate control set, monitor in production, report.


An AI governance programme as a process map

A working AI governance programme rendered as a BPMN 2.0 process. The flow registers each AI use case, classifies its risk category (EU AI Act unacceptable / high / limited / minimal), routes the system through the proportionate control set (NIST AI RMF govern / map / measure / manage functions and ISO/IEC 42001 Annex A controls layered on top), and feeds ongoing post-market monitoring.

  1. A new AI use case is identified - by a business unit, a procurement request, or a discovery scan.
  2. Register the use case in the AI inventory and assign an owner.
  3. Classify the risk category - unacceptable, high, limited, or minimal under the EU AI Act, with NIST AI RMF and ISO/IEC 42001 controls layered on top.
  4. If the classification is unacceptable, prohibit and document the rationale.
  5. High-risk systems run a full risk-management cycle: risk management system (Article 9), data governance, technical documentation (Annex IV), record-keeping and logging, human oversight, accuracy/robustness/cybersecurity controls, conformity assessment.
  6. Limited-risk systems implement transparency obligations (e.g. disclose that the user is interacting with an AI).
  7. All deployed systems enter post-market monitoring and feed an annual report to the AI governance committee.

What this diagram shows: The lifecycle starts when a new AI use case is identified, via a business unit, a procurement request, or a discovery scan. Registration assigns ownership; classification applies the EU AI Act tier (unacceptable, high, limited or minimal). The risk-tier gateway routes unacceptable use cases to prohibition, high-risk use cases through the full Chapter III obligation set (including Annex IV technical documentation), limited-risk use cases through the lightweight transparency obligations, and minimal-risk use cases straight to deployment with no Act-specific controls. All deployed systems converge on post-market monitoring, which feeds the annual AI committee report and ongoing governance. One thing the gateway must not do is treat "not yet classified" as minimal risk: an unclassified use case should stall at the gateway, not flow through with no controls applied.

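
As an added illustration (not BA Copilot's own export and not part of the original page), here is the lifecycle above encoded as a minimal BPMN 2.0 process. Element ids, the `riskTier` process variable, the `${...}` condition syntax and the `calledElement` name of the high-risk control-set process are assumptions for this example; the article references are to the EU AI Act (Regulation (EU) 2024/1689). The security-relevant design choice is at the gateway: every outgoing flow carries an explicit condition and there is no default flow, so a use case whose tier was never set has no enabled path and the engine raises an error instead of silently routing it past the controls.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not BA Copilot's export: the AI governance lifecycle as BPMN 2.0.
     Element ids, the riskTier variable, the ${...} condition syntax (the form used by
     common engines such as Camunda and Flowable) and the calledElement name are
     assumptions for this illustration. -->
<bpmn:definitions
    xmlns:bpmn="http://www.omg.org/spec/BPMN/20100524/MODEL"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    id="Definitions_AIGovernance"
    targetNamespace="http://example.com/ai-governance">

  <bpmn:process id="AIGovernanceLifecycle" name="AI governance lifecycle" isExecutable="true">

    <!-- Steps 1-3: identify, register, classify -->
    <bpmn:startEvent id="UseCaseIdentified" name="New AI use case identified"/>
    <bpmn:userTask id="Register" name="Register in AI inventory and assign owner"/>
    <bpmn:userTask id="Classify" name="Classify EU AI Act risk tier (sets riskTier)"/>

    <!-- Risk-tier gateway. Deliberately no default="..." attribute: if riskTier is
         missing or not one of the four tiers, no outgoing flow is enabled and the
         engine raises an error, so an unclassified use case cannot slip through
         with no controls applied (fail closed). -->
    <bpmn:exclusiveGateway id="RiskTierGateway" name="Risk tier?"/>

    <!-- Step 4: unacceptable risk is prohibited and the rationale is recorded -->
    <bpmn:userTask id="Prohibit" name="Prohibit and document rationale (Art. 5)"/>
    <bpmn:endEvent id="Prohibited" name="Use case prohibited"/>

    <!-- Step 5: the high-risk control set is its own process map, called here.
         calledElement is an assumed id for that separate process. -->
    <bpmn:callActivity id="HighRiskControls" calledElement="HighRiskControlSet"
        name="Chapter III obligations: risk management (Art. 9), data governance (Art. 10),
              technical documentation (Art. 11 / Annex IV), record-keeping (Art. 12),
              human oversight (Art. 14), accuracy/robustness/cybersecurity (Art. 15),
              conformity assessment (Art. 43)"/>

    <!-- Step 6: limited-risk transparency obligations -->
    <bpmn:userTask id="TransparencyControls" name="Transparency obligations (Art. 50)"/>

    <!-- Step 7: every deployed system converges on monitoring and reporting -->
    <bpmn:userTask id="PostMarketMonitoring"
        name="Post-market monitoring (Art. 72) and serious-incident reporting (Art. 73)"/>
    <bpmn:endEvent id="AnnualReport" name="Annual AI governance committee report"/>

    <bpmn:sequenceFlow id="f1" sourceRef="UseCaseIdentified" targetRef="Register"/>
    <bpmn:sequenceFlow id="f2" sourceRef="Register" targetRef="Classify"/>
    <bpmn:sequenceFlow id="f3" sourceRef="Classify" targetRef="RiskTierGateway"/>

    <!-- One conditioned flow per tier. The condition values are the same taxonomy
         the inventory records, so classification and routing cannot drift apart. -->
    <bpmn:sequenceFlow id="FlowUnacceptable" sourceRef="RiskTierGateway" targetRef="Prohibit">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${riskTier == 'unacceptable'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="FlowHigh" sourceRef="RiskTierGateway" targetRef="HighRiskControls">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${riskTier == 'high'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <bpmn:sequenceFlow id="FlowLimited" sourceRef="RiskTierGateway" targetRef="TransparencyControls">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${riskTier == 'limited'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>
    <!-- Minimal risk: no Act-specific controls, straight to monitoring. Still an
         explicit condition rather than the default flow, for the reason above. -->
    <bpmn:sequenceFlow id="FlowMinimal" sourceRef="RiskTierGateway" targetRef="PostMarketMonitoring">
      <bpmn:conditionExpression xsi:type="bpmn:tFormalExpression">${riskTier == 'minimal'}</bpmn:conditionExpression>
    </bpmn:sequenceFlow>

    <bpmn:sequenceFlow id="f4" sourceRef="Prohibit" targetRef="Prohibited"/>
    <bpmn:sequenceFlow id="f5" sourceRef="HighRiskControls" targetRef="PostMarketMonitoring"/>
    <bpmn:sequenceFlow id="f6" sourceRef="TransparencyControls" targetRef="PostMarketMonitoring"/>
    <bpmn:sequenceFlow id="f7" sourceRef="PostMarketMonitoring" targetRef="AnnualReport"/>

  </bpmn:process>
</bpmn:definitions>
```

Two things to keep when adapting this: keep the article references in the element names, since that is the obligation-to-evidence trace an ISO 42001 auditor will walk, and keep the gateway without a default flow, since a gateway that defaults to the minimal-risk path turns a missing classification into a silently uncontrolled deployment.
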
FAQ

Frequently asked questions

What is AI governance?

AI governance is the discipline of inventorying AI systems, classifying their risk, applying proportionate controls, monitoring them in production, and reporting on outcomes. The three reference frameworks are the EU AI Act (Regulation 2024/1689), the NIST AI Risk Management Framework 1.0, and ISO/IEC 42001:2023 (the AI management system standard). Modern programmes fold all three into a single working management system.

What is the EU AI Act risk classification?

The EU AI Act introduces four risk tiers. Unacceptable risk: prohibited (social scoring, real-time biometric identification in public spaces with narrow exceptions, etc.). High risk: subject to the full obligations - data governance, technical documentation per Annex IV, human oversight, accuracy/robustness/cybersecurity, conformity assessment, post-market monitoring. Limited risk: transparency obligations (e.g. users must know they are interacting with an AI). Minimal risk: no specific obligations under the Act but encouraged voluntary codes of conduct.

What is the NIST AI Risk Management Framework?

NIST AI RMF 1.0 (January 2023) is the US National Institute of Standards and Technology's voluntary framework for managing AI risk. It is structured around four functions: govern (cultivate a risk-management culture), map (frame the AI system and its context), measure (assess and benchmark identified risks), manage (allocate risk-treatment resources). The framework is voluntary at federal level but increasingly referenced by US state laws and sector regulators.

What is ISO/IEC 42001?

ISO/IEC 42001:2023 is the first internationally certifiable AI management system standard, published December 2023. Like ISO 9001 (quality) and ISO 27001 (information security), it provides a Plan-Do-Check-Act management system structure with a control set (Annex A) that organisations can be audited against. Many large enterprises pursue ISO 42001 certification both to demonstrate governance maturity and to satisfy procurement-led AI-vendor questionnaires.

How do the EU AI Act, NIST AI RMF, and ISO 42001 relate?

They overlap considerably but serve different purposes. The EU AI Act is binding law in the EU. NIST AI RMF is a voluntary US framework that informs federal procurement and is increasingly cited by US state laws. ISO 42001 is a certifiable management-system standard usable globally. A pragmatic programme builds the management system around ISO 42001, uses NIST AI RMF as the risk-process methodology, and maps both onto EU AI Act obligations where the firm is in scope.

Does BA Copilot replace our AI governance platform?

No. BA Copilot is the modelling layer that produces the BPMN process maps for the governance workflow itself and for each high-risk AI use case (the Annex IV technical documentation maps, the human-oversight workflow, the post-market monitoring flow). It does not own the AI inventory, the risk classification, or the compliance evidence repository. It integrates with the platforms that do (Credo AI, Holistic AI, Trustible, ServiceNow IRM AI modules).

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.

Sources

Sources and verification

Last verified 21 May 2026 by Jack Finnegan.

References cited on this page:

  • EU AI Act (Regulation (EU) 2024/1689)
  • NIST AI RMF 1.0 (January 2023)
  • ISO/IEC 42001:2023


Make AI governance an actual process

Open the AI governance lifecycle template, route your existing use cases through it, and produce the BPMN evidence an ISO 42001 audit will ask for.