NIST AI RMF

NIST AI Risk Management Framework as a working process

The NIST AI Risk Management Framework 1.0 (January 2023) is the US National Institute of Standards and Technology's voluntary framework for AI risk. It is structured around four functions: govern, map, measure, manage. This page shows the framework as a BPMN 2.0 process - the artefact most NIST RMF programmes lack.

By Jack Finnegan · Updated 21 May 2026

What the NIST AI RMF actually is

The NIST AI Risk Management Framework 1.0, published January 2023, is the US National Institute of Standards and Technology's voluntary framework for managing AI risk. It was developed under the National AI Initiative Act of 2020 through a consensus-driven, open, transparent process that drew about 400 sets of formal comments from more than 240 organisations across industry, academia, civil society, and government. The framework is voluntary at federal level but is increasingly referenced by US state and local AI laws (notably the Colorado AI Act, which makes NIST AI RMF or ISO/IEC 42001 alignment an affirmative defence) and by federal procurement rules.

The framework is structured around four functions, intended to be applied in any order but typically executed in the canonical sequence: Govern (cultivate a risk-management culture; assign roles), Map (frame the AI system and its context), Measure (assess and benchmark identified risks), and Manage (allocate risk-treatment resources). Each function is decomposed into categories and subcategories that describe the specific outcomes a mature programme demonstrates.
Most NIST AI RMF programmes implement Govern, document Map, and skip Measure entirely

The pattern: a firm adopts NIST AI RMF, writes the governance policy (Govern), produces an AI inventory and a few system-context documents (Map), then quietly drops Measure because nobody has the data infrastructure to benchmark risk consistently. Manage becomes whatever happens when an incident occurs. The result is paperwork without practice - the framework exists on the intranet but the operational reality is unchanged.

The fix is to treat the four functions as a process, not as a documentation checklist. Each function has explicit inputs, outputs, and handoffs to the next. The Manage→Map feedback loop (added in v1.0) makes context change visible. A BPMN process map of the lifecycle is the cheapest way to surface where a programme has actually implemented each function versus where it has merely written a policy.
The four NIST AI RMF functions

Govern

Cultivate a risk-management culture, set policies, assign accountabilities, allocate resources. Govern is cross-cutting - it touches and structures the other three.

Map

Frame the AI system: intended purpose, context of use, stakeholders, data sources, performance metrics, known limitations. Map is where most programmes already have decent material - the inventory just needs structuring.

Measure

Assess and benchmark risks against the measurement categories: validity and reliability, safety, security and resilience, accountability and transparency, explainability and interpretability, privacy, fairness with management of harmful bias.

Manage

Allocate risk-treatment resources, apply controls, and respond to incidents. Manage closes the loop back to Govern with lessons learned.

The NIST AI RMF as a process map

The four functions in the canonical sequence, with the Manage→Map feedback loop that lets the framework track context change.

The NIST AI RMF four functions as a process map

The NIST AI Risk Management Framework 1.0 rendered as a BPMN 2.0 process. Govern, Map, Measure, Manage - the four functions executed in the canonical sequence with the Manage→Map feedback loop that lets the framework track context change.

  1. Govern - cultivate a risk-management culture, set policies, assign accountabilities.
  2. Map - frame the AI system, its context, and its stakeholders.
  3. Measure - assess and benchmark identified risks against the measurement categories in the RMF.
  4. Manage - allocate risk-treatment resources and apply controls.
  5. If context changes (new use case, new data source, new regulation), loop back to Map.
  6. Otherwise the system enters continuous monitoring under the Govern function.

What this diagram shows: The lifecycle starts when an AI system is entered for assessment. Govern runs first - culture, policies, and accountabilities are confirmed. Map captures the system context and stakeholders. Measure assesses against the seven measurement categories (validity, safety, security, accountability, explainability, privacy, fairness). Manage allocates treatment resources and applies controls. The context-change gateway loops back to Map when the system context evolves (new use case, new data source, new regulation); otherwise the system enters continuous monitoring under the Govern function.
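As an added illustration (not BA Copilot's template and not a file from the original page), the lifecycle above can be written as a small BPMN 2.0 XML document and checked programmatically. The Python below embeds a constructed model of the Govern→Map→Measure→Manage sequence with the context-change gateway, then verifies that all four functions exist as tasks, that the canonical handoffs are present as sequence flows, and that the gateway actually loops back to Map. A second constructed model that drops Measure and wires Map straight to Manage reproduces the "implement Govern, document Map, skip Measure" pattern described earlier and fails the check. The element and flow ids (govern, map, f1 ...), the task names, and the targetNamespace are assumptions; only the BPMN 2.0 model namespace is the real one.

```python
"""Check a BPMN 2.0 model of the NIST AI RMF lifecycle for the shape described
on this page. Added example; element ids, names and namespace are assumptions."""
import xml.etree.ElementTree as ET

BPMN_NS = "http://www.omg.org/spec/BPMN/20100524/MODEL"   # real BPMN 2.0 namespace
FUNCTIONS = ("govern", "map", "measure", "manage")         # canonical order
NODE_TAGS = {"startEvent", "task", "exclusiveGateway", "endEvent"}

# Constructed sample model of the lifecycle (assumed ids/names, not a real template).
NIST_AI_RMF_BPMN = """<definitions xmlns="http://www.omg.org/spec/BPMN/20100524/MODEL"
    id="defs_nist_ai_rmf" targetNamespace="http://example.invalid/nist-ai-rmf">
  <process id="nist_ai_rmf_lifecycle" isExecutable="false">
    <startEvent id="start" name="AI system entered for assessment"/>
    <task id="govern" name="Govern"/>
    <task id="map" name="Map"/>
    <task id="measure" name="Measure"/>
    <task id="manage" name="Manage"/>
    <exclusiveGateway id="context_changed" name="Context changed?" default="f7"/>
    <task id="monitor" name="Continuous monitoring (Govern)"/>
    <endEvent id="end" name="Monitoring in place"/>
    <sequenceFlow id="f1" sourceRef="start" targetRef="govern"/>
    <sequenceFlow id="f2" sourceRef="govern" targetRef="map"/>
    <sequenceFlow id="f3" sourceRef="map" targetRef="measure"/>
    <sequenceFlow id="f4" sourceRef="measure" targetRef="manage"/>
    <sequenceFlow id="f5" sourceRef="manage" targetRef="context_changed"/>
    <sequenceFlow id="f6" sourceRef="context_changed" targetRef="map" name="context changed"/>
    <sequenceFlow id="f7" sourceRef="context_changed" targetRef="monitor" name="no change"/>
    <sequenceFlow id="f8" sourceRef="monitor" targetRef="end"/>
  </process>
</definitions>
"""

# The same model with Measure dropped and Map wired straight to Manage:
# the "skip Measure" programme in BPMN form (constructed).
SKIPPED_MEASURE_BPMN = (
    NIST_AI_RMF_BPMN
    .replace('<task id="measure" name="Measure"/>', "")
    .replace('sourceRef="map" targetRef="measure"', 'sourceRef="map" targetRef="manage"')
    .replace('<sequenceFlow id="f4" sourceRef="measure" targetRef="manage"/>', "")
)


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{ns}task' -> 'task')."""
    return tag.rsplit("}", 1)[-1]


def parse_model(xml_text):
    """Return (nodes, edges): nodes maps id -> (tag, name); edges are (source, target)."""
    root = ET.fromstring(xml_text)
    nodes, edges = {}, []
    for el in root.iter():
        tag = _local(el.tag)
        if tag in NODE_TAGS:
            nodes[el.get("id")] = (tag, el.get("name", ""))
        elif tag == "sequenceFlow":
            edges.append((el.get("sourceRef"), el.get("targetRef")))
    return nodes, edges


def check_lifecycle(xml_text):
    """Return a list of findings; an empty list means the model has the expected shape."""
    nodes, edges = parse_model(xml_text)
    findings = []
    ids_by_name = {name.strip().lower(): nid
                   for nid, (tag, name) in nodes.items() if tag == "task"}

    # 1. Every RMF function must be modelled as a task, not just mentioned in a policy.
    for fn in FUNCTIONS:
        if fn not in ids_by_name:
            findings.append(f"function '{fn.title()}' has no task in the model")

    # 2. Every flow must connect nodes that exist (catches hand-edited XML).
    for src, dst in edges:
        for ref in (src, dst):
            if ref not in nodes:
                findings.append(f"sequenceFlow references unknown node '{ref}'")
    if findings:
        return findings  # path checks are meaningless on a structurally broken model

    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)

    # 3. Canonical handoffs Govern -> Map -> Measure -> Manage as direct flows.
    for a, b in zip(FUNCTIONS, FUNCTIONS[1:]):
        if ids_by_name[b] not in succ.get(ids_by_name[a], []):
            findings.append(f"no direct flow from {a.title()} to {b.title()}")

    # 4. Manage must reach an exclusive gateway that can loop back to Map.
    manage_id, map_id = ids_by_name["manage"], ids_by_name["map"]
    gateways = [n for n in succ.get(manage_id, []) if nodes[n][0] == "exclusiveGateway"]
    if not gateways:
        findings.append("Manage does not flow into an exclusive gateway")
    elif not any(map_id in succ.get(g, []) for g in gateways):
        findings.append("context-change gateway has no flow back to Map")
    return findings


if __name__ == "__main__":
    for label, model in (("full lifecycle", NIST_AI_RMF_BPMN),
                         ("Measure skipped", SKIPPED_MEASURE_BPMN)):
        found = check_lifecycle(model)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

The check is deliberately structural: it reads only the `sequenceFlow` graph, so it works on any BPMN 2.0 export regardless of diagram layout, and it fails loudly on the two gaps this page calls out, a function that exists on paper but not in the process, and a lifecycle with no Manage→Map loop.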
Frequently asked questions

What is the NIST AI Risk Management Framework?

The NIST AI Risk Management Framework 1.0, published January 2023, is the US National Institute of Standards and Technology's voluntary framework for managing risks associated with AI systems. It is structured around four functions - govern, map, measure, manage - and was developed under the National AI Initiative Act of 2020. The framework is voluntary at federal level but increasingly referenced by US state laws and federal procurement requirements.

Is NIST AI RMF compliance mandatory?

At federal level it is voluntary. However, several jurisdictions are making it operationally mandatory: federal procurement increasingly requires NIST AI RMF alignment for AI products; several US states (notably Colorado) have incorporated parts of the framework into law; and major enterprise procurement processes routinely ask vendors to demonstrate NIST AI RMF practices. For US-facing firms the answer is increasingly: voluntary in theory, mandatory in practice.

How does NIST AI RMF relate to the EU AI Act?

The two frameworks share intellectual heritage and significant overlap but serve different purposes. The EU AI Act is binding law with explicit prohibitions and conformity-assessment requirements. NIST AI RMF is a voluntary framework that does not prohibit specific uses or require external certification. Pragmatic programmes use NIST AI RMF as the operational methodology and map onto EU AI Act obligations where the firm is in EU scope.

How does NIST AI RMF relate to ISO/IEC 42001?

ISO/IEC 42001 is a certifiable management-system standard (published December 2023). NIST AI RMF is a voluntary framework. The two are highly complementary: ISO 42001 provides the certifiable management-system shape (Plan-Do-Check-Act, control library in Annex A); NIST AI RMF provides the risk-process methodology. Many firms build the management system around ISO 42001 and use NIST AI RMF as the operational risk-process methodology inside it.

How does process mapping fit into NIST AI RMF?

Each of the four functions is fundamentally a process. Govern has policy publication and exception-handling workflows; Map has system-onboarding and stakeholder-engagement workflows; Measure has the assessment workflow itself; Manage has incident response and treatment-allocation workflows. A BPMN process map of each function makes the workflow auditable and lets the framework move from documentation to practice.

Does BA Copilot replace our AI governance platform?

No. BA Copilot is the modelling layer - it produces the BPMN process maps for each of the four functions and for the AI use cases themselves. Dedicated AI governance platforms (Credo AI, Holistic AI, Trustible) own the inventory, risk classification, and evidence repository. BA Copilot integrates by exporting BPMN that the governance platform can attach to use cases.

From the founder

14 Years in BPMN

I'm Jack Finnegan. I've spent fourteen years working hands-on with BPMN, as an analyst, an engineer, and a product director, where I felt every sharp edge of legacy business process platforms.

BA Copilot is the platform I wanted on every one of these projects: AI-first process management, which treats BPMN as a first-class output rather than an export afterthought.

Sources and verification

Last verified 21 May 2026 by Jack Finnegan.

Verified against: NIST AI Risk Management Framework (official)

References cited on this page:

  • NIST AI Risk Management Framework 1.0 (January 2023)

Turn the NIST AI RMF into a working process

Open the NIST AI RMF lifecycle template, model each of the four functions as a working workflow, and produce the BPMN evidence regulators and procurement reviewers can audit.