Overview & purpose

This Operational Playbook turns the NIST AI Risk Management Framework into practical workflows embedded in day-to-day AI lifecycle operations. It defines how teams govern responsibly, map context and risk, measure trustworthiness, and manage continuous improvement. All four functions are aligned to ISO/IEC 42001 AIMS clauses and EU AI Act compliance duties.

GOVERN function

• Establish AI governance charter approved by Leadership and the AI Governance Board.
• Define roles and responsibilities — Model Owner, Oversight Officer, Compliance Lead.
• Integrate AI policies (Master Policy, Ethical Charter, Data Governance) into AIMS document control.
• Track risk appetite, tolerances, and KPIs in quarterly Management Review.
• Maintain an AI Governance Dashboard showing policy status, training, risk and audit coverage.

MAP function

• Contextualise each AI system — purpose, users, stakeholders, intended use and limitations.
• Identify ethical, safety, legal and operational risks per use case.
• Develop AI Risk Profiles with impact matrices and harms taxonomy.
• Link to EU AI Act risk classification (Annex III categories).
• Store profiles in AIMS Risk Register for traceability and audit.

MEASURE function

• Define trustworthiness metrics for each model: accuracy, fairness, robustness, explainability, security, privacy.
• Quantitative KPIs (monitored via dashboards): Bias ≤ 2%, Model Drift ≤ 5%, Availability ≥ 99%.
• Run periodic testing and validation scripts during CI/CD builds.
• Document results and feed into Management Review and CAPA logs.

MANAGE function

• Implement risk treatments and CAPAs identified in the MAP/MEASURE stages.
• Automate incident alerts, risk threshold breaches, and oversight escalations.
• Conduct post-incident reviews and feed lessons into continuous improvement cycle (§10).
• Update AIMS documents and evidence register after each control change.

Integration with ISO 42001 & EU AI Act

• GOVERN ↔ ISO §5/6 (Leadership & Planning) · EU AI Act Art 9 – Risk Management System.
• MAP ↔ ISO §8 (Operational Controls) · EU AI Act Annex III – Classification.
• MEASURE ↔ ISO §9 (Performance Evaluation) · EU AI Act Art 61 – Monitoring.
• MANAGE ↔ ISO §10 (Improvement) · EU AI Act Art 62 – Corrective actions.

Tooling & automation examples

• Integrate CI/CD pipelines with compliance checks (MLflow, Azure ML, Vertex AI, etc.).
• Automate evidence uploads to AIMS repository using APIs or Make.com workflows.
• Use dashboards (Google Looker / Power BI) for live risk & metric tracking.

Metrics & reporting

• Monthly Trustworthiness Score = (weighted average of accuracy, bias, robustness).
• Quarterly AI Risk Exposure Index aggregates open risks and residual severity.
• KPIs reported to AI Governance Board and included in Management Review.

Common pitfalls & best practice

• Static frameworks: Operationalise RMF via automation and real-time monitoring.
• No link to AIMS: Map each RMF activity to ISO 42001 clause for audit traceability.
• Missing metrics: Always quantify bias, robustness, explainability KPIs.
• Over-documentation: Use dashboards and version-controlled evidence instead of manual spreadsheets.

Implementation checklist

• NIST AI RMF Operational Playbook approved and communicated.
• Roles & responsibilities mapped to AIMS controls.
• Dashboards & metrics live for Govern/Map/Measure/Manage.
• Quarterly report submitted to AI Governance Board.

© Zen AI Governance UK Ltd • Regulatory Knowledge • v1 11 Nov 2025 • This page is general guidance, not legal advice.