NIST AI RMF To ISO IEC 42001 Crosswalk

The document crosswalks the NIST AI Risk Management Framework (AI RMF) with the ISO/IEC FDIS 42001 standard for AI management systems. It maps each element of the AI RMF to relevant sections of the ISO standard, showing similarities in how both frameworks address governance, risk assessment, resource management, competence, and stakeholder engagement for developing and using AI systems responsibly.

Uploaded by

Gavin Skitt
NIST AI RMF to ISO/IEC FDIS 42001 AI Management system Crosswalk

Columns: AI RMF subcategory (left) and the mapped ISO/IEC FDIS 42001 clauses (right). Each entry below gives the AI RMF subcategory and its text, followed by the ISO/IEC FDIS 42001 clauses it maps to.

Govern 1.1: Legal and regulatory requirements involving AI are understood, managed, and documented.
ISO/IEC FDIS 42001: 4.1 Understanding the organization and its context; 6.2 AI objectives and planning to achieve them; B.2.2 AI policy; B.2.4 Review of the AI policy

Govern 1.2: The characteristics of trustworthy AI are integrated into organizational policies, processes, procedures, and practices.
ISO/IEC FDIS 42001: B.9.3 Objectives for responsible use of AI system; B.6.1.2 Objectives for responsible development of AI system; B.6.1.3 Processes for responsible design and development of AI systems; B.10.3 Suppliers; B.2.2 AI policy; 4.4 AI management system; 5.2 AI Policy

Govern 1.3: Processes, procedures, and practices are in place to determine the needed level of risk management activities based on the organization's risk tolerance.
ISO/IEC FDIS 42001: 6.1.2 AI risk assessment; 6.1.1 General; 6.1.3 AI risk treatment

Govern 1.4: The risk management process and its outcomes are established through transparent policies, procedures, and other controls based on organizational risk priorities.
ISO/IEC FDIS 42001: 6.1.2 AI risk assessment; 6.1.3 AI risk treatment; 8.3 AI risk treatment

Govern 1.5: Ongoing monitoring and periodic review of the risk management process and its outcomes are planned and organizational roles and responsibilities clearly defined, including determining the frequency of periodic review.
ISO/IEC FDIS 42001: 8.2 AI risk assessment; 8.3 AI risk treatment; 8.4 AI system impact assessment

Govern 1.6: Mechanisms are in place to inventory AI systems and are resourced according to organizational risk priorities.
ISO/IEC FDIS 42001: B.4.5 System and computing resources; B.4.3 Data resources; B.4.4 Tooling resources; B.4.6 Human resources; B.4.2 Resource documentation

Govern 1.7: Processes and procedures are in place for decommissioning and phasing out AI systems safely and in a manner that does not increase risks or decrease the organization's trustworthiness.
ISO/IEC FDIS 42001: B.6.2.6 AI system operation and monitoring

Govern 2.1: Roles and responsibilities and lines of communication related to mapping, measuring, and managing AI risks are documented and are clear to individuals and teams throughout the organization.
ISO/IEC FDIS 42001: 9.1 Monitoring, measurement, analysis and evaluation; 5.3 Roles, responsibilities and authorities; 7.1 Resources; 7.2 Competence; 7.3 Awareness; 7.4 Communication; B.3.2 AI roles and responsibilities

Govern 2.2: The organization's personnel and partners receive AI risk management training to enable them to perform their duties and responsibilities consistent with related policies, procedures, and agreements.
ISO/IEC FDIS 42001: 7.2 Competence

Govern 2.3: Executive leadership of the organization takes responsibility for decisions about risks associated with AI system development and deployment.
ISO/IEC FDIS 42001: 5.1 Leadership and commitment; 9.3.1 General; 9.3.2 Management review inputs; 9.3.3 Management review results; 5.2 AI Policy

Govern 3.1: Decision-making related to mapping, measuring, and managing AI risks throughout the lifecycle is informed by a diverse team (e.g., diversity of demographics, disciplines, experience, expertise, and backgrounds).
ISO/IEC FDIS 42001: B.4.6 Human resources; B.5.4 Assessing AI system impact on individuals and groups of individuals

Govern 3.2: Policies and procedures are in place to define and differentiate roles and responsibilities for human-AI configurations and oversight of AI systems.
ISO/IEC FDIS 42001: B.6.1.3 Processes for responsible design and development of AI systems; B.9.3 Objectives for responsible use of AI system; B.4.6 Human resources; B.5.3 Documentation of AI system impact assessments; 7.2 Competence; B.3.2 Management review inputs

Govern 4.1: Organizational policies and practices are in place to foster a critical thinking and safety-first mindset in the design, development, deployment, and uses of AI systems to minimize potential negative impacts.
ISO/IEC FDIS 42001: B.5.2 AI system impact assessment process; B.6.1.2 Objectives for responsible development of AI system; B.6.1.3 Processes for responsible design and development of AI systems; B.9.2 Processes for responsible use of AI; B.9.3 Objectives for responsible use of AI system; B.10.3 Suppliers; B.5.4 Assessing AI system impact on individuals and groups of individuals

Govern 4.2: Organizational teams document the risks and potential impacts of the AI technology they design, develop, deploy, evaluate, and use, and they communicate about the impacts more broadly.
ISO/IEC FDIS 42001: B.5.4 Assessing AI system impact on individuals and groups of individuals; B.8.5 Information for interested parties; 7.4 Communication; 6.1.4 AI system impact assessment; B.5.5 Assessing societal impacts of AI systems

Govern 4.3: Organizational practices are in place to enable AI testing, identification of incidents, and information sharing.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation; B.6.2.6 AI system operation and monitoring; B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users; B.8.3 External reporting; B.8.4 Communication of incidents; B.8.5 Information for interested parties; B.6.1.2 Objectives for responsible development of AI system; B.6.1.3 Processes for responsible design and development of AI systems

Govern 5.1: Organizational policies and practices are in place to collect, consider, prioritize, and integrate feedback from those external to the team that developed or deployed the AI system regarding the potential individual and societal impacts related to AI risks.
ISO/IEC FDIS 42001: B.10.4 Customers; B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.8.3 External reporting

Govern 5.2: Mechanisms are established to enable the team that developed or deployed AI systems to regularly incorporate adjudicated feedback from relevant AI actors into system design and implementation.
ISO/IEC FDIS 42001: B.8.3 External reporting; B.10.4 Customers; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems; B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.6 AI system operation and monitoring

Govern 6.1: Policies and procedures are in place that address AI risks associated with third-party entities, including risks of infringement of a third-party's intellectual property or other rights.
ISO/IEC FDIS 42001: B.10.2 Allocating responsibilities; B.10.3 Suppliers

Govern 6.2: Contingency processes are in place to handle failures or incidents in third-party data or AI systems deemed to be high-risk.
ISO/IEC FDIS 42001: B.10.2 Allocating responsibilities; B.10.3 Suppliers
Map 1.1: Intended purposes, potentially beneficial uses, context specific laws, norms and expectations, and prospective settings in which the AI system will be deployed are understood and documented. Considerations include: the specific set or types of users along with their expectations; potential positive and negative impacts of system uses to individuals, communities, organizations, society, and the planet; assumptions and related limitations about AI system purposes, uses, and risks across the development or product AI lifecycle; and related TEVV and system metrics.
ISO/IEC FDIS 42001: 6.1.4 AI system impact assessment; B.5.2 AI system impact assessment process; B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems

Map 1.2: Interdisciplinary AI actors, competencies, skills, and capacities for establishing context reflect demographic diversity and broad domain and user experience expertise, and their participation is documented. Opportunities for interdisciplinary collaboration are prioritized.
ISO/IEC FDIS 42001: B.4.6 Human resources; 7.2 Competence

Map 1.3: The organization's mission and relevant goals for AI technology are understood and documented.
ISO/IEC FDIS 42001: 4.1 Understanding the organization and its context; 5.2 AI Policy; 6.2 AI objectives and planning to achieve them; 7.5.3 Control of documented information; 7.3 Awareness; 7.4 Communication

Map 1.4: The business value or context of business use has been clearly defined or – in the case of assessing existing AI systems – re-evaluated.
ISO/IEC FDIS 42001: 5.1 Leadership and commitment; 4.1 Understanding the organization and its context; B.2.2 Customers; B.5.2 AI system impact assessment process; B.9.4 Intended use of the AI system; B.6.2.2 AI system requirements and specification

Map 1.5: Organizational risk tolerances are determined and documented.
ISO/IEC FDIS 42001: 6.1.1 Objective

Map 1.6: System requirements (e.g., "the system shall respect the privacy of its users") are elicited from and understood by relevant AI actors. Design decisions take socio-technical implications into account to address AI risks.
ISO/IEC FDIS 42001: B.6.2.2 AI system requirements and specification; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems

Map 2.1: The specific tasks and methods used to implement the tasks that the AI system will support are defined (e.g., classifiers, generative models, recommenders).
ISO/IEC FDIS 42001: B.6.2.3 Documentation of AI system design and development; B.4.2 Resource documentation; B.4.3 Data resources; B.4.4 Tooling resources; B.4.5 System and computing resources; B.4.6 Human resources

Map 2.2: Information about the AI system's knowledge limits and how system output may be utilized and overseen by humans is documented. Documentation provides sufficient information to assist relevant AI actors when making decisions and taking subsequent actions.
ISO/IEC FDIS 42001: B.6.2.7 AI system technical documentation; B.9.3 Objectives for responsible use of AI system; B.8.2 System documentation and information for users

Map 2.3: Scientific integrity and TEVV considerations are identified and documented, including those related to experimental design, data collection and selection (e.g., availability, representativeness, suitability), system trustworthiness, and construct validation.
ISO/IEC FDIS 42001: B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.7 AI system technical documentation; B.7.2 Data for development and enhancement of AI system; B.7.3 Acquisition of data; B.7.4 Quality of data for AI systems; B.7.5 Data provenance; B.7.6 Data preparation; B.6.2.4 AI system verification and validation

Map 3.1: Potential benefits of intended AI system functionality and performance are examined and documented.
ISO/IEC FDIS 42001: B.5.2 AI system impact assessment process; B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems

Map 3.2: Potential costs, including non-monetary costs, which result from expected or realized AI errors or system functionality and trustworthiness – as connected to organizational risk tolerance – are examined and documented.
ISO/IEC FDIS 42001: B.5.2 AI system impact assessment process; B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems; 8.2 AI risk assessment; 8.3 AI risk treatment; 8.4 AI system impact assessment

Map 3.3: Targeted application scope is specified and documented based on the system's capability, established context, and AI system categorization.
ISO/IEC FDIS 42001: 4.3 Determining the scope of the AI management system; B.5.2 AI system impact assessment process; B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems

Map 3.4: Processes for operator and practitioner proficiency with AI system performance and trustworthiness – and relevant technical standards and certifications – are defined, assessed, and documented.
ISO/IEC FDIS 42001: 7.2 Competence; B.4.6 Human resources

Map 3.5: Processes for human oversight are defined, assessed, and documented in accordance with organizational policies from the GOVERN function.
ISO/IEC FDIS 42001: B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users

Map 4.1: Approaches for mapping AI technology and legal risks of its components – including the use of third-party data or software – are in place, followed, and documented, as are risks of infringement of a third party's intellectual property or other rights.
ISO/IEC FDIS 42001: 4.1 Understanding the organization and its context; B.2.2 AI policy; B.9.2 Processes for responsible use of AI systems; B.9.4 Intended use of the AI system

Map 4.2: Internal risk controls for components of the AI system, including third-party AI technologies, are identified and documented.
ISO/IEC FDIS 42001: B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users; B.10.3 Suppliers

Map 5.1: Likelihood and magnitude of each identified impact (both potentially beneficial and harmful) based on expected use, past uses of AI systems in similar contexts, public incident reports, feedback from those external to the team that developed or deployed the AI system, or other data are identified and documented.
ISO/IEC FDIS 42001: 6.1.2 AI risk assessment; B.5.2 AI system impact assessment process

Map 5.2: Practices and personnel for supporting regular engagement with relevant AI actors and integrating feedback about positive, negative, and unanticipated impacts are in place and documented.
ISO/IEC FDIS 42001: B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.6 AI system operation and monitoring; B.8.3 External reporting
Measure 1.1: Approaches and metrics for measurement of AI risks enumerated during the MAP function are selected for implementation starting with the most significant AI risks. The risks or trustworthiness characteristics that will not – or cannot – be measured are properly documented.
ISO/IEC FDIS 42001: 6.1.1 General; 6.1.2 AI risk assessment

Measure 1.2: Appropriateness of AI metrics and effectiveness of existing controls are regularly assessed and updated, including reports of errors and potential impacts on affected communities.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.2 AI system impact assessment process; B.5.5 Assessing societal impacts of AI systems

Measure 1.3: Internal experts who did not serve as front-line developers for the system and/or independent assessors are involved in regular assessments and updates. Domain experts, users, AI actors external to the team that developed or deployed the AI system, and affected communities are consulted in support of assessments as necessary per organizational risk tolerance.
ISO/IEC FDIS 42001: 6.1.2 AI risk assessment; 9.2.2 Internal audit programme; B.5.2 AI system impact assessment process; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems

Measure 2.1: Test sets, metrics, and details about the tools used during TEVV are documented.
ISO/IEC FDIS 42001: B.8.4 Communication of incidents; B.6.2.4 AI system verification and validation; B.6.2.7 AI system technical documentation; B.4.2 Resource documentation

Measure 2.2: Evaluations involving human subjects meet applicable requirements (including human subject protection) and are representative of the relevant population.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation

Measure 2.3: AI system performance or assurance criteria are measured qualitatively or quantitatively and demonstrated for conditions similar to deployment setting(s). Measures are documented.
ISO/IEC FDIS 42001: B.7.4 Quality of data for AI systems; B.6.2.6 AI system operation and monitoring

Measure 2.4: The functionality and behavior of the AI system and its components – as identified in the MAP function – are monitored when in production.
ISO/IEC FDIS 42001: 9.1 Monitoring, measurement, analysis and evaluation; B.6.2.6 AI system operation and monitoring; B.6.2.8 AI system recording of event logs

Measure 2.5: The AI system to be deployed is demonstrated to be valid and reliable. Limitations of the generalizability beyond the conditions under which the technology was developed are documented.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation; B.6.2.5 AI system deployment; B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users

Measure 2.6: The AI system is evaluated regularly for safety risks – as identified in the MAP function. The AI system to be deployed is demonstrated to be safe, its residual negative risk does not exceed the risk tolerance, and it can fail safely, particularly if made to operate beyond its knowledge limits. Safety metrics reflect system reliability and robustness, real-time monitoring, and response times for AI system failures.
ISO/IEC FDIS 42001: B.6.2.8 AI system recording of event logs; B.6.2.6 AI system operation and monitoring; B.6.2.4 AI system verification and validation; 8.2 AI risk assessment

Measure 2.7: AI system security and resilience – as identified in the MAP function – are evaluated and documented.
ISO/IEC FDIS 42001: B.7.2 Data for development and enhancement of AI system; B.3.2 AI roles and responsibilities; B.2.3 Alignment with other organizational policies; B.5.2 AI system impact assessment process; B.6.1.2 Objectives for responsible development of AI system; B.6.2.3 Documentation of AI system design and development; B.9.3 Objectives for responsible use of AI system

Measure 2.8: Risks associated with transparency and accountability – as identified in the MAP function – are examined and documented.
ISO/IEC FDIS 42001: B.7.2 Data for development and enhancement of AI system; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems; B.6.1.2 Objectives for responsible development of AI system; B.9.3 Objectives for responsible use of AI system; 6.1.2 AI risk assessment

Measure 2.9: The AI model is explained, validated, and documented, and AI system output is interpreted within its context – as identified in the MAP function – to inform responsible use and governance.
ISO/IEC FDIS 42001: B.7.5 Data provenance; B.6.2.5 AI system deployment; B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users

Measure 2.10: Privacy risk of the AI system – as identified in the MAP function – is examined and documented.
ISO/IEC FDIS 42001: B.5.2 AI system impact assessment process; B.7.2 Data for development and enhancement of AI system; B.7.3 Acquisition of data; B.2.3 Alignment with other organizational policies

Measure 2.11: Fairness and bias – as identified in the MAP function – are evaluated and results are documented.
ISO/IEC FDIS 42001: B.5.5 Assessing societal impacts of AI systems; B.5.4 Assessing AI system impact on individuals and groups of individuals

Measure 2.12: Environmental impact and sustainability of AI model training and management activities – as identified in the MAP function – are assessed and documented.
ISO/IEC FDIS 42001: B.5.5 Assessing societal impacts of AI systems; B.4.5 System and computing resources

Measure 2.13: Effectiveness of the employed TEVV metrics and processes in the MEASURE function are evaluated and documented.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation; B.6.2.6 AI system operation and monitoring

Measure 3.1: Approaches, personnel, and documentation are in place to regularly identify and track existing, unanticipated, and emergent AI risks based on factors such as intended and actual performance in deployed contexts.
ISO/IEC FDIS 42001: 8.2 AI risk assessment; 4.4 AI management system; 8.4 AI system impact assessment

Measure 3.2: Risk tracking approaches are considered for settings where AI risks are difficult to assess using currently available measurement techniques or where metrics are not yet available.
ISO/IEC FDIS 42001: B.6.2.8 AI system recording of event logs; B.6.2.6 AI system operation and monitoring; 10.1 Continual improvement

Measure 3.3: Feedback processes for end users and impacted communities to report problems and appeal system outcomes are established and integrated into AI system evaluation metrics.
ISO/IEC FDIS 42001: B.8.2 System documentation and information for users; B.8.4 Communication of incidents; B.8.3 External reporting

Measure 4.1: Measurement approaches for identifying AI risks are connected to deployment context(s) and informed through consultation with domain experts and other end users. Approaches are documented.
ISO/IEC FDIS 42001: B.6.2.4 AI system verification and validation; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.5.5 Assessing societal impacts of AI systems; 9.1 Monitoring, measurement, analysis and evaluation

Measure 4.2: Measurement results regarding AI system trustworthiness in deployment context(s) and across the AI lifecycle are informed by input from domain experts and relevant AI actors to validate whether the system is performing consistently as intended. Results are documented.
ISO/IEC FDIS 42001: 9.1 Monitoring, measurement, analysis and evaluation; B.8.2 System documentation and information for users; 9.2.1 General; B.8.3 External reporting

Measure 4.3: Measurable performance improvements or declines based on consultations with relevant AI actors, including affected communities, and field data about context relevant risks and trustworthiness characteristics are identified and documented.
ISO/IEC FDIS 42001: 9.3.1 General; B.6.2.6 AI system operation and monitoring; B.6.2.7 AI system technical documentation
Manage 1.1: A determination is made as to whether the AI system achieves its intended purposes and stated objectives and whether its development or deployment should proceed.
ISO/IEC FDIS 42001: B.9.3 Objectives for responsible use of AI system; B.9.2 Processes for responsible use of AI systems; B.9.4 Intended use of the AI system; B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.4 AI system verification and validation

Manage 1.2: Treatment of documented AI risks is prioritized based on impact, likelihood, and available resources or methods.
ISO/IEC FDIS 42001: 9.3.3 Management review results; 6.1.2 AI risk assessment; 6.1.3 AI risk treatment; 6.1.4 AI system impact assessment

Manage 1.3: Responses to the AI risks deemed high priority, as identified by the MAP function, are developed, planned, and documented. Risk response options can include mitigating, transferring, avoiding, or accepting.
ISO/IEC FDIS 42001: 6.1.1 General; 6.1.2 AI risk assessment; 6.1.3 AI risk treatment; 6.1.4 AI system impact assessment

Manage 1.4: Negative residual risks (defined as the sum of all unmitigated risks) to both downstream acquirers of AI systems and end users are documented.
ISO/IEC FDIS 42001: B.5.3 Documentation of AI system impact assessments; B.5.4 Assessing AI system impact on individuals and groups of individuals; B.6.2.7 AI system technical documentation; B.8.2 System documentation and information for users

Manage 2.1: Resources required to manage AI risks are taken into account – along with viable non-AI alternative systems, approaches, or methods – to reduce the magnitude or likelihood of potential impacts.
ISO/IEC FDIS 42001: B.4.2 Resource documentation; 7.1 Resources

Manage 2.2: Mechanisms are in place and applied to sustain the value of deployed AI systems.
ISO/IEC FDIS 42001: B.3.3 Reporting of concerns; B.6.1.2 Objectives for responsible development of AI system; B.6.1.3 Processes for responsible design and development of AI systems; B.6.2.4 AI system verification and validation; B.6.2.6 AI system operation and monitoring; B.7.2 Data for development and enhancement of AI system; 7.1 Resources; 10.1 Continual improvement

Manage 2.3: Procedures are followed to respond to and recover from a previously unknown risk when it is identified.
ISO/IEC FDIS 42001: 10.2 Nonconformity and corrective action; 6.1.1 General; 6.1.2 AI risk assessment; 6.1.3 AI risk treatment

Manage 2.4: Mechanisms are in place and applied, and responsibilities are assigned and understood, to supersede, disengage, or deactivate AI systems that demonstrate performance or outcomes inconsistent with intended use.
ISO/IEC FDIS 42001: B.9.4 Intended use of the AI system; B.8.2 System documentation and information for users; B.6.2.7 AI system technical documentation; B.6.1.3 Processes for responsible design and development of AI systems

Manage 3.1: AI risks and benefits from third-party resources are regularly monitored, and risk controls are applied and documented.
ISO/IEC FDIS 42001: B.10.3 Suppliers; B.10.2 Allocating responsibilities

Manage 3.2: Pre-trained models which are used for development are monitored as part of AI system regular monitoring and maintenance.
ISO/IEC FDIS 42001: B.4.4 Tooling resources; B.6.2.6 AI system operation and monitoring

Manage 4.1: Post-deployment AI system monitoring plans are implemented, including mechanisms for capturing and evaluating input from users and other relevant AI actors, appeal and override, decommissioning, incident response, recovery, and change management.
ISO/IEC FDIS 42001: 9.2.1 General; B.6.2.6 AI system operation and monitoring; B.8.3 External reporting; B.10.4 Customers

Manage 4.2: Measurable activities for continual improvements are integrated into AI system updates and include regular engagement with interested parties, including relevant AI actors.
ISO/IEC FDIS 42001: 9.3.3 Management review results; B.6.2.4 AI system verification and validation; B.6.2.6 AI system operation and monitoring

Manage 4.3: Incidents and errors are communicated to relevant AI actors, including affected communities. Processes for tracking, responding to, and recovering from incidents and errors are followed and documented.
ISO/IEC FDIS 42001: 9.3.2 Management review inputs; B.8.5 Information for interested parties; B.6.2.6 AI system operation and monitoring
