
NIST AI Risk Management Framework: Mapping to Colorado SB 24-205

Jason Pellerin

Why NIST AI RMF Matters for Colorado Compliance

The NIST AI Risk Management Framework isn't just a nice-to-have — it's explicitly referenced in Colorado SB 24-205 as a qualifying framework for the affirmative defense. Organizations that demonstrate good-faith alignment with NIST AI RMF receive a rebuttable presumption of compliance.

Released in January 2023 by the National Institute of Standards and Technology, the AI RMF 1.0 provides a structured, voluntary approach to managing AI risks. It's technology-agnostic, scalable from startups to enterprises, and designed to be integrated into existing risk management processes.

GOVERN → Risk Management Policy

The GOVERN function establishes organizational AI governance: policies, roles, accountability, and culture.

SB 24-205 mapping:

  • GV.1 (Policies) → Your documented, public-facing risk management policy. Must describe how AI risks are identified, assessed, and mitigated.
  • GV.2 (Accountability) → Clear ownership of AI compliance. Who is responsible for bias audits? Impact assessments? AG notification?
  • GV.3 (Workforce) → Training records for staff involved in AI governance. SB 24-205 requires competent oversight.
  • GV.4 (Culture) → Organizational commitment to responsible AI. Internal communications, training, and leadership engagement.

MAP → AI System Inventory & Classification

The MAP function is about understanding context: what AI systems exist, what they do, and who they affect.

SB 24-205 mapping:

  • MP.1 (Context) → Inventory of all AI systems with their purposes, intended uses, and affected populations
  • MP.2 (Impact) → Classification of which systems make "consequential decisions" under the statute
  • MP.3 (Stakeholders) → Identification of affected consumers and communities
  • MP.4 (Risks) → Known risks of algorithmic discrimination for each system, including data bias and proxy variable issues

CO-AIMS implements MAP through its system registry — you register each AI tool, classify its risk level, document its decision scope, and identify affected populations.

MEASURE → Bias Audits & Impact Assessments

MEASURE is about quantifying AI risks through testing, evaluation, and monitoring.

SB 24-205 mapping:

  • MS.1 (Testing) → Regular bias audits using statistical methodologies (disparate impact ratio, significance testing, demographic parity)
  • MS.2 (Evaluation) → Annual impact assessments documenting system purposes, risks, data sources, and oversight mechanisms
  • MS.3 (Monitoring) → Continuous monitoring for algorithmic discrimination, not just point-in-time audits
  • MS.4 (Metrics) → Defined thresholds and alerting criteria for bias detection
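As an added illustration (not code from the original page or from CO-AIMS), here is a small Python bias audit that computes the three MS.1 methodologies named above (disparate impact ratio, a two-proportion significance test, demographic parity gap) and raises MS.4-style alerts when a threshold is crossed. The decision data is constructed, and the thresholds (the four-fifths rule at 0.8, a 0.1 parity gap, a 1.96 z critical value) are assumed policy values, not figures from the statute.

```python
from collections import Counter
from math import sqrt

# Constructed sample (not real data): (group, outcome) pairs from a hypothetical
# consequential-decision system, outcome 1 = favourable decision (e.g. approved).
SAMPLE_DECISIONS = (
    [("A", 1)] * 80 + [("A", 0)] * 20    # group A: 80 of 100 favourable
    + [("B", 1)] * 60 + [("B", 0)] * 40  # group B: 60 of 100 favourable
)

def group_counts(decisions):
    """Return {group: (favourable, total)} tallies."""
    fav, tot = Counter(), Counter()
    for group, outcome in decisions:
        tot[group] += 1
        fav[group] += outcome
    return {g: (fav[g], tot[g]) for g in tot}

def selection_rates(counts):
    return {g: f / t for g, (f, t) in counts.items()}

def two_proportion_z(counts, g1, g2):
    """Pooled two-proportion z statistic for the gap between two groups' rates."""
    f1, n1 = counts[g1]
    f2, n2 = counts[g2]
    pooled = (f1 + f2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    return (f1 / n1 - f2 / n2) / se

def bias_audit(decisions, dir_threshold=0.8, parity_threshold=0.1, z_critical=1.96):
    """Compute the MEASURE metrics and emit alerts when a threshold is crossed.
    Thresholds are assumed policy values: 0.8 is the widely used four-fifths rule;
    the 0.1 parity gap and 1.96 (two-sided 5% level) are illustrative defaults."""
    counts = group_counts(decisions)
    rates = selection_rates(counts)
    reference = max(rates, key=rates.get)   # highest-rate group is the reference
    worst = min(rates, key=rates.get)
    dir_ = {g: r / rates[reference] for g, r in rates.items()}
    parity_gap = rates[reference] - rates[worst]
    z = two_proportion_z(counts, reference, worst)
    alerts = [f"{g}: disparate impact ratio {r:.2f} < {dir_threshold}"
              for g, r in dir_.items() if r < dir_threshold]
    if parity_gap > parity_threshold:
        alerts.append(f"demographic parity gap {parity_gap:.2f} > {parity_threshold}")
    if abs(z) > z_critical:
        alerts.append(f"rate gap {reference} vs {worst} is significant (z={z:.2f})")
    return {"rates": rates, "disparate_impact": dir_, "parity_gap": parity_gap,
            "z": z, "alerts": alerts}

if __name__ == "__main__":
    for line in bias_audit(SAMPLE_DECISIONS)["alerts"]:
        print("ALERT:", line)
```

Run on a production decision log, the alert list is what a continuous-monitoring job (MS.3) would feed into incident tracking; the sample data trips all three thresholds.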

MANAGE → Incident Response & Remediation

MANAGE covers risk treatment: what you do when issues are found.

SB 24-205 mapping:

  • MG.1 (Response) → Incident response procedures for algorithmic discrimination, including 90-day AG notification
  • MG.2 (Remediation) → Cure procedures: identify the cause, implement the fix, verify effectiveness
  • MG.3 (Communication) → Consumer disclosure mechanisms and appeal/human review processes
  • MG.4 (Documentation) → Three-year record retention of all audits, assessments, incidents, and remediations

CO-AIMS ties all four NIST functions into a single platform. Your GOVERN dashboard shows policy status and training completion. MAP is your system registry. MEASURE runs automated bias audits and generates impact assessments. MANAGE handles incident tracking, remediation, and evidence bundle generation.

Frequently Asked Questions

Is NIST AI RMF mandatory for Colorado compliance?

No — NIST AI RMF is voluntary. However, it's explicitly referenced in SB 24-205 as a qualifying framework for the affirmative defense. Following it gives you a rebuttable presumption of compliance, making it strongly recommended even though not mandatory.

What is the difference between NIST AI RMF and ISO 42001?

NIST AI RMF is a U.S. government framework focused on risk management functions (Govern, Map, Measure, Manage). ISO 42001 is an international standard for AI management systems with certification options. Both qualify for Colorado's affirmative defense. NIST is more commonly adopted by U.S. organizations.

How do I demonstrate NIST AI RMF alignment?

Document how each NIST function and subcategory is addressed in your AI governance program. Maintain evidence of implementation: policies, audit results, impact assessments, training records, and incident responses. A gap analysis against each subcategory is the standard starting point.

Automate Your Colorado AI Compliance

CO-AIMS handles bias audits, impact assessments, consumer disclosures, and evidence bundles — so you can focus on your business.

Jason Pellerin

AI Solutionist and founder of CO-AIMS. Building compliance infrastructure for Colorado's AI Act. Helping law firms, healthcare providers, and enterprises navigate SB 24-205 with automated governance.