AI Governance Frameworks: NIST AI RMF vs EU AI Act vs ISO 42001
Reviewed: June 4, 2026
As AI regulation accelerates globally, organizations deploying AI systems face a complex landscape of governance frameworks. Three frameworks have emerged as the most influential: the NIST AI Risk Management Framework (AI RMF 1.0), the EU AI Act, and ISO/IEC 42001:2023. Understanding their differences, overlaps, and compliance requirements is essential for any organization building or deploying AI.
This guide provides a detailed comparison, practical compliance checklists, and an implementation roadmap for each framework.
Table of Contents
- Framework Overview
- NIST AI Risk Management Framework
- EU AI Act
- ISO/IEC 42001:2023
- Head-to-Head Comparison
- Compliance Checklists
- Implementation Roadmap
- Conclusion
1. Framework Overview
| | NIST AI RMF | EU AI Act | ISO 42001 |
|---|---|---|---|
| Type | Voluntary framework | Binding regulation | Certifiable standard |
| Issuer | US National Institute of Standards and Technology | European Union | International Organization for Standardization |
| Status | Published Jan 2023 | In force Aug 2024, phased enforcement | Published Dec 2023 |
| Scope | All AI systems (US-focused) | AI systems placed on EU market or affecting EU persons | All organizations (global) |
| Enforcement | None (voluntary) | Fines up to €35M or 7% of global revenue | Third-party certification |
2. NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI RMF is a voluntary framework designed to help organizations manage AI risks. It’s structured around four core functions that form a continuous cycle:
2.1 Govern (GV)
Establishes the organizational culture, processes, and structures for managing AI risk. This is the foundation that enables the other three functions.
- GV-1: Policies and procedures for AI risk management are established and documented
- GV-2: Accountability structures for AI system development and deployment are clear
- GV-3: Workforce AI literacy and training programs are in place
- GV-4: Processes for engaging with diverse stakeholders and affected communities
2.2 Map (MP)
Establishes the context and scope of AI systems, identifying stakeholders, intended uses, and potential impacts.
- MP-1: Context and purpose of the AI system are clearly defined
- MP-2: Stakeholders, users, and affected parties are identified
- MP-3: AI system requirements and capabilities are documented
- MP-4: Risks and benefits for all stakeholders are mapped
2.3 Measure (MA)
Employs quantitative and qualitative tools to analyze, assess, benchmark, and monitor AI risk.
- MA-1: AI system performance metrics are established and tracked
- MA-2: Explainability and interpretability methods are applied
- MA-3: Privacy and security impacts are measured
- MA-4: Fairness and bias metrics are monitored
2.4 Manage (MG)
Allocates risk resources to mapped and measured risks on a regular basis.
- MG-1: Risk treatment plans are implemented based on measurement results
- MG-2: Risk responses for deployed AI systems are monitored
- MG-3: Residual risks are documented and communicated
- MG-4: Feedback mechanisms for continuous improvement are established
3. EU AI Act
The EU AI Act is the world’s first comprehensive AI regulation. It takes a risk-based approach, categorizing AI systems into four risk tiers with escalating requirements.
3.1 Risk Tiers
| Risk Level | Description | Examples | Requirements |
|---|---|---|---|
| Unacceptable | Prohibited practices | Social scoring, real-time biometric surveillance in public, manipulative AI | Banned outright |
| High Risk | Significant potential harm | CV-screening tools, medical devices, credit scoring, critical infrastructure | Full compliance: risk management, data governance, transparency, human oversight, conformity assessment |
| Limited Risk | Transparency concerns | Chatbots, deepfakes, emotion recognition | Transparency obligations (users must know they’re interacting with AI) |
| Minimal Risk | Low or no risk | AI-powered spam filters, video game AI, inventory management | No specific requirements (voluntary code of conduct encouraged) |
3.2 Key Requirements for High-Risk AI Systems
- Risk Management System: Continuous risk identification, assessment, and mitigation throughout the AI system lifecycle
- Data Governance: Training data must be relevant, representative, and as free from bias as possible
- Technical Documentation: Comprehensive documentation enabling authorities to assess compliance
- Record-Keeping: Automatic logs of the AI system’s operations for at least 6 months
- Transparency: Users must be informed they’re interacting with an AI system
- Human Oversight: Systems must be designed to allow human intervention and override
- Accuracy & Robustness: Systems must perform consistently and be resilient to errors and attacks
- Conformity Assessment: Third-party or self-assessment before market placement
3.3 Penalties
- Up to €35 million or 7% of global annual turnover for prohibited AI practices
- Up to €15 million or 3% for most other violations
- Up to €7.5 million or 1.5% for supplying incorrect information
3.4 General-Purpose AI (GPAI) Requirements
The Act also covers foundation models and general-purpose AI systems:
- All GPAI providers must provide technical documentation and comply with EU copyright law
- GPAI models with "systemic risk" (trained with >10^25 FLOPs) face additional requirements including model evaluations, adversarial testing, and incident reporting
- Open-source GPAI models have reduced requirements unless they pose systemic risk
4. ISO/IEC 42001:2023
ISO 42001 is the first international standard for AI Management Systems (AIMS). It provides a certifiable framework for organizations to responsibly develop, provide, or use AI systems.
4.1 Structure (Based on Annex SL)
ISO 42001 follows the standard management system structure, making it compatible with existing ISO standards (9001, 27001, etc.):
- Scope
- Normative References
- Terms and Definitions
- Context of the Organization — Understanding the organization, its context, and stakeholder needs
- Leadership — Top management commitment, AI policy, roles and responsibilities
- Planning — Risk assessment, AI impact assessment, planning of actions
- Support — Resources, competence, awareness, communication, documented information
- Operation — Operational planning, AI system lifecycle, supplier management
- Performance Evaluation — Monitoring, measurement, internal audit, management review
- Improvement — Nonconformity, corrective action, continual improvement
4.2 Key Requirements
- AI Policy: Organization must establish an AI policy aligned with its purpose and context
- AI Impact Assessment: Systematic assessment of impacts on individuals, groups, and society
- Risk Assessment: Identification and treatment of AI-specific risks
- Data Management: Policies for data quality, provenance, and lifecycle management
- System Lifecycle: Defined processes for design, development, deployment, monitoring, and decommissioning
- Third-Party Management: Requirements for AI suppliers and partners
- Transparency: Documentation of AI system capabilities, limitations, and decision-making processes
4.3 Certification Process
- Implement the AIMS according to ISO 42001 requirements
- Conduct internal audits and management reviews
- Engage an accredited certification body
- Stage 1 audit (documentation review)
- Stage 2 audit (implementation verification)
- Receive certification (valid for 3 years with annual surveillance audits)
5. Head-to-Head Comparison
| Dimension | NIST AI RMF | EU AI Act | ISO 42001 |
|---|---|---|---|
| Nature | Voluntary guidance | Binding law | Certifiable standard |
| Geographic scope | US (global influence) | EU/EEA (global impact) | Global |
| Risk approach | Context-dependent | Tiered risk categories | Organization-wide risk management |
| Enforcement | None | Regulatory fines | Certification body audits |
| Focus | Risk management process | Product compliance | Management system |
| Certification | No | Conformity assessment | Yes (3-year cycle) |
| Best for | Getting started, US organizations | EU market access | Enterprise-wide AI governance |
6. Compliance Checklists
NIST AI RMF Quick Checklist
- [ ] AI risk management policy documented and approved by leadership
- [ ] AI system inventory maintained with context and purpose for each system
- [ ] Stakeholder mapping completed for all AI systems
- [ ] Performance metrics defined and tracked for each AI system
- [ ] Bias and fairness assessments conducted regularly
- [ ] Risk treatment plans in place with assigned owners
- [ ] Feedback mechanisms established for continuous improvement
- [ ] Workforce AI literacy training program active
EU AI Act Quick Checklist (High-Risk Systems)
- [ ] AI system risk classification completed
- [ ] Risk management system implemented and documented
- [ ] Data governance practices established for training data
- [ ] Technical documentation prepared per Annex IV
- [ ] Record-keeping and logging systems in place
- [ ] Transparency notices provided to users
- [ ] Human oversight mechanisms implemented
- [ ] Accuracy, robustness, and cybersecurity measures verified
- [ ] Conformity assessment completed
- [ ] EU Declaration of Conformity issued
- [ ] CE marking affixed
ISO 42001 Quick Checklist
- [ ] AI policy established and communicated
- [ ] Context analysis completed (internal/external issues, stakeholder needs)
- [ ] AI impact assessments conducted for all AI systems
- [ ] Risk assessment methodology defined and applied
- [ ] AI system lifecycle processes documented
- [ ] Competence requirements defined for AI roles
- [ ] Supplier and partner AI requirements established
- [ ] Internal audit program active
- [ ] Management review conducted at planned intervals
- [ ] Continual improvement process in place
7. Implementation Roadmap
For organizations looking to comply with all three frameworks simultaneously, here’s a phased approach:
Phase 1: Foundation (Months 1-3)
- Establish AI governance structure and appoint responsible roles
- Create AI inventory — catalog all AI systems in use or development
- Develop AI policy covering ethics, risk management, and responsible use
- Conduct initial risk and impact assessments for all AI systems
Phase 2: Framework Alignment (Months 3-6)
- Map existing practices to NIST AI RMF functions (Govern, Map, Measure, Manage)
- Classify AI systems under EU AI Act risk tiers
- Establish technical documentation standards
- Implement data governance practices for high-risk systems
Phase 3: Implementation (Months 6-9)
- Deploy risk management systems for high-risk AI systems
- Implement human oversight mechanisms
- Establish logging and record-keeping systems
- Conduct bias and fairness audits
- Prepare for ISO 42001 certification (if pursuing)
Phase 4: Certification & Continuous Improvement (Months 9-12)
- Complete EU AI Act conformity assessments for high-risk systems
- Engage certification body for ISO 42001 (if applicable)
- Establish continuous monitoring and improvement processes
- Conduct regular internal audits and management reviews
8. Conclusion
These three frameworks are complementary, not competing. The NIST AI RMF provides the foundational risk management approach. The EU AI Act sets the regulatory baseline for the European market. ISO 42001 provides the certifiable management system for enterprise-wide governance.
Organizations that invest in aligning with all three frameworks simultaneously will be best positioned for global AI compliance, reduced risk, and competitive advantage. The key is to start with governance fundamentals, then layer on specific regulatory requirements based on your market and risk profile.
Last updated: May 2026
