Governance & guardrails
AI compliance framework: NIST AI RMF vs ISO 42001 vs the EU AI Act
An AI compliance framework question usually arrives as three names in one sentence: NIST AI RMF, ISO/IEC 42001, EU AI Act. Plenty of pages list all three. Almost none map them to each other, so that's what this page does, in one table you can work from.
Which one applies to you
The short version: the EU AI Act applies if your AI systems or their outputs touch the EU market, and it's the only one of the three that can fine you. ISO/IEC 42001 applies if a customer, a regulator, or your board wants third-party proof; it's voluntary but auditable. The NIST AI RMF applies to everyone in practice, because it's free, respected, and the vocabulary US enterprises and insurers now use. Most mid-to-large US companies end up with: NIST as the working method, ISO 42001 if and when someone demands a certificate, and EU AI Act classification for any system with European reach.
The three regimes at a glance
| NIST AI RMF | ISO/IEC 42001 | EU AI Act | |
|---|---|---|---|
| What it is | Voluntary risk management framework (NIST AI 100-1) | Certifiable AI management system standard (ISO/IEC 42001:2023) | Binding regulation (Reg. (EU) 2024/1689) |
| Published / in force | Released 26 Jan 2023; a 1.0 revision is underway | Published Dec 2023; the first AIMS standard | In force 1 Aug 2024; obligations phase in through 2028 |
| Who it binds | Nobody; adopted by choice or by contract | Whoever seeks certification | Providers and deployers whose systems reach the EU |
| Structure | Four functions: Govern, Map, Measure, Manage | Clauses 4 to 10 plus 38 Annex A controls in 9 domains | Risk tiers: prohibited, high-risk, transparency, minimal |
| External proof | None; self-attestation only | Accredited certification, three-year cycle | Conformity assessment for high-risk systems |
The crosswalk: one set of controls, three regimes
These three weren't written in isolation. NIST publishes an official crosswalk between the AI RMF and ISO 42001, and the EU AI Act's Article 40 lets harmonised standards carry a presumption of conformity. Published crosswalk analyses put ISO 42001 or the NIST AI RMF at roughly 60 to 70 percent of the Act's management-system and risk-governance requirements. So the sane strategy is to build each governance capability once and know where it lands in all three. That mapping, capability by capability:
| What you have to stand up | NIST AI RMF | ISO/IEC 42001:2023 | EU AI Act |
|---|---|---|---|
| Set policy, roles, and accountability | Govern: risk culture, policies, and clearly assigned roles | Clause 5 (leadership and commitment); A.2 AI policy; A.3 roles and reporting of concerns | Obligations attach to a named role, provider or deployer. Step one is knowing which you are for each system. |
| Inventory your AI systems and their context | Map: establish context, categorize each system | Clause 4 (context of the organisation); A.4 resources for AI systems documented | Classify every system: prohibited (Art. 5), high-risk (Art. 6 and Annex III), transparency-only (Art. 50), or minimal risk |
| Assess the risk | Map and Measure: identify risks, then analyze and track them | Clause 6.1 (risk assessment and risk treatment, with a Statement of Applicability) | High-risk systems need a risk assessment and mitigation system before they go to market |
| Assess impact on people | Map: impacts on individuals, groups, and society | A.5 AI system impact assessment: process, documentation, individual and societal impact | The high-risk categories are impact-defined: health, safety, and fundamental rights (hiring, credit, education, and so on) |
| Govern the data | Map and Measure: data provenance and quality as tracked risk factors | A.7 data for AI systems: acquisition, quality, provenance, preparation | High-risk: dataset quality requirements aimed at minimizing discriminatory outcomes |
| Control the system lifecycle | Manage: risk response built into design, deployment, and operation | A.6 AI system life cycle: nine controls from requirements and verification through deployment and event logs | High-risk: detailed technical documentation and activity logging for traceability |
| Tell people what the system is | Transparency is a core trustworthiness characteristic, cutting across all four functions | A.8 information for interested parties: system documentation, external reporting | Art. 50: disclose chatbots as machines, label AI-generated content (applies from 2 Aug 2026) |
| Keep a human in charge | Govern: human accountability for AI outcomes | A.9 use of AI systems: responsible use, intended use, objectives for use | High-risk: appropriate human oversight measures are a hard requirement |
| Manage vendors and the value chain | Map: third-party risks identified and owned | A.10 third-party and customer relationships: allocating responsibilities, suppliers, customers | Duties are split along the value chain; GPAI model providers carry their own obligations (since 2 Aug 2025) |
| Monitor and handle incidents | Measure and Manage: track risks in production, respond and recover | Clause 9 (performance evaluation); A.6 operation and monitoring; A.8 communication of incidents | High-risk: post-market monitoring by providers and serious-incident reporting |
| Improve over time | Manage: iterate; the framework itself is circular by design | Clause 10 (improvement): nonconformities and corrective action | Compliance is continuous; market surveillance authorities police systems already on the market |
| Prove it to someone else | Nothing. NIST certifies no one; you self-attest alignment | Certifiable: accredited body, stage 1 and 2 audits, three-year cycle | Conformity assessment for high-risk systems; harmonised standards give a presumption of conformity (Art. 40) |
Two honest caveats. The mapping is at the capability level: inside each row, the regimes differ in depth (the Act's high-risk documentation requirements are far more prescriptive than anything in the RMF). And the row where they genuinely diverge is the last one: only ISO 42001 gives you a certificate, only the EU AI Act carries penalties, and NIST gives you neither, just a good method.
Where they genuinely differ
Teeth. The EU AI Act carries fines and can keep a system off the EU market. ISO 42001's penalty is losing a certificate. The NIST AI RMF has no penalty at all; its force comes from contracts and expectations, which in practice is still force.
Stability. None of the three is finished. NIST states the AI RMF 1.0 is being revised, and the July 2024 Generative AI Profile (NIST AI 600-1) already extended it with twelve GenAI-specific risks. ISO 42001's text is stable, but certification practice is young; accredited bodies only stood up audit services through 2025 and 2026. And the EU AI Act's high-risk dates moved once already, via the omnibus. Whatever you build, budget for re-checking it against the sources a couple of times a year.
Cost shape. NIST costs you effort only. ISO 42001 adds real audit and maintenance fees on top of the effort. EU AI Act costs concentrate almost entirely on systems that land in the high-risk categories, which is a strong argument for doing the classification early and carefully.
The dates that matter
The EU AI Act is the only column with a clock on it, and the clock moved in late 2025, which is why a lot of ranking pages are wrong about it. Per the European Commission's AI Act page:
- 2 Feb 2025: the eight prohibited practices and AI literacy obligations took effect
- 2 Aug 2025: rules for general-purpose AI models and the governance framework took effect
- 2 Aug 2026: the Act becomes generally applicable, including the Article 50 transparency rules (chatbot disclosure, labeling AI-generated content)
- 2 Dec 2027: obligations for high-risk systems in the listed areas (biometrics, critical infrastructure, education, employment, migration and border control, and others) begin, pushed back from 2026 by the AI omnibus simplification package (adopted 19 Nov 2025, political agreement 7 May 2026)
- 2 Aug 2028: obligations for high-risk systems embedded in regulated products begin
If a guide tells you all high-risk obligations bite in August 2026, it predates the omnibus. Check the date on anything you read about this law, including this page.
A sensible order of operations
- Inventory and tier. List every AI system and classify it against the EU AI Act's tiers and a NIST-style risk rating. Every regime starts here, and it's the step companies most often skip.
- Close the biggest gaps. Policy, access rules, data boundaries, human oversight for anything high-impact. This work counts toward all three columns simultaneously.
- Then decide about the certificate. ISO 42001 is worth it for some companies and not others; we wrote the honest version of that call, with numbers, in our ISO 42001 certification cost guide. If you do proceed, our ISO 42001 checklist covers every clause and control, ungated.
If you'd rather have this mapping applied to your actual systems than read about it, that's the fixed-scope AI risk assessment, and the ongoing version is AI governance consulting.
One line of legal hygiene: this page is general information, not legal advice; for obligations that apply to your specific systems, talk to counsel.
Questions people ask
- What is the difference between ISO 42001 and the NIST AI RMF?
- Enforceability and shape. The NIST AI RMF is a voluntary US framework: four functions (Govern, Map, Measure, Manage) that describe how to think about AI risk, with no audit and no certificate. ISO/IEC 42001 is a certifiable management-system standard: clauses 4 to 10 plus 38 Annex A controls that an accredited auditor checks. Roughly: NIST tells you how to reason, ISO tells you what to be able to show.
- Is the NIST AI RMF mandatory?
- No. NIST states it is intended for voluntary use, and there is no NIST certification for it. It still matters because US enterprises and regulators treat it as the default reference, and contracts increasingly ask for alignment with it.
- Does ISO 42001 cover EU AI Act compliance?
- Partly. Article 40 of the Act gives harmonised standards a presumption of conformity, and published crosswalk analyses put ISO 42001 or the NIST AI RMF at roughly 60 to 70 percent of the Act's management-system and risk-governance requirements. The prescriptive high-risk obligations (conformity assessment, logging, registration) still have to be met on their own terms. See our ISO 42001 certification cost guide before assuming the certificate is the cheap path.
- Do US companies need to care about the EU AI Act?
- Only if an AI system's output is used in the EU or you serve EU customers with it; the Act reaches providers and deployers outside the EU in those cases. If you're purely domestic, the NIST AI RMF and US state law are your reference points, but classifying your systems against the Act's categories is still a useful risk exercise.
- Which framework should we start with?
- Start with an inventory and risk tiering, which every regime asks for first. Then: EU exposure means classifying against the Act now; enterprise customers asking for proof means ISO 42001; neither means running the NIST AI RMF informally and skipping the certificate. That decision, applied to your actual systems, is the first thing our AI risk assessment settles.
Tell us about the work.
A few lines is enough. We read every enquiry ourselves and reply within one business day.