ModelCharter

Comparing AI Governance Frameworks: NIST, ISO 42001 and Beyond

Business data charts comparing AI governance frameworks including NIST and ISO 42001

Photo: RDNE Stock project / Pexels

Three major frameworks have emerged as reference standards for AI governance: the NIST AI Risk Management Framework (US, voluntary), ISO/IEC 42001 (international, voluntary, certifiable), and the EU AI Act (EU law, mandatory for organisations with EU reach). Each approaches AI governance from a different angle. Understanding how they relate helps you build a programme that satisfies multiple frameworks without duplicating effort.

NIST AI RMF: risk-management lens

Published in January 2023, the NIST AI RMF organises governance into four functions: GOVERN, MAP, MEASURE, MANAGE. It is designed to be flexible and scalable, applying to organisations of any size and sector. It carries no legal weight but has become the de facto standard for US federal agencies and enterprise risk management. If your organisation is US-headquartered or sells to US government customers, NIST AI RMF is likely the vocabulary your counterparts use when discussing AI risk.

ISO 42001: management system standard

ISO/IEC 42001 is a third-party-certifiable management system standard for AI, analogous to ISO 27001 for information security. It requires documented policies, objectives, risk assessments, and internal audits, and allows external certification as evidence of compliance. It is most relevant for organisations that want to demonstrate AI governance to customers or regulators via a recognised third-party credential, or for those already embedded in the ISO management system ecosystem.

EU AI Act: mandatory law

The EU AI Act is enforceable law with significant penalties, up to 3% of global annual turnover for most violations, 6% for the most serious. It applies to any organisation whose AI systems operate in the EU, regardless of where the organisation is based. Unlike the voluntary frameworks, it does not just guide good practice: it creates binding obligations around prohibited practices, high-risk systems, transparency, and AI literacy. If your organisation has EU operations or EU-facing AI use, this is your compliance floor, not an optional framework to aspire to.

How they complement each other

The frameworks are additive rather than competing. The EU AI Act tells you the minimum you must do by law. ISO 42001 gives you a structured management system to meet those requirements and demonstrate them via external certification. NIST AI RMF provides a risk management vocabulary and toolset that works within either of the above. Many compliance professionals use NIST to identify and assess AI risks, implement controls that satisfy ISO 42001, and document evidence that satisfies the EU AI Act, three outcomes from one set of activities.

Choosing your starting point

If you are subject to the EU AI Act: start there, it is the legal minimum. If you want certifiable evidence of AI governance for customer assurance: add ISO 42001. If you have US operations or want an established risk-management vocabulary: layer in NIST AI RMF. In all cases, the practical starting point is the same: a written AI usage policy, a register of approved tools, and attestation records. Those artefacts satisfy the documentation requirements of all three frameworks. ModelCharter provides that foundation. From there, which framework to pursue in depth depends on your regulatory context and what your customers and auditors expect to see.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator