One of the most frequent questions I receive from CISOs, Chief Compliance Officers, and AI governance teams is a variation of the same question: "We know we need an AI governance framework — but which one do we actually use?"

It is a deceptively complex question. The EU AI Act is a binding regulation that carries fines of up to €35 million or 7% of global annual turnover. ISO 42001 is the first internationally certifiable AI management system standard. The NIST AI Risk Management Framework is the most comprehensive and widely referenced voluntary guidance available globally. They are not alternatives to each other, but they differ in nature, scope, geographic reach, and what they require organisations to do.

With 18+ years of experience designing AI governance programs across enterprise environments, I've supported organisations navigating all three of these frameworks — often simultaneously. This guide gives you the practitioner's perspective that analyst reports often miss: not just what each framework says, but how they work together, where they conflict, and which combination makes sense for your specific organisational context.


The AI Governance Framework Landscape

The current AI governance framework landscape is characterised by a proliferation of guidance instruments — national regulations, international standards, voluntary frameworks, industry codes of practice, and sectoral guidance — that organisations must navigate simultaneously. The three frameworks covered in this article represent the three dominant paradigms:

🇪🇺 EU AI Act (binding regulation, 2024)
A mandatory, risk-tiered regulation applicable to any organisation developing, deploying, or using AI systems that affect EU residents. Non-compliance carries fines of up to €35 million or 7% of global annual turnover (whichever is higher) for prohibited practices, with lower penalty tiers for other breaches.
Characteristics: Mandatory · Risk-tiered · EU-jurisdictional · Prescriptive

🌐 ISO/IEC 42001 (certifiable standard, 2023)
The world's first international AI Management System standard. Voluntary but certifiable: organisations can obtain third-party certification demonstrating structured, auditable AI governance. Global applicability.
Characteristics: Voluntary · Certifiable · Global · Process-based

🇺🇸 NIST AI RMF (voluntary framework, 2023)
A comprehensive, voluntary AI risk management framework from the US National Institute of Standards and Technology. Provides the most detailed practical guidance on how to identify, assess, and manage AI risks across the full lifecycle.
Characteristics: Voluntary · Non-certifiable · US-originated · Guidance-focused
💡 The Core Insight
These three frameworks are not competing answers to the same question. The EU AI Act asks: "Is your AI legal in the EU?" ISO 42001 asks: "Can you prove your AI is governed systematically?" NIST AI RMF asks: "Do you understand and manage your AI risks well?" Most mature organisations will need engagement with all three — the question is sequencing, prioritisation, and how to avoid duplicating effort across them.

EU AI Act — Deep Dive

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024, with provisions applying in phases through 2027. It is the world's first comprehensive binding AI regulation, and it will shape AI governance globally — not just in the EU — because of its extraterritorial effect.

The Risk-Based Tiering Model

The Act's architecture is built around four risk tiers, each carrying different obligations:

| Risk tier | Definition | Examples | Key obligations |
|---|---|---|---|
| Unacceptable risk | AI that poses an unacceptable threat to fundamental rights or safety | Social scoring by public authorities; real-time remote biometric identification in publicly accessible spaces for law enforcement (subject to narrow exceptions); manipulative or exploitative techniques that materially distort behaviour | Prohibited: placing on the market or putting into service is illegal |
| High risk | AI used as a safety component of products covered by EU product safety legislation (Annex I), or in the high-impact use cases affecting people listed in Annex III | AI in medical devices (Annex I); recruitment and hiring AI; creditworthiness assessment of natural persons; AI in law enforcement; educational admission and assessment AI (Annex III) | Mandatory: risk management system, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, registration in the EU database |
| Limited risk | AI with specific transparency risks | Chatbots interacting with users; AI-generated content; deepfakes | Transparency obligations: users must be informed they are interacting with AI, and AI-generated or manipulated content (including deepfakes) must be disclosed as such |
| Minimal risk | All other AI systems | AI-enabled spam filters; AI in video games; AI-powered search recommendations | No mandatory obligations; voluntary codes of conduct encouraged |

Who Must Comply — Extraterritorial Reach

The EU AI Act applies to:

  • Providers placing AI systems on the EU market or putting them into service in the EU — regardless of where the provider is established
  • Deployers using AI systems within the EU — businesses using AI from non-EU providers remain in scope
  • Importers and distributors of AI systems in the EU supply chain

An Indian technology company providing an AI-powered hiring tool to a German enterprise is a provider under the EU AI Act. A US bank using a third-party AI credit scoring model for its EU customer base is a deployer. Neither geographic location nor corporate headquarters exempts an organisation from scope.

Key Timelines

  • 2 February 2025: Prohibited AI practices (unacceptable risk tier) and the AI literacy obligation apply
  • 2 August 2025: GPAI model provisions, the governance infrastructure (AI Office, national competent authorities) and the penalty regime apply
  • 2 August 2026: General application, including the high-risk obligations for Annex III systems (recruitment, creditworthiness, education, law enforcement and the other listed use cases) and the corresponding deployer obligations
  • 2 August 2027: High-risk obligations for Annex I systems (AI that is a safety component of, or is itself, a product covered by existing EU product safety legislation, such as medical devices or machinery) apply
High-risk systems already placed on the market before the relevant date come into scope only if they subsequently undergo a significant change in design (systems used by public authorities must comply by 2 August 2030 regardless), so an inventory of deployed systems and their change history is part of scoping.

⚠️ General-Purpose AI (GPAI) Models
The EU AI Act introduced a distinct regime for General-Purpose AI (GPAI) models: large foundation models like GPT-4, Claude, Gemini, and Llama that can serve diverse downstream tasks. Providers of GPAI models face transparency and technical documentation requirements, including supplying downstream providers with the information they need to meet their own obligations. Providers of GPAI models with systemic risk (presumed where cumulative training compute exceeds 10²⁵ FLOPs) face additional obligations including adversarial testing, serious incident reporting, and cybersecurity measures. This tier is directly relevant to organisations building on foundation model APIs. They do not inherit their upstream provider's compliance; they depend on the documentation that provider must supply, carry their own obligations for the AI system they build on top of the model, and may themselves become a GPAI provider if they substantially modify the model (for example through large-scale fine-tuning).

ISO 42001 — Deep Dive

ISO/IEC 42001:2023 is a management system standard, following the same structural paradigm as ISO 27001 for information security and ISO 9001 for quality. Its goal is to give organisations a structured, auditable, and certifiable framework for governing AI as a management discipline, operated through an AI Management System (AIMS).

What ISO 42001 Actually Requires

Unlike the EU AI Act's prescriptive requirements tied to specific AI system risk levels, ISO 42001 specifies what an organisation's AI governance system must demonstrate, regardless of which specific AI systems are in scope. The standard requires:

  • Context establishment: Understanding the internal and external factors that affect your AI governance, identifying interested parties and their expectations
  • Leadership commitment: Board and executive-level endorsement of an AI Policy and clear allocation of AI governance roles and responsibilities
  • AI risk assessment: A structured methodology for identifying, analysing, and evaluating AI-related risks — to the organisation, individuals, and society
  • AI impact assessment: Pre-deployment evaluation of potential consequences of AI systems on affected people and communities
  • Controls implementation: Selection and implementation of appropriate controls from Annex A (38 controls across 9 domains) based on risk assessment results
  • Competence and awareness: Ensuring staff understand AI governance obligations and have the skills to fulfil them
  • Operational controls: Governance across the AI system lifecycle from design through decommissioning
  • Performance evaluation: Measuring AIMS effectiveness through internal audit and management review
  • Continual improvement: Systematic enhancement of the AIMS over time

The Certification Value Proposition

ISO 42001 certification provides something NIST AI RMF cannot, and the EU AI Act provides only for the subset of high-risk systems routed through a notified body: independent, third-party verification that an organisation's AI governance is systematic, documented, and effective. This has concrete commercial and regulatory value:

  • Evidence of structured AI governance in customer and enterprise procurement processes
  • Credible response to regulatory inquiries about AI governance capability
  • Competitive differentiation in AI-enabled services markets where clients are increasingly demanding governance credentials
  • Foundation for demonstrating EU AI Act compliance: the risk management system (Art. 9), technical documentation (Art. 11) and quality management system (Art. 17) obligations for high-risk AI can draw heavily on ISO 42001-aligned documentation, although certification alone does not establish conformity with the Act
🔗 ISO 42001 and the EU AI Act: The Alignment
While ISO 42001 is not formally "harmonised" with the EU AI Act (a process that would make certification presumptively demonstrate compliance), the European Commission and national standardisation bodies are actively working toward this alignment. Many of the EU AI Act's requirements for high-risk AI systems — risk management system (Art. 9), data governance (Art. 10), technical documentation (Art. 11), human oversight (Art. 14) — map directly to ISO 42001 requirements. Organisations that implement ISO 42001 robustly will find they have already addressed a significant portion of EU AI Act compliance obligations.

NIST AI RMF — Deep Dive

The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is the most comprehensive and practically detailed AI governance guidance available globally. It was developed through an extensive multi-stakeholder process involving industry, government, academia, and civil society — and the depth of that process shows in the resulting framework.

The Core Framework Structure: GOVERN, MAP, MEASURE, MANAGE

The NIST AI RMF organises AI risk management around four core functions:

FunctionFocusKey Activities
GOVERN Organisational culture, policies, and accountability structures for AI risk Establishing AI risk policies; assigning roles and responsibilities; building organisational AI literacy; creating incentive structures that reward responsible AI behaviour; supply chain risk governance
MAP Identifying and categorising AI risks in context Contextualising AI systems and their impacts; identifying affected communities; documenting intended uses and foreseeable misuses; categorising risk types (bias, privacy, security, reliability, explainability)
MEASURE Quantifying and analysing identified AI risks Evaluating AI system performance across trustworthiness dimensions; testing for bias and fairness; assessing explainability; measuring security and robustness; benchmarking against acceptable risk thresholds
MANAGE Prioritising and treating AI risks Implementing risk treatment measures; monitoring deployed AI systems; responding to incidents and failures; communicating risk information to stakeholders; iterating on risk treatment based on ongoing measurement

The AI RMF Playbook

Alongside the core framework, NIST published the AI RMF Playbook — a companion document providing specific suggested actions for each of the framework's 72 subcategories. This level of operational detail is what distinguishes NIST AI RMF from other frameworks: it does not just tell you what to do, it provides concrete starting-point practices for how to do it.

The Generative AI Profile (NIST AI 600-1)

The core framework remains at version 1.0; there is no "AI RMF 2.0". The major addition since its release is the Generative AI Profile (NIST AI 600-1), published in July 2024, which provides additional guidance specifically for managing risks associated with generative AI systems, including confabulation (commonly called hallucination), data poisoning, harmful content generation, intellectual property risks, and privacy violations from training data. Organisations deploying generative AI should work through this profile alongside the core RMF.

🌍 Global Adoption Beyond the US
Despite its US government origins, NIST AI RMF has achieved remarkable global adoption. Organisations in the EU, UK, India, Singapore, Japan, and Australia reference it as a foundational AI risk management resource. This is partly due to its practical depth and partly because its voluntary nature makes it easier to adopt than prescriptive regulatory frameworks. For multinational organisations, the NIST AI RMF provides a common risk management language that works across jurisdictions while more prescriptive frameworks (like the EU AI Act) provide the legal floor in specific geographies.

Head-to-Head Comparison

| Dimension | EU AI Act | ISO 42001 | NIST AI RMF |
|---|---|---|---|
| Nature | Binding regulation; legal obligation | Voluntary management system standard; certifiable | Voluntary guidance framework; no certification |
| Issuing body | European Parliament and Council | ISO/IEC JTC 1/SC 42 | US National Institute of Standards and Technology |
| Geographic scope | EU, with extraterritorial reach to any organisation serving the EU market | Global; applicable to any organisation | Global; US-originated but internationally adopted |
| Approach | Risk-tiered, prescriptive requirements per risk level | Process-based, outcome-focused management system | Function-based, flexible risk management guidance |
| AI scope | Specific AI systems classified by risk tier; GPAI models have a separate regime | Any organisation developing, providing, or using AI; scoped by organisation | Any AI system; particularly detailed on generative AI and ML |
| Certification | Conformity assessment for high-risk AI (internal control for most Annex III systems; notified body for Annex I products and certain biometric systems) | Full third-party certification by accredited certification bodies | No certification mechanism |
| Penalties for non-compliance | Up to €35M or 7% of global annual turnover for prohibited practices; up to €15M or 3% for most other obligations; up to €7.5M or 1% for supplying incorrect information | Certification withdrawal; no direct financial penalty | None; voluntary framework |
| Human oversight | Mandatory for high-risk AI (Art. 14) | Required within AIMS operational controls | Addressed in the MANAGE function and Playbook actions |
| Transparency | Mandatory transparency for limited-risk AI; technical documentation for high-risk | Addressed through communication requirements and impact assessment | Detailed guidance on explainability and transparency in the Playbook |
| Practical depth | High: specific requirements and Articles; implementation guidance emerging | Medium: requirements-based; leaves implementation method to the organisation | Very high: the Playbook provides specific suggested actions for each subcategory |
| Update cadence | Delegated and implementing acts plus Commission guidance; the regulation itself is slow to amend | Full revision roughly every five years; faster normative guidance possible | Living document; profiles and supplemental guidance published frequently |
| Best for | Ensuring legal compliance for EU market activities | Demonstrating governance maturity; winning enterprise clients | Building deep AI risk management capability; multi-jurisdiction flexibility |

Where They Overlap and Complement Each Other

Rather than choosing between these frameworks, the most sophisticated organisations use them in combination — treating each as addressing a different layer of the AI governance challenge. The overlaps and complementarities are substantial.

🇪🇺 EU AI Act Only
  • Prohibited AI practices (absolute bans)
  • CE marking and conformity assessment
  • EU database registration for high-risk AI
  • GPAI model-specific regime
  • Post-market monitoring obligations
  • Serious incident reporting to national authorities
  • Legal penalties and enforcement mechanisms
  • Notified body involvement for certain high-risk AI

🔗 Shared / Overlapping
  • AI risk assessment requirements
  • Human oversight mechanisms
  • Transparency and explainability
  • Data governance and quality
  • Technical documentation
  • Accountability and governance structures
  • Bias and fairness considerations
  • Lifecycle management of AI systems
  • Third-party/supply chain AI governance
  • Monitoring and logging of AI systems
  • Security and robustness

🌐 ISO 42001 & NIST Only
  • Full management system structure (ISO 42001)
  • Third-party certification (ISO 42001)
  • Voluntary adoption globally
  • Detailed GOVERN function guidance (NIST)
  • Quantitative risk measurement guidance (NIST)
  • GenAI-specific profiles (NIST)
  • AI impact assessment methodology
  • AI literacy and competence building
  • Continual improvement requirements

The Three-Layer Integration Model

The cleanest way to think about how these frameworks layer together is through a three-tier model:

  • Layer 1 — Legal Floor (EU AI Act): Establishes the mandatory minimum for organisations in EU scope. Non-negotiable. Must be addressed before anything else if your organisation is in scope.
  • Layer 2 — Governance System (ISO 42001): Provides the management system infrastructure that operationalises both Layer 1 compliance and Layer 3 risk management. The AIMS is the engine that makes governance repeatable and auditable.
  • Layer 3 — Risk Intelligence (NIST AI RMF): Provides the detailed risk identification, measurement, and management practices that populate and strengthen the governance system. The Playbook actions are the operational content that gives the ISO 42001 AIMS its substantive depth.
🏗️ The Efficiency Insight
Organisations that implement ISO 42001 using NIST AI RMF as the risk methodology — while simultaneously mapping both to EU AI Act requirements — achieve the highest control efficiency. Rather than building three separate governance programs, they build one integrated AIMS that satisfies all three frameworks, with a documented mapping showing how each ISO 42001 control addresses both the relevant EU AI Act Article and the corresponding NIST AI RMF subcategory. This approach reduces duplication by an estimated 50–65% compared to implementing each framework independently.

Which Framework Is Right for Your Organisation?

Framework selection should be driven by four key variables: your geographic market, your AI risk profile, your maturity level, and your stakeholder requirements. The following profiles reflect the organisations I most commonly encounter and the framework strategies I recommend for each.

🏦 EU-Regulated Enterprise (Financial Services, Healthcare, Insurance)
Example: European bank deploying AI for credit scoring, fraud detection, and customer service
Primary Frameworks
  • EU AI Act: mandatory. Creditworthiness assessment of natural persons is Annex III high-risk AI. Full technical documentation, risk management system, human oversight, and conformity assessment are required before deployment.
  • ISO 42001: strongly recommended. Provides the management system framework that makes EU AI Act compliance repeatable and auditable. Certification demonstrates governance maturity to the ECB, EBA, and national supervisors.
  • NIST AI RMF: advisory use. Use the Playbook to populate ISO 42001 AIMS controls, particularly for bias testing, model performance monitoring, and explainability documentation.
Why This Combination
  • The EU AI Act is legally non-negotiable for creditworthiness assessment and for risk assessment and pricing in life and health insurance, both Annex III high-risk. Note that Annex III expressly excludes AI used to detect financial fraud, so a bank's fraud models are usually not high-risk under the Act, even though they remain within the bank's own model risk governance.
  • ISO 42001 complements, rather than replaces, the information security management system that addresses DORA's ICT risk management requirements; integrating the two lets a single management system cover multiple regulatory mandates.
  • European financial regulators (ECB, EBA, EIOPA) are increasingly referencing ISO 42001 in supervisory guidance; early adoption builds regulatory goodwill.
Summary: EU AI Act (mandatory) · ISO 42001 (certify) · NIST AI RMF (advisory). Also consider: DORA, EBA Guidelines
🌐 Global Technology Company / AI Product Provider
Example: US-headquartered SaaS company with AI-powered HR and recruitment tools sold globally including to EU customers
Primary Frameworks
  • EU AI Act: mandatory for EU customers. Recruitment AI is Annex III high-risk. As a provider placing the product on the EU market, full compliance obligations apply regardless of US headquarters.
  • ISO 42001: certify. Certification is rapidly becoming a procurement requirement for enterprise clients. Provides a globally credible proof point for AI governance across all markets including US, UK, and APAC.
  • NIST AI RMF: implement fully. US government and enterprise customers increasingly reference NIST AI RMF in procurement, and alignment with it supports the trustworthy-AI expectations that federal agencies apply to their own AI use (for example under EO 13960).
Why This Combination
  • A global AI product provider cannot afford to maintain different governance approaches per market; an integrated framework covering EU, US, and global requirements from one AIMS is essential.
  • ISO 42001 certification provides a single governance credential accepted across markets, reducing due diligence overhead in enterprise sales cycles.
  • NIST AI RMF alignment is expected by US federal customers and enterprise procurement teams familiar with NIST standards.
Summary: EU AI Act (mandatory) · ISO 42001 (certify) · NIST AI RMF (full adoption). Also consider: UK AI framework, Singapore ISAGO
🇮🇳 India / APAC Enterprise Deploying AI Internally
Example: Indian IT services company using AI for internal operations and project delivery, with EU-based clients
Primary Frameworks
  • ISO 42001: certify immediately. No binding domestic AI regulation exists yet in India, but the market signal is clear: EU clients will increasingly require ISO 42001 certification from technology partners. First-mover advantage is significant.
  • NIST AI RMF: use as the risk methodology. Provides the detailed operational guidance to populate the ISO 42001 AIMS without prescribing technology choices.
  • EU AI Act: scoping assessment required. If any services involve AI systems used by EU-based clients for decisions affecting EU residents, EU AI Act obligations may apply. Scoping analysis is essential.
Why This Combination
  • India has no equivalent binding regulation yet, but India's Digital Personal Data Protection Act and emerging AI governance guidance signal this will change. ISO 42001 builds governance infrastructure ahead of that curve.
  • EU clients are already asking IT services suppliers for AI governance credentials. ISO 42001 certification provides the credible response needed to protect and grow EU client relationships.
  • NIST AI RMF is technology-neutral and practical, ideal as the operational backbone for an AIMS being built from scratch.
Summary: ISO 42001 (certify) · NIST AI RMF (implement) · EU AI Act (scoping assessment). Also consider: DPDP Act, MeitY AI guidance
🏛️ Public Sector / Government Agency
Example: UK government agency deploying AI for benefits eligibility assessment and public service delivery
Primary Frameworks
  • NIST AI RMF: primary framework. GOVERN, MAP, MEASURE, MANAGE provides the most comprehensive risk management guidance for high-stakes public-sector AI. The framework's emphasis on affected communities and fairness aligns directly with public sector accountability obligations.
  • ISO 42001: implement, consider certification. Provides the management system structure needed for Ministerial accountability and public audit. Certification is not always mandatory but is increasingly expected.
  • EU AI Act: where applicable. EU member state agencies are directly in scope. Post-Brexit UK agencies should follow UK AI regulatory guidance (ICO, DSIT), which substantially mirrors EU principles.
Why This Combination
  • Benefits eligibility and social services AI are explicitly high-risk under the EU AI Act; public sector deployers face mandatory obligations including human review of AI-assisted decisions.
  • Public sector accountability requires explainability and documented decision logic; NIST AI RMF's MEASURE function provides the most detailed guidance on explainability assessment.
  • ISO 42001 provides the audit trail and management system structure required for parliamentary or congressional oversight of AI in government.
Summary: NIST AI RMF (primary) · ISO 42001 (implement) · EU AI Act (where applicable). Also consider: OECD AI Principles, national AI strategies
🚀 AI Startup / SME
Example: Series B AI startup building a medical diagnosis support tool targeting EU and US hospital markets
Primary Frameworks
  • EU AI Act: cannot be avoided. Diagnostic software is a medical device under the MDR/IVDR, so the AI is high-risk under Annex I (not Annex III), and its AI Act conformity assessment is carried out through the MDR/IVDR notified-body route rather than by self-assessment. The Act provides a specific pathway for SMEs and startups including regulatory sandboxes, simplified technical documentation in some cases, and support from national competent authorities. Engage early.
  • NIST AI RMF: use the Playbook as a starting checklist. Provides practical, lightweight starting-point practices that do not presuppose large team capacity. The framework's flexibility suits an iterative startup build.
  • ISO 42001: roadmap to certification. Full certification may be 18–24 months away for an early-stage startup, but building the AIMS documentation from day one avoids expensive retroactive governance work and signals governance maturity to clinical and enterprise buyers.
Why This Combination
  • EU hospital procurement teams and health systems will require EU AI Act compliance documentation as a condition of procurement; non-compliance means inability to sell into the target market.
  • NIST AI RMF's Playbook is the most practically useful starting point for a small team: it tells you specifically what to do, not just what to achieve.
  • Building toward ISO 42001 certification from day one is dramatically cheaper than retrofitting governance onto an already-deployed system. Governance debt compounds faster than technical debt.
Summary: EU AI Act (mandatory) · NIST AI RMF (Playbook first) · ISO 42001 (build toward). Also consider: MDR (Medical Device Regulation), FDA AI/ML guidance

Building an Integrated Multi-Framework Strategy

For most organisations that need to engage with more than one framework, the goal is not to implement three separate governance programs — it is to build one integrated AI governance infrastructure that satisfies the requirements of all applicable frameworks simultaneously, with explicit documentation showing how each element addresses each framework's requirements.

Step 1
Scoping and Applicability Assessment
Before designing your integrated framework, determine which of the three frameworks actually apply to your organisation and to what extent.
  • Map all AI systems in use or development across your organisation
  • Assess EU AI Act applicability — are you a provider, deployer, or both? Do any systems qualify as high-risk under Annex I or III?
  • Confirm the geographic scope of your AI deployments and their potential effects on EU residents
  • Identify stakeholder requirements — do clients, investors, or regulators expect specific framework certifications or compliance?
  • Determine which NIST AI RMF profiles are relevant (Core RMF, GenAI Profile 600-1, sector-specific profiles)
Step 2
Build the ISO 42001 AIMS as Your Central System
Use ISO 42001 as the organisational spine — the management system that houses and operationalises governance across all frameworks.
  • Establish the AI governance committee and AI Policy as ISO 42001 Clause 5 requires
  • Develop your AI risk assessment methodology aligned to NIST AI RMF MAP and MEASURE functions
  • Map EU AI Act Article requirements for each applicable AI system into ISO 42001 operational control documentation
  • Select Annex A controls using NIST AI RMF Playbook actions as the implementation guidance
  • Design the AI Impact Assessment process as one workflow that satisfies ISO 42001 Clause 6 (AI system impact assessment), feeds the EU AI Act Article 9 risk management system and, where Article 27 applies to the organisation as a deployer of high-risk AI, produces the fundamental rights impact assessment
Step 3
Create the Unified Controls Mapping Document
A single document that maps each governance control to the framework requirements it satisfies is the most efficient way to demonstrate multi-framework compliance without duplication.
  • Build a controls cross-reference matrix: ISO 42001 clause/control → EU AI Act Article → NIST AI RMF subcategory
  • Identify where a single control satisfies requirements across all three frameworks (these are your highest-value investments)
  • Flag gaps where EU AI Act requirements have no ISO 42001 or NIST equivalent — these need bespoke controls
  • Document evidence requirements for each control — what will demonstrate compliance to an auditor, regulator, or certification body?
Step 4
Audit, Certify, and Maintain
The integrated framework must be tested, certified where applicable, and maintained as frameworks evolve.
  • Conduct internal audit of the ISO 42001 AIMS against all three framework requirements
  • Engage a certification body for ISO 42001 Stage 1 and Stage 2 audit
  • For EU AI Act high-risk AI, complete conformity assessment (self-assessment or notified body depending on AI system category)
  • Establish a framework monitoring process — NIST, ISO, and the EU Commission all update their guidance; assign responsibility for tracking and incorporating updates
  • Schedule annual management reviews that assess the integrated framework against all applicable requirements
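The cross-reference matrix from Step 3, and the Step 4 internal audit check that every control has evidence behind it, are easier to keep current as structured data than as a spreadsheet. The following Python example is added here and is not code from the original article. The control register, the in-scope article set, and the article, clause and NIST subcategory references in it are constructed placeholders (the EU AI Act article numbers follow the Act's numbering for the topics this article names, but every reference must be verified against the actual texts before it is relied on). It computes which controls satisfy all three frameworks at once, which in-scope EU AI Act articles are either uncovered or served only by a bespoke EU-only control, and which controls have no evidence defined.

```python
"""Unified controls cross-reference matrix with coverage, gap and evidence checks.
Added example, not from the original article. The control register and its
framework references (EU AI Act articles, ISO 42001 clauses/Annex A objectives,
NIST AI RMF subcategory IDs) are constructed placeholders: verify them first."""
from collections import defaultdict
from dataclasses import dataclass

FRAMEWORKS = ("eu_ai_act", "iso_42001", "nist_ai_rmf")

@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    eu_ai_act: frozenset = frozenset()    # EU AI Act articles addressed
    iso_42001: frozenset = frozenset()    # ISO 42001 clauses / Annex A objectives
    nist_ai_rmf: frozenset = frozenset()  # NIST AI RMF subcategories
    evidence: tuple = ()                  # artefacts an auditor or regulator can inspect

    def frameworks_covered(self):
        """Frameworks to which this single control contributes."""
        return tuple(f for f in FRAMEWORKS if getattr(self, f))

def ctl(cid, title, eu=(), iso=(), nist=(), evidence=()):
    """Shorthand constructor so the sample register stays readable."""
    return Control(cid, title, frozenset(eu), frozenset(iso), frozenset(nist), tuple(evidence))

# Constructed sample register; identifiers are placeholders, not a verified mapping.
SAMPLE_CONTROLS = (
    ctl("GOV-01", "Board-approved AI policy and role allocation",
        ["Art. 17"], ["Clause 5.2", "A.2"], ["GOVERN 1.1"], ["Signed AI policy", "RACI chart"]),
    ctl("RISK-01", "AI risk assessment methodology",
        ["Art. 9"], ["Clause 6.1.2"], ["MAP 1.1", "MEASURE 1.1"], ["Risk methodology", "Completed assessments"]),
    ctl("DATA-01", "Training and test data governance",
        ["Art. 10"], ["A.7"], ["MAP 2.1"], ["Data lineage records", "Bias review reports"]),
    ctl("DOC-01", "Technical documentation pack per AI system",
        ["Art. 11"], ["Clause 7.5"], ["GOVERN 1.4"], ["Model cards", "Architecture and test reports"]),
    ctl("OVS-01", "Human oversight design and deployer procedures",
        ["Art. 14", "Art. 26"], ["A.9"], ["MANAGE 1.3"], ["Oversight procedure", "Override logs"]),
    ctl("IA-01", "AI impact assessment incl. fundamental rights",
        ["Art. 27"], ["Clause 6.1.4", "A.5"], ["MAP 5.1"], ["Impact assessment reports"]),
    ctl("MON-01", "Post-market monitoring and serious incident reporting",
        ["Art. 72", "Art. 73"], ["Clause 9.1"], ["MANAGE 4.1"], ["Monitoring plan", "Incident register"]),
    ctl("SEC-01", "Robustness, adversarial and security testing",
        ["Art. 15"], ["A.6"], ["MEASURE 2.7"], ["Red-team reports", "Regression test results"]),
    # EU-only bespoke control with no evidence recorded yet: both conditions are flagged below.
    ctl("EU-REG-01", "EU database registration of high-risk systems", ["Art. 49"]),
)

# Articles the organisation decided are in scope for one high-risk system (constructed).
IN_SCOPE_ARTICLES = frozenset({"Art. 9", "Art. 10", "Art. 11", "Art. 12", "Art. 14", "Art. 15",
                               "Art. 17", "Art. 26", "Art. 27", "Art. 49", "Art. 72", "Art. 73"})

def article_number(article):
    """Sort key so 'Art. 9' precedes 'Art. 10' (plain string order would not)."""
    return int(article.split()[-1])

def coverage_matrix(controls):
    """framework -> requirement -> sorted IDs of the controls that address it."""
    matrix = {f: defaultdict(set) for f in FRAMEWORKS}
    for control in controls:
        for framework in FRAMEWORKS:
            for requirement in getattr(control, framework):
                matrix[framework][requirement].add(control.control_id)
    return {f: {r: sorted(ids) for r, ids in reqs.items()} for f, reqs in matrix.items()}

def high_value_controls(controls):
    """Controls that satisfy a requirement in all three frameworks at once."""
    return [c.control_id for c in controls if len(c.frameworks_covered()) == len(FRAMEWORKS)]

def eu_gap_report(controls, in_scope_articles):
    """'uncovered': in-scope articles no control addresses; 'bespoke': articles
    addressed only by controls that have no ISO 42001 or NIST counterpart."""
    by_article = coverage_matrix(controls)["eu_ai_act"]
    lookup = {c.control_id: c for c in controls}
    uncovered, bespoke = [], []
    for article in sorted(in_scope_articles, key=article_number):
        ids = by_article.get(article, [])
        if not ids:
            uncovered.append(article)
        elif not any(lookup[i].iso_42001 or lookup[i].nist_ai_rmf for i in ids):
            bespoke.append(article)
    return {"uncovered": uncovered, "bespoke": bespoke}

def evidence_gaps(controls):
    """Controls with no evidence artefact defined; an auditor cannot verify these."""
    return [c.control_id for c in controls if not c.evidence]

def matrix_rows(controls):
    """One flattened row per control, ready to paste into the mapping document."""
    return [(c.control_id, c.title, "; ".join(sorted(c.eu_ai_act, key=article_number)),
             "; ".join(sorted(c.iso_42001)), "; ".join(sorted(c.nist_ai_rmf)),
             "; ".join(c.evidence)) for c in controls]

if __name__ == "__main__":
    for row in matrix_rows(SAMPLE_CONTROLS):
        print(" | ".join(row))
    print("Cover all three frameworks:", high_value_controls(SAMPLE_CONTROLS))
    print("EU AI Act gaps:", eu_gap_report(SAMPLE_CONTROLS, IN_SCOPE_ARTICLES))
    print("Controls lacking evidence:", evidence_gaps(SAMPLE_CONTROLS))
```

On the sample register the report distinguishes the two gap types Step 3 asks for: Art. 12 (record-keeping) is uncovered because no control claims it, while Art. 49 is served only by a bespoke EU-only control, which is expected for registration but still needs its own evidence, and EU-REG-01 is flagged for having none. Running this as part of the internal audit in Step 4 turns "is every in-scope article covered, and can we prove it?" into a repeatable check rather than a manual reconciliation.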

Common Mistakes When Choosing AI Governance Frameworks

Mistake 1: Treating EU AI Act Compliance as the Finish Line

The EU AI Act tells you what you must not do and what minimum requirements you must meet — it does not tell you how to build excellent AI governance. Organisations that focus exclusively on EU AI Act compliance often end up with documentation that satisfies the letter of the regulation but lacks the management system infrastructure that makes compliance sustainable and demonstrable over time. ISO 42001 provides that infrastructure.

Mistake 2: Implementing NIST AI RMF Without a Management System

NIST AI RMF is rich in guidance but does not provide the management system structure that turns that guidance into organisational practice. Organisations that implement NIST AI RMF without the ISO 42001 AIMS discipline tend to produce impressive risk assessments that sit on a shelf — comprehensive documentation without the governance machinery to ensure it is maintained, acted upon, and improved.

Mistake 3: Over-Scoping EU AI Act Compliance

The EU AI Act's high-risk tier requirements are substantial — and applying them to AI systems that are not actually high-risk under the Act creates unnecessary compliance burden. Many organisations I have worked with spend months preparing conformity assessment documentation for AI systems that are minimal risk under the Act. Precise scoping analysis before compliance work begins is essential, and typically requires legal counsel familiar with the Act's definitions.

Mistake 4: Neglecting the EU AI Act's Deployer Obligations

Most governance attention focuses on AI providers — those building AI systems. But the EU AI Act imposes significant obligations on deployers — organisations using third-party AI in their operations. A bank using a credit scoring model from a third-party AI vendor is a deployer with its own compliance obligations, including conducting a fundamental rights impact assessment before deployment of high-risk AI, implementing human oversight mechanisms, and maintaining appropriate documentation. Deployers who assume their vendor's compliance covers their own obligations are mistaken.

Mistake 5: Starting with the Framework, Not the Risk

The most common failure I see across 18+ years of governance program delivery: organisations that choose a framework before understanding their AI risk landscape. The framework should follow the risk — once you understand what AI systems you operate, at what risk level, with what potential impacts, the framework selection becomes considerably more straightforward. Starting with the framework and then mapping it to your AI systems almost always results in wasted effort and misaligned controls.

Mistake 6: Ignoring the Evolving Landscape

The EU AI Act is supplemented by an ongoing program of delegated acts, implementing regulations, and European Commission guidance. NIST AI RMF has already expanded with the GenAI Profile. ISO 42001 will undergo revision. AI governance is not a project you complete — it is an ongoing discipline. Organisations that do not assign responsibility for tracking and incorporating framework updates will find their governance programs becoming outdated faster than they expect.


Practical Implementation Pathways

For organisations at different starting points, the following pathways reflect the practical sequencing I recommend based on the organisational profile and starting maturity.

Starting position: No AI governance structure; EU scope; high-risk AI deployed
First 90 days: Immediate EU AI Act gap assessment; appoint AI compliance lead; begin conformity assessment documentation for deployed high-risk systems
Months 4–12: Implement ISO 42001 AIMS; conduct AI system inventory; complete risk assessments using NIST RMF methodology
Year 2 target: ISO 42001 certification; EU AI Act conformity assessment complete; annual management review cycle established

Starting position: ISO 27001 certified; beginning AI governance
First 90 days: Extend existing ISMS to cover AI-specific controls; map ISO 27001 controls to ISO 42001 Annex A; conduct AI system inventory
Months 4–12: Implement ISO 42001 AIMS as extension of existing management system; conduct AI risk assessments; adopt NIST RMF Playbook actions for AI-specific controls
Year 2 target: ISO 42001 certification (leveraging existing ISO 27001 audit relationship); EU AI Act compliance mapped and documented

Starting position: NIST framework user; expanding to include AI governance
First 90 days: NIST AI RMF gap assessment against existing NIST CSF implementation; identify AI systems requiring dedicated AI risk management
Months 4–12: Implement NIST AI RMF GOVERN, MAP, MEASURE, MANAGE for AI systems; begin ISO 42001 AIMS design using NIST as the risk methodology
Year 2 target: ISO 42001 certification with NIST RMF as documented risk methodology; EU AI Act scoping and compliance assessment complete

Starting position: AI startup, pre-Series A, US-headquartered with EU market ambitions
First 90 days: AI system inventory; EU AI Act risk tier classification for all products; implement NIST AI RMF Playbook priority actions for your highest-risk systems
Months 4–12: Build ISO 42001 AIMS documentation from scratch; integrate compliance documentation into product development workflow; engage EU regulatory sandbox if applicable
Year 2 target: ISO 42001 certification (or pre-certification readiness); EU AI Act conformity documentation complete for target market

The Evolving Framework Landscape

The AI governance framework landscape will not remain static. Several developments are already in motion that will shape how organisations navigate these frameworks over the next three to five years.

EU AI Act Harmonised Standards

The European Commission has mandated the European standardisation organisations (CEN, CENELEC, ETSI) to develop harmonised standards that provide a presumption of conformity with EU AI Act requirements. Once these standards are published in the Official Journal of the EU, compliance with them will be presumed to satisfy the corresponding AI Act requirements. ISO 42001 is expected to be among the standards in this harmonisation program — which would make ISO 42001 certification direct evidence of EU AI Act compliance for the requirements it covers.

UK AI Regulation Evolution

Post-Brexit, the UK has taken a sector-based regulatory approach rather than a single AI Act. However, the UK government has signalled an intention to introduce statutory AI governance requirements, and existing UK regulators (ICO, FCA, CMA, MHRA) have published sector-specific AI guidance. UK organisations should track these developments and ensure their ISO 42001 AIMS is designed to accommodate UK-specific requirements as they mature.

Global Proliferation of National AI Regulations

Brazil, Canada, China, India, Singapore, and Japan all have AI governance regulations at various stages of development. ISO 42001 is well-positioned to serve as the global governance standard that mediates between these national requirements — providing a common governance infrastructure that can accommodate the specific requirements of each jurisdiction through targeted supplementary controls.

NIST AI RMF Sector Profiles

NIST is developing sector-specific AI RMF profiles for financial services, healthcare, critical infrastructure, and other sectors. These profiles will provide sector-tailored implementation guidance that translates the core framework into the risk context of specific industries. Organisations in these sectors should integrate these profiles into their AIMS as they are published.


Key Takeaways

Choosing Your AI Governance Framework — The Decision Guide
The EU AI Act is not optional for EU scope. If you place AI on the EU market, use AI affecting EU residents, or supply AI into EU supply chains, compliance is mandatory — regardless of where you are headquartered.
ISO 42001 is the governance engine. It provides the management system infrastructure that makes compliance with both the EU AI Act and NIST AI RMF sustainable, auditable, and repeatable over time.
NIST AI RMF is the most practically detailed guide available. Use the Playbook as operational content — it tells you specifically what to do to manage AI risks across GOVERN, MAP, MEASURE, and MANAGE.
The three frameworks are not alternatives — they are layers. EU AI Act = legal floor. ISO 42001 = governance system. NIST AI RMF = risk intelligence. Most mature organisations need all three.
Deployers have their own obligations. Using a third-party AI system does not transfer all EU AI Act compliance responsibilities to the provider. Deployers of high-risk AI have mandatory obligations including fundamental rights impact assessments.
Start with risk, not framework. Understand your AI system landscape, risk levels, and geographic market first. The right framework combination follows from that analysis — not the other way around.
Integration beats parallelism. One integrated AI governance infrastructure satisfying all applicable frameworks is always more efficient than three separate compliance programs. Build the cross-reference mapping document from day one.
Governance debt compounds. Building ISO 42001 AIMS from the first AI deployment is dramatically cheaper than retrofitting governance onto deployed systems. Start governance early.
ISO 42001 certification is becoming a commercial requirement. Enterprise procurement teams and regulated industry clients increasingly require evidence of structured AI governance — ISO 42001 certification is the most credible available proof point.
The landscape is evolving fast. Harmonised standards, new NIST profiles, national AI regulations, and EU delegated acts are all in motion. Assign responsibility for framework monitoring and plan for annual governance program reviews.