NIST AI RMF, ISO 42001, and the EU AI Act: A Pragmatic Map

NIST AI RMF, ISO 42001, and the EU AI Act overlap significantly. Here's how to satisfy all three without building three separate compliance programs.

If you have been following AI governance developments, you have encountered three frameworks cited repeatedly: the NIST AI Risk Management Framework, ISO/IEC 42001, and the EU AI Act. If your governance program needs to address all three — and for many organizations operating across jurisdictions, it does — the instinct is often to build three separate programs.

That instinct is expensive and unnecessary. The frameworks overlap significantly, and a well-structured program can satisfy all three with coordinated effort rather than parallel tracks.

What Each Framework Actually Requires

NIST AI RMF

The NIST AI Risk Management Framework is a voluntary US guidance framework organized around four functions:

  • Govern — establishing policies, roles, responsibilities, and culture for AI risk management.
  • Map — identifying and categorizing AI systems and their associated risks in context.
  • Measure — quantifying and assessing AI risks using defined metrics and methods.
  • Manage — treating, monitoring, and responding to identified risks.

The NIST framework is non-prescriptive by design. It tells you what categories of activity your governance program should cover; it does not specify exactly how to cover them. This flexibility is appropriate for a voluntary standard but requires internal interpretation work.

As ZenGRC's AI governance analysis notes, organizations that implement comprehensive AI governance frameworks reduce AI incidents by up to 70% — the NIST framework provides the structured thinking; the value comes from actually implementing it.

ISO/IEC 42001

ISO/IEC 42001 is an auditable management system standard for AI — the AI equivalent of ISO 27001. It uses the same Annex SL high-level structure, making integration with ISO 27001 programs straightforward.

Key elements include:

  • Context of the organization and interested parties
  • Risk assessment and treatment processes
  • Documented policies and objectives
  • Competency and awareness requirements
  • Operational controls for AI development and deployment
  • Internal audit and management review

Unlike the NIST framework, ISO 42001 is certifiable. Organizations that achieve certification demonstrate to customers, regulators, and partners that their AI governance program meets an independently audited standard. For B2B organizations where enterprise customers demand supply-chain security evidence, this is increasingly a competitive requirement.

EU AI Act

The EU AI Act is binding regulation for AI systems used in the EU — regardless of where the organization deploying them is headquartered. It takes a risk-tiered approach:

Prohibited AI — systems with unacceptable risk: social scoring, real-time biometric surveillance in public spaces, manipulation of vulnerable populations. These are banned outright.

High-risk AI — systems in regulated sectors (healthcare, employment, critical infrastructure, law enforcement). These face conformity assessments, technical documentation requirements, human oversight mandates, and registration obligations.

Limited-risk AI — systems like chatbots that interact with humans. Transparency requirements apply: users must be informed they are interacting with AI.

Minimal-risk AI — most business automation, spam filters, AI-assisted analytics. Voluntary code of conduct; no mandatory requirements.

The EC-Council's plain-English comparison of these three frameworks notes that the EU AI Act is the only one with teeth — penalties up to €35 million or 7% of global annual turnover for violations of prohibited AI rules.

Where the Frameworks Converge

The good news is substantial: the core activities required by all three frameworks overlap significantly.

AI system inventory. All three require knowing what AI systems you have deployed, their purpose, their risk level, and their data flows. The inventory you build for NIST mapping satisfies the EU Act's registration requirements and ISO 42001's context documentation.

Risk assessment documentation. All three require documented risk assessments for AI systems. The format varies, but the substance — identifying risk, assessing likelihood and impact, documenting treatment — is consistent across all three.

Policy and procedure documentation. NIST Govern, ISO 42001 Clause 6, and EU AI Act Article 9 all require documented policies for AI risk management. One policy framework, properly structured, addresses all three.

Human oversight provisions. ISO 42001 and the EU AI Act both require mechanisms for human oversight of AI decisions. NIST's Manage function includes monitoring and human review as risk treatment options. One human-in-the-loop architecture satisfies all three.

The Divergences That Require Specific Attention

EU Act conformity assessments. High-risk AI systems under the EU Act require formal conformity assessments — third-party audits for some categories, self-assessment for others. This is an EU-Act-specific requirement with no parallel in NIST or ISO 42001 (though ISO 42001 certification provides supporting evidence).

ISO 42001 management system disciplines. ISO 42001 requires the formal management system apparatus: internal audit program, management review, nonconformance and corrective action processes, document control. These are inherited from the Annex SL structure and are more operationally intensive than NIST guidance requires.

Sector-specific EU Act requirements. High-risk AI in healthcare or employment requires specific technical documentation under the EU Act that goes beyond general risk management. Organizations in those sectors need EU-Act-specific compliance work regardless of NIST or ISO 42001 coverage.

Building One Program That Covers All Three

The practical implementation sequence:

  1. Build the AI inventory first — this is the foundation all three frameworks require and the input everything else depends on.
  2. Conduct risk assessments using NIST's Map/Measure functions — the documentation satisfies ISO 42001 and EU Act risk assessment requirements simultaneously.
  3. Draft the AI governance policy with sections that map explicitly to NIST Govern, ISO 42001 Clause 5, and EU Act Chapter 3 requirements.
  4. Implement human oversight provisions for high-risk AI — satisfies all three frameworks.
  5. Layer EU Act conformity work for any high-risk AI systems identified in the inventory.
  6. Add ISO 42001 management system disciplines if certification is a business objective.

The organizations that treat these as three separate compliance initiatives waste resources on redundant work. The organizations that treat them as one coordinated governance program build something more sustainable and more defensible — to regulators, customers, and the board.
