NIST AI RMF and ISO 42001: two frameworks, one program

The US risk framework and the international standard are constantly framed as competitors. They’re layers of the same program — here’s how they map, with examples, and why building both is one job.

Atwood · 2026 · 8 min read

Two names come up constantly in AI governance: the NIST AI Risk Management Framework and ISO/IEC 42001. Teams often treat them as competing options and ask which to "pick." That's the wrong question. They're different layers of the same program, and using both is stronger — and barely more work — than either alone.

What each one is

NIST AI RMF is a voluntary, US-recognized risk framework. It organizes the work into four functions — Govern, Map, Measure, Manage — and gives you a practical vocabulary for finding and treating AI risk. It's flexible and fast to adopt, and you can start using it tomorrow. What it doesn't do is certify you against anything.

ISO 42001 is a certifiable management system standard. It's the auditable structure — Plan-Do-Check-Act, Clauses 4–10, Annex A controls — that proves your organization runs AI governance as an ongoing discipline. (See our ISO 42001 explainer for the clause-by-clause view.)

Why they fit together

NIST tells you how to think about risk; ISO tells you how to run and prove it. The four NIST functions map cleanly onto ISO clauses:

  • Govern → Leadership (Clause 5) + Planning (Clause 6)
  • Map → Context (Clause 4) + Impact assessment (Annex A.5)
  • Measure → Performance evaluation (Clause 9)
  • Manage → Operation (Clause 8) + Improvement (Clause 10)

Example: you use NIST's Map function to identify that a member-scoring model could disadvantage a group. That same work satisfies ISO's A.5 impact assessment. You did one analysis; it served both frameworks. Do the risk thinking with NIST's structure, make it auditable with ISO's, and the effort compounds instead of duplicating.

And then there's the regulation

The EU AI Act turns this from optional to mandatory for certain uses, with real penalties. Both NIST and ISO are recognized ways to demonstrate the risk management and governance the Act expects — so building toward them is also building toward compliance. Example: a high-risk AI use under the Act needs documented risk management and human oversight; your ISO 42001 records and NIST risk work are exactly that documentation.

The practical takeaway

Build the control surface once — PII redaction, approval gates, audit trails, impact assessment, access control — and it serves NIST AI RMF, ISO 42001, and the EU AI Act at the same time.

Don't pick a framework. Build the governed substrate underneath all of them, structure the risk work with NIST, and make it provable with ISO. That's one program, three frameworks satisfied — which is the whole point of having a real control surface instead of a binder full of policies.

← All articles Book a discovery →