The three reference points for AI risk management are the NIST AI RMF (a voluntary US framework), ISO/IEC 42001 (a certifiable management-system standard), and the EU AI Act (a binding law). They are complementary, not competing: NIST gives you a method, ISO 42001 gives you a certifiable system, and the EU AI Act tells you what is legally required.
What is an AI risk management framework?
An AI risk management framework is a structured way to identify, assess, and control the risks an AI system can create — to people, to the business, and to compliance. Some frameworks are voluntary methods, others are certifiable standards, and one of the three here is law.
NIST AI RMF
The NIST AI Risk Management Framework (AI RMF 1.0), published by the US National Institute of Standards and Technology in 2023, is voluntary and widely used beyond the US. It organizes AI risk work into four functions:
- Govern. Build a culture and structure for managing AI risk.
- Map. Understand the context and identify risks.
- Measure. Analyze and track those risks.
- Manage. Prioritize and act on them.
It also has a companion profile for generative AI.
ISO/IEC 42001
ISO/IEC 42001, published in 2023, is the first certifiable AI management system (AIMS) standard. It does for AI what ISO 27001 does for information security: it defines a management system you can build, audit, and certify against. For enterprises, certification is a credible, formal signal that AI governance is in place.
EU AI Act
The EU AI Act is not a framework but a binding law that sorts AI by risk and sets obligations accordingly, with significant penalties. NIST and ISO 42001 help you operationalize the controls the Act expects. See our guide to the EU AI Act and GDPR for the deadlines and obligations.
NIST AI RMF vs ISO 42001 vs EU AI Act
| | NIST AI RMF | ISO/IEC 42001 | EU AI Act |
|---|---|---|---|
| Type | Voluntary framework | Certifiable standard | Binding law |
| Released | 2023 | 2023 | 2024 (phased to 2027) |
| Geography | US, used globally | International | EU, with extraterritorial reach |
| Structure | Govern, Map, Measure, Manage | Management system (like ISO 27001) | Risk tiers and obligations |
| Certification | None formal | Third-party certifiable | Conformity assessment for high-risk |
Which should you use?
For most enterprises the answer is all three, in different roles: NIST AI RMF to shape the method and shared language, ISO/IEC 42001 to build and certify the program, and the EU AI Act to anchor what is legally required. A single set of controls can satisfy all three.
Key takeaways
- NIST AI RMF is a voluntary method; ISO 42001 is certifiable; the EU AI Act is law.
- They are complementary, and one control set can map to all three.
- Use NIST for method, ISO 42001 for certification, the EU AI Act for legal scope.
Frequently asked questions
What is the NIST AI Risk Management Framework?
The NIST AI RMF is a voluntary framework published by the US National Institute of Standards and Technology in 2023. It helps organizations manage AI risk through four functions — Govern, Map, Measure, and Manage — and has a companion profile for generative AI.
What is ISO/IEC 42001?
ISO/IEC 42001, published in 2023, is the first certifiable management-system standard for AI. It defines an AI management system (AIMS) the way ISO 27001 defines an information security management system, so an organization can be independently audited and certified.
What is the difference between NIST AI RMF and ISO 42001?
The NIST AI RMF is a voluntary method and vocabulary for managing AI risk, with no formal certification. ISO/IEC 42001 is a certifiable standard: you can be audited against it and earn a certificate. Many organizations use NIST to shape the program and ISO 42001 to certify it.
Is the EU AI Act a framework or a law?
The EU AI Act is a binding law, not a voluntary framework. It sets legal obligations for AI based on risk level, with penalties for non-compliance. Frameworks like NIST AI RMF and ISO 42001 help you operationalize the controls the law expects.
Which AI risk framework should we use?
Most enterprises use all three together: the NIST AI RMF for a common method and vocabulary, ISO/IEC 42001 for a certifiable and auditable program, and the EU AI Act to know what is legally required. They are complementary rather than competing.
Whichever frameworks you map to, the operational work is the same: a model inventory, risk classification, enforced policy, and an audit trail. DataSafeguard provides that foundation.