AI governance frameworks compared: EU AI Act vs NIST vs ISO 42001
- The three pillars are the EU AI Act (binding law), NIST AI RMF (voluntary method), and ISO 42001 (certifiable standard).
- They occupy different roles: an obligation, a method, and a provable system; they are not competing choices.
- A natural pattern: use NIST as the method, ISO 42001 to prove it, and satisfy the EU AI Act where it applies.
- Govern once and map many: build one practice and map all three onto it rather than running parallel efforts.
- Current as of June 2026. This is general information, not legal advice.
The three at a glance
- EU AI Act: A binding EU law. If it applies to you, compliance is mandatory and carries penalties. It prescribes obligations by risk tier. It tells you what you must do.
- NIST AI RMF: A voluntary US-origin framework. It offers a method for managing AI risk through four functions (Govern, Map, Measure, Manage) and has no enforcement mechanism. It tells you how to manage AI risk well.
- ISO/IEC 42001: An international, certifiable standard for an AI management system. You can be independently certified against it. It lets you build, and prove, a structured governance system.
How they compare
| Dimension | EU AI Act | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|
| Nature | Binding law | Voluntary framework | Certifiable standard |
| Enforcement | Fines up to 35M euro / 7% | None | None (but certifiable) |
| Tells you | What you must do | How to do it | How to build and prove a system |
| Proof to others | Compliance and conformity | Self-described alignment | Independent certificate |
| Origin | EU | US (global use) | International |
Different roles, not competing choices
The key insight from the table is that they occupy different roles. The EU AI Act is an obligation, the NIST AI RMF is a method, and ISO 42001 is a provable system. They are not competing choices; they answer different questions.
How they fit together
Because they rest on the same underlying discipline, they combine naturally. A common and effective pattern is: use the NIST AI RMF as the operating method to manage AI risk, build that into an ISO 42001 management system so you can prove it with a certificate, and ensure the whole thing satisfies the EU AI Act where it applies to you. In this pattern, NIST is how you work, ISO 42001 is how you prove it, and the EU AI Act is a binding requirement the system must meet. Each plays to its strength.
The shared substance
The reason this works is that all three call for the same fundamental things: knowing your AI systems, assessing their risks, applying controls, maintaining oversight, and keeping evidence. The vocabulary and the specific requirements differ, but the substance overlaps heavily. An organisation that governs its AI well, with a clear inventory, risk assessments, controls, and evidence, has built the foundation that all three draw on.
The practical conclusion
The practical conclusion is to govern once and map many. Rather than building a separate programme for each instrument, build one coherent AI governance practice and map the EU AI Act's obligations, the NIST functions, and the ISO 42001 requirements onto it. Capturing the facts about each AI system once, and using them to satisfy each framework, is far more efficient than maintaining three parallel efforts, and it produces governance that is coherent rather than fragmented. The frameworks are different shapes; your governance is the substance that fills them.
Key terms
- Binding law: A statute that imposes mandatory obligations with enforcement, like the EU AI Act.
- Voluntary framework: A non-binding method that organisations adopt by choice, like the NIST AI RMF.
- Certifiable standard: A standard, like ISO 42001, that an accredited body can independently certify against.
- Govern once, map many: Building one governance practice and mapping multiple frameworks onto it.