Hael
Sign inRequest a demo
ISO/IEC 42001 · Buyer intent

ISO/IEC 42001 vs the NIST AI Risk Management Framework

Updated 12 July 2026 · 6 min read
Key takeaway
ISO/IEC 42001 and the NIST AI Risk Management Framework are not competitors. ISO 42001 is a certifiable management-system standard — an accredited body can audit and issue a certificate. NIST AI RMF is a voluntary risk-management framework, widely used in the United States, that structures how an organisation identifies and mitigates AI risk. Most organisations that adopt both use NIST as the risk practice library and ISO 42001 as the certifiable wrapper that reports the same work into an auditable structure.
  • ISO 42001 is certifiable by an accredited body; NIST AI RMF is not certifiable.
  • NIST AI RMF is a risk-management framework organised around four functions: Govern, Map, Measure, Manage.
  • Buyers who ask 'do you have a certificate?' are asking about ISO 42001, not NIST.
  • The two crosswalk cleanly — one control regime can report into both structures.
  • Neither is a substitute for the EU AI Act — see the dedicated article on that.
  • General information, not legal advice. Current as of July 2026.

The core difference

ISO/IEC 42001 is a management-system specification: an accredited certification body audits your organisation's AIMS against the standard and issues a certificate that is recognised across jurisdictions. NIST AI RMF is a risk-management framework: it structures how to identify, map, measure and manage AI risk, but no certificate exists at the end of it. The National Institute of Standards and Technology publishes NIST AI RMF as guidance; it does not accredit auditors.

How they crosswalk

The two structures crosswalk cleanly. NIST's Govern function corresponds to the ISO 42001 leadership, policy and organisational-role clauses and Annex A's policy controls. Map corresponds to context, scope and risk-identification requirements. Measure corresponds to performance-evaluation clauses and impact-assessment controls. Manage corresponds to operational planning, risk treatment and monitoring. A single set of controls, properly recorded, can report into both languages simultaneously.

Which one to lead with

Lead with what the buyer or regulator is asking for. Enterprise procurement questionnaires — CAIQ, SIG Lite — increasingly ask 'do you hold ISO/IEC 42001?', a certificate question. NIST AI RMF alignment is worth stating alongside, but it is not what a certificate question is asking. Where the driver is US federal contracting, NIST alignment carries independent weight.

Using them together

The practical pattern is to run one AI governance programme and report it two ways. ISO 42001 gives you the auditable management-system structure and the certificate. NIST AI RMF gives you a richly detailed risk-practice library that helps you populate the risk work underneath — particularly Map and Measure — and speaks the language many US-based partners and buyers prefer.

References

Related guides

Keep reading on ISO/IEC 42001.

Free check

See where you stand on ISO/IEC 42001, free.

Answer a few questions and get an indicative view of what ISO/IEC 42001 expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
ISO/IEC 42001 · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to ISO/IEC 42001
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE