ISO/IEC 42001 vs the NIST AI Risk Management Framework
- ISO 42001 is certifiable by an accredited body; NIST AI RMF is not certifiable.
- NIST AI RMF is a risk-management framework organised around four functions: Govern, Map, Measure, Manage.
- Buyers who ask 'do you have a certificate?' are asking about ISO 42001, not NIST.
- The two crosswalk cleanly — one control regime can report into both structures.
- Neither is a substitute for the EU AI Act — see the dedicated article on that.
- General information, not legal advice. Current as of July 2026.
The core difference
ISO/IEC 42001 is a management-system specification: an accredited certification body audits your organisation's AIMS against the standard and issues a certificate that is recognised across jurisdictions. NIST AI RMF is a risk-management framework: it structures how to identify, map, measure and manage AI risk, but no certificate exists at the end of it. The National Institute of Standards and Technology publishes NIST AI RMF as guidance; it does not accredit auditors.
How they crosswalk
The two structures crosswalk cleanly. NIST's Govern function corresponds to the ISO 42001 leadership, policy and organisational-role clauses and Annex A's policy controls. Map corresponds to context, scope and risk-identification requirements. Measure corresponds to performance-evaluation clauses and impact-assessment controls. Manage corresponds to operational planning, risk treatment and monitoring. A single set of controls, properly recorded, can report into both languages simultaneously.
Which one to lead with
Lead with what the buyer or regulator is asking for. Enterprise procurement questionnaires — CAIQ, SIG Lite — increasingly ask 'do you hold ISO/IEC 42001?', a certificate question. NIST AI RMF alignment is worth stating alongside, but it is not what a certificate question is asking. Where the driver is US federal contracting, NIST alignment carries independent weight.
Using them together
The practical pattern is to run one AI governance programme and report it two ways. ISO 42001 gives you the auditable management-system structure and the certificate. NIST AI RMF gives you a richly detailed risk-practice library that helps you populate the risk work underneath — particularly Map and Measure — and speaks the language many US-based partners and buyers prefer.