NIST AI RMF to ISO 42001: a control crosswalk
- ISO/IEC 42001 is certifiable; the NIST AI RMF is not — they answer different buyer questions.
- Govern, Map, Measure and Manage each map to specific ISO clauses and Annex A controls.
- Operate one control set: record it once, reference it into both vocabularies.
- A crosswalk aligns structures, not certificates: consult the ISO standard itself for authoritative control text.
- General information, not legal advice. Current as of July 2026.
Why crosswalk rather than choose
Organisations often hold both because they answer different questions. ISO/IEC 42001 gives you something certifiable, an AI management system an accredited body can audit and certify, which buyers and boards recognise. The NIST RMF gives you a widely understood risk method, especially in the US market. Rather than run two programmes, map one onto the other and operate a single set of controls that reports into both vocabularies. This is a comparison of structure, not a legal equivalence; neither substitutes for the other's certificate or context.
The mapping, function by function
Govern maps to the heart of ISO/IEC 42001: leadership, AI policy, roles and responsibilities, and the management-system clauses that establish accountability, along with the Annex A controls on organisational policies. Map maps to the standard's context-of-the-organisation and risk-identification requirements, and to Annex A controls on understanding AI systems and their intended use. Measure maps to the performance-evaluation clauses and the Annex A controls on assessing AI system impacts and testing. Manage maps to operational planning and control, risk treatment, and the Annex A controls on managing AI risks through the lifecycle, including monitoring and incident handling.
Running one programme for both
In practice: use ISO/IEC 42001's management-system requirements as the backbone, because that is what gets certified, then use the RMF's functions and the Playbook's suggested actions to populate the risk work underneath. A control you operate once, say a documented human-oversight point with an owner and evidence, satisfies an ISO Annex A control and an RMF Manage outcome simultaneously. Record it once, reference it into both.
What the crosswalk cannot do
A crosswalk aligns structures; it does not certify. Only an accredited body can certify ISO/IEC 42001, and the RMF confers no certificate at all. And because ISO/IEC 42001 is a formal standard, this article describes the mapping in general terms rather than reproducing the standard's controls; consult the standard itself for the authoritative control text before relying on any mapping.
Key terms
- Crosswalk
- A structural mapping between two frameworks that lets one set of controls serve both.
- Management system
- The set of policies, roles, and processes an organisation uses to direct and control a topic — in ISO/IEC 42001, AI.
- Annex A controls
- The catalogue of AI-specific controls attached to ISO/IEC 42001, used as reference controls for the management system.
- Certification
- Formal attestation by an accredited body that a management system meets a standard; available for ISO/IEC 42001, not for the RMF.
- Single control set
- One operated control that produces evidence for multiple frameworks at once.