Hael
Sign inRequest a demo
NIST AI RMF · Crosswalk

NIST AI RMF to ISO 42001: a control crosswalk

Updated 6 July 2026 · 6 min read
Key takeaway
The two fit together cleanly: the NIST RMF is a voluntary method organised around four functions, ISO/IEC 42001 is a certifiable management-system standard organised around a management system and Annex A controls. This crosswalk maps the RMF's functions onto the ISO structure so an organisation can run one programme and satisfy both.
  • ISO/IEC 42001 is certifiable; the NIST AI RMF is not — they answer different buyer questions.
  • Govern, Map, Measure and Manage each map to specific ISO clauses and Annex A controls.
  • Operate one control set: record it once, reference it into both vocabularies.
  • A crosswalk aligns structures, not certificates: consult the ISO standard itself for authoritative control text.
  • General information, not legal advice. Current as of July 2026.

Why crosswalk rather than choose

Organisations often hold both because they answer different questions. ISO/IEC 42001 gives you something certifiable, an AI management system an accredited body can audit and certify, which buyers and boards recognise. The NIST RMF gives you a widely understood risk method, especially in the US market. Rather than run two programmes, map one onto the other and operate a single set of controls that reports into both vocabularies. This is a comparison of structure, not a legal equivalence; neither substitutes for the other's certificate or context.

The mapping, function by function

Govern maps to the heart of ISO/IEC 42001: leadership, AI policy, roles and responsibilities, and the management-system clauses that establish accountability, along with the Annex A controls on organisational policies. Map maps to the standard's context-of-the-organisation and risk-identification requirements, and to Annex A controls on understanding AI systems and their intended use. Measure maps to the performance-evaluation clauses and the Annex A controls on assessing AI system impacts and testing. Manage maps to operational planning and control, risk treatment, and the Annex A controls on managing AI risks through the lifecycle, including monitoring and incident handling.

Running one programme for both

In practice: use ISO/IEC 42001's management-system requirements as the backbone, because that is what gets certified, then use the RMF's functions and the Playbook's suggested actions to populate the risk work underneath. A control you operate once, say a documented human-oversight point with an owner and evidence, satisfies an ISO Annex A control and an RMF Manage outcome simultaneously. Record it once, reference it into both.

What the crosswalk cannot do

A crosswalk aligns structures; it does not certify. Only an accredited body can certify ISO/IEC 42001, and the RMF confers no certificate at all. And because ISO/IEC 42001 is a formal standard, this article describes the mapping in general terms rather than reproducing the standard's controls; consult the standard itself for the authoritative control text before relying on any mapping.

Key terms

Crosswalk
A structural mapping between two frameworks that lets one set of controls serve both.
Management system
The set of policies, roles, and processes an organisation uses to direct and control a topic — in ISO/IEC 42001, AI.
Annex A controls
The catalogue of AI-specific controls attached to ISO/IEC 42001, used as reference controls for the management system.
Certification
Formal attestation by an accredited body that a management system meets a standard; available for ISO/IEC 42001, not for the RMF.
Single control set
One operated control that produces evidence for multiple frameworks at once.

References

Related guides

Keep reading on NIST AI RMF.

Free check

See where you stand on NIST AI RMF, free.

Answer a few questions and get an indicative view of what NIST AI RMF expects of your AI systems and where you stand today — no sign-up to see your result.

Indicative, not legal advice.
NIST AI RMF · indicative readiness
HAEL FREE TOOLLIVE
Applicability
Applies to your AI use
MAPPED
What's expected
Risk classification · governance · documentation · oversight
4 PILLARS
Where you stand
Banded result · pointed to the gaps that matter most
SOURCED
Result
On-screen, free · optional PDF
FREE
Effort
Pre-scoped to NIST AI RMF
~ 5 MIN
INDICATIVE · NOT LEGAL ADVICE