Every organization deploying AI faces the same problem: the regulatory and standards landscape has fractured into four overlapping frameworks, each with a different scope, legal weight and operational logic. Pick only one and you will have gaps. Try to implement all four without a clear structure and you will duplicate effort across teams.
This guide maps all four major AI governance frameworks, explains how they relate to each other and provides a practical sequencing plan for organizations building a multi-framework compliance programme.
What Is an AI Governance Framework?
An AI governance framework is a structured set of policies, processes, roles and controls that governs how an organization develops, deploys and monitors AI systems. It answers three questions: who is accountable for AI decisions, how are risks identified and managed, and what evidence proves that controls are working.
Governance frameworks differ from internal AI policies in one important way. A policy states what must happen. A framework defines how to organize everything that must happen, who owns each piece and how the pieces connect to each other. Without a framework, compliance becomes a collection of standalone actions with no one responsible for the overall programme.
Three pillars appear across every major framework:
Accountability. Someone must own each AI system and be able to explain the decisions it makes.
Transparency. The organization must be able to describe how the AI works, what data it uses and what its limitations are.
Risk management. Risks must be identified, assessed and actively managed before deployment and throughout the system’s operational life.
The distinction matters in practice. An organization with a well-written AI policy but no governance framework will struggle to demonstrate compliance to an auditor, respond to a regulatory inquiry or onboard a new AI system without reinventing its approach each time.
Why Organizations Cannot Afford to Wait
The enforcement calendar is no longer theoretical.
The EU AI Act’s prohibition on unacceptable-risk AI practices came into force in February 2025. Obligations for general-purpose AI model providers began in August 2025. Full high-risk AI system requirements apply from August 2026. Organizations placing AI on the EU market that have not started their governance programmes are already operating without a compliance baseline.
ISO 42001 adoption is accelerating in parallel. A 2025 survey by Sprinto found that 76% of organizations planned to pursue ISO 42001 certification within the year. Regulators in the UK, Singapore and Canada have begun referencing the standard in guidance documents, treating certification as a signal of governance maturity even where it is not legally required.
Market pressure is compounding regulatory pressure. Gartner estimated in February 2026 that the AI governance platform market had exceeded $1 billion in annual revenue. Enterprise procurement teams now routinely request evidence of AI governance documentation as part of vendor security and compliance questionnaires.
Organizations without a structured programme face three concrete risks: regulatory fines reaching EUR 35 million or 7% of global turnover under the EU AI Act, reputational damage from publicly exposed AI failures and operational disruption when auditors find no evidence trail.
The Four Frameworks Every AI Governance Lead Should Know
The four frameworks each occupy a distinct layer of the governance stack. Understanding each one clearly is the prerequisite for combining them effectively.
NIST AI Risk Management Framework (AI RMF)
The National Institute of Standards and Technology published AI RMF 1.0 in January 2023. An updated Generative AI Profile followed in 2024, addressing large language models and foundation models specifically.
The framework organizes AI risk management around four functions:
GOVERN establishes the organizational culture, policies, accountability structures and oversight mechanisms that make risk management possible and repeatable.
MAP identifies AI risks before deployment: what could go wrong, who is affected and how severe the consequences could be across different contexts.
MEASURE quantifies and tests AI risk using metrics, red-teaming exercises, bias evaluations and technical audits.
MANAGE prioritizes and treats the risks identified through MEASURE, assigns owners and tracks residual risk over time.
NIST AI RMF is voluntary. There is no certification scheme and no legal obligation for any organization to adopt it. Its strength is flexibility: it works for AI systems of any type, organizations of any size and any sector. It is particularly well suited to technology companies and risk-function teams that want a structured process without a heavy compliance overhead.
The AI RMF Playbook, a companion document, provides more than 200 subcategory actions across the four functions, making implementation concrete even for organizations starting from scratch.
ISO/IEC 42001:2023: AI Management System Standard
ISO 42001 is the first international AI management system standard against which an organization can be independently certified. Published in December 2023, it follows the Annex SL high-level structure used by ISO 27001 (information security management) and ISO 9001 (quality management). Organizations with existing certifications can integrate AI governance into their management system without building a parallel structure from scratch.
The standard organizes requirements into ten clauses. Clauses 4 through 10 are auditable and form the basis for certification. Annex A provides 38 controls across nine control domains, covering AI policy, AI impact assessments, AI system design and development, data management, supplier management and performance evaluation.
Third-party certification follows the same pattern as other ISO management system standards: an initial stage-one documentation review, a stage-two on-site audit, then annual surveillance audits, with full recertification every three years. ISO/IEC 42006:2025 defines the competency requirements for certification auditors.
ISO 42001 is best suited to enterprise organizations, regulated industries and companies with global supply chains that need a common governance baseline across subsidiaries and suppliers. It requires visible top management commitment, designated AI roles, documented AI objectives and a functioning internal audit programme.
EU AI Act: The World’s First Binding AI Regulation
Regulation (EU) 2024/1689, published in the Official Journal on 12 July 2024, is the world’s first comprehensive legal framework for AI. Unlike NIST AI RMF and ISO 42001, it is not optional: organizations within its scope must comply.
The regulation classifies AI systems into four risk tiers:
Unacceptable risk: Prohibited outright. This includes social scoring by public authorities, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions) and AI systems that exploit psychological vulnerabilities. These prohibitions applied from February 2025.
High risk: Subject to stringent pre-market and ongoing obligations, including conformity assessment, a documented risk management system, technical documentation, post-market monitoring, registration in the EU AI database and human oversight measures. Full obligations apply from August 2026.
Limited risk: Subject to transparency requirements only. Chatbots and AI-generated content must disclose the AI nature of the interaction or output.
Minimal risk: No obligations. The vast majority of commercial AI applications fall in this tier.
The EU AI Act has extraterritorial scope. It applies to any organization that places AI systems on the EU market or whose AI outputs affect persons located in the EU, regardless of where the organization is headquartered. A company based in the United States or Singapore with EU customers using its AI product must comply.
Fines for violations of prohibited practices reach EUR 35 million or 7% of global annual turnover, whichever is higher. Violations of other high-risk obligations carry fines up to EUR 15 million or 3% of global turnover.
OECD AI Principles: The Global Baseline
The OECD AI Principles (OECD/LEGAL/0449) were adopted in May 2019 and updated in May 2024 to address generative AI and foundation models. They have been adopted by 47 jurisdictions including all G20 members.
The five values-based principles are:
- Inclusive growth, sustainable development and well-being
- Human-centred values and fairness
- Transparency and explainability
- Robustness, security and safety
- Accountability
The 2024 update strengthened the language on transparency and accountability in the context of large language models and added guidance on measuring AI risks at scale.
OECD Principles are non-binding but carry significant policy weight. They formed the basis for the G7 Hiroshima AI Process Code of Conduct. Several national regulators treat demonstrated alignment with OECD Principles as evidence of governance good faith in enforcement proceedings and in regulatory sandbox applications.
How the Four Frameworks Relate to Each Other
The four frameworks operate at different levels of abstraction and legal force. Thinking of them as layers makes the relationship clear.
Layer 1 (values): OECD AI Principles provide the ethical baseline. They describe what good AI governance should achieve, not how to achieve it.
Layer 2 (risk process): NIST AI RMF provides the risk management process. It tells you how to systematically identify, measure and respond to AI risk.
Layer 3 (management system): ISO 42001 provides the organizational system. It tells you how to build the policies, roles, audit cycles and evidence trails that make risk management repeatable at scale.
Layer 4 (legal obligations): EU AI Act converts certain requirements into binding legal obligations with defined penalties and enforcement mechanisms.
A mature AI governance programme uses all four layers. OECD Principles set the direction. NIST AI RMF drives the risk identification and measurement process. ISO 42001 provides the organizational spine and the certification signal that external stakeholders can verify. EU AI Act compliance defines the legal floor for organizations with EU exposure.
Organizations that treat the four frameworks as alternatives, asking which one to use instead of asking how to layer them, consistently end up with programmes that satisfy one audience (say, a certifying body) while leaving gaps visible to another (say, an EU market surveillance authority).
Cross-Framework Control Mapping
The four frameworks use different language but cover substantial overlapping ground. Organizations that recognize these overlaps avoid duplicating documentation and audit effort.
Three control mappings produce the most immediate efficiency gains:
ISO 42001 Clause 5 (Leadership) and NIST GOVERN. Both require a documented AI policy, visible top management commitment and designated accountability for AI risk. An organization that satisfies ISO 42001 Clause 5 has addressed the substantial majority of NIST GOVERN requirements and can use the same evidence artefacts for both.
ISO 42001 Clause 6 (Planning) and EU AI Act Article 9 (Risk Management System). Article 9 requires high-risk AI providers to establish and maintain a risk management system. ISO 42001 Clause 6 requires a structured process for identifying AI-related risks and opportunities. Conformance body analysis indicates that organizations implementing ISO 42001 Clause 6 address approximately 60% of Article 9 requirements through their existing planning and risk assessment process.
ISO 42001 Clause 9 (Performance Evaluation) and NIST MEASURE. NIST MEASURE covers the metrics, testing and evaluation activities that quantify AI risk. ISO 42001 Clause 9 requires internal audits and management reviews of the AI management system’s performance. The evidence generated for one feeds directly into the other, and both can be satisfied by a single audit programme.
Two developing European standards, prEN 18228 and prEN 18282, are being finalized by CEN-CENELEC and will provide additional technical guidance aligned with the EU AI Act. Their eventual publication will add harmonized technical specifications that connect EU AI Act obligations to ISO 42001 controls more precisely.
Choosing Your Starting Point
Most organizations will need to engage with all four frameworks eventually. The practical question is sequencing.
If you have EU exposure: Start with EU AI Act risk classification. Identify every AI system, classify it by risk tier and determine which systems carry high-risk obligations. This tells you where compliance pressure is highest and sets the scope for everything else. Organizations with EU exposure that delay classification are accumulating regulatory risk with every passing month.
If you need a certification signal: Start with ISO 42001. The management system it requires will structure your governance programme in a way that creates parallel value for NIST AI RMF compliance and EU AI Act Article 9 obligations simultaneously. Procurement teams and enterprise customers increasingly treat ISO 42001 certification as a prerequisite for AI vendor approval.
If you are US-based with no EU exposure and no immediate certification need: Start with NIST AI RMF. Its flexibility makes it the lowest-friction entry point. Use it to build your risk identification and measurement capability, then layer ISO 42001 when certification becomes a procurement or regulatory requirement.
If you are building global policy alignment: Start with OECD Principles as the reference for your AI ethics policy, then select the operational framework, ISO 42001 or NIST AI RMF, that fits your sector and regulatory environment.
One sequencing principle holds regardless of starting point: never treat any single framework as complete on its own. Every mature AI governance programme reviewed by external auditors shows elements drawn from all four layers.
Building a Multi-Framework AI Governance Programme
A working multi-framework programme follows five stages.
Stage 1: AI system inventory. List every AI system the organization develops, deploys or procures from third parties. Include systems the organization did not build. Many organizations discover during this stage that AI-enabled tools have been adopted across business units without formal review.
Stage 2: Risk classification. For each system in the inventory, apply the EU AI Act risk tier classification and the NIST AI RMF MAP function to identify the nature and severity of potential harms. This produces a risk register that sets the priority order for the rest of the programme.
Stage 3: Control framework selection. Use ISO 42001 Annex A as the operational spine. For each control in Annex A, determine whether it is already in place, partially implemented or absent. Map NIST AI RMF functions and EU AI Act obligations against the ISO 42001 controls to identify where a single control implementation satisfies multiple framework requirements at once.
Stage 4: Evidence collection. For every control, define what evidence demonstrates that it is working. Evidence might take the form of a policy document, an audit log, a test report or a supplier attestation. A governance platform that tracks evidence against controls across all four frameworks prevents the duplicated documentation effort that typically consumes most of an AI governance team’s capacity.
Stage 5: Continuous monitoring. AI risk is not static. Models drift, regulations change and new AI capabilities emerge regularly. Build a monitoring programme that reviews control effectiveness on a defined cycle, updates risk classifications when new systems are deployed and feeds internal audit findings back into the planning process.
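The five stages above, worked as a small gap analysis, added here as an illustration (constructed example, not AI Sigil's code or any framework's official mapping). It encodes only the clause-to-function mappings the article states (ISO 42001 Clauses 4 and 5 to GOVERN, 6 and 8 to MAP and MEASURE, 9 to MEASURE, 10 to MANAGE, and Clause 6 to EU AI Act Article 9), takes a constructed inventory with EU risk tiers already assigned, and reports which NIST functions and EU obligations still lack a fully implemented ISO control. The `AISystem` type, the three sample systems and the status vocabulary are assumptions.

```python
from dataclasses import dataclass

# Constructed example, not AI Sigil's code. The mappings are the ones the article
# states: ISO 42001 clause -> NIST AI RMF function(s) it supports, and ISO 42001
# Clause 6 -> EU AI Act Article 9 (risk management system for high-risk systems).
ISO_TO_NIST = {
    "4": {"GOVERN"}, "5": {"GOVERN"},
    "6": {"MAP", "MEASURE"}, "8": {"MAP", "MEASURE"},
    "9": {"MEASURE"}, "10": {"MANAGE"},
}
ISO_TO_EU = {"6": {"Art. 9"}}
NIST_FUNCTIONS = {"GOVERN", "MAP", "MEASURE", "MANAGE"}
TIER_PRIORITY = {"unacceptable": 0, "high": 1, "limited": 2, "minimal": 3}


@dataclass
class AISystem:  # hypothetical inventory record (Stage 1)
    name: str
    eu_tier: str    # EU AI Act tier assigned in Stage 2 (a TIER_PRIORITY key)
    controls: dict  # ISO 42001 clause -> "in place" | "partial" | "absent"


def risk_register(inventory):
    """Stage 2: order the inventory so the highest-risk tier is handled first."""
    return sorted(inventory, key=lambda s: (TIER_PRIORITY[s.eu_tier], s.name))


def coverage(system):
    """Stage 3: requirements covered by the system's ISO 42001 controls.
    Only a control that is fully in place counts; 'partial' and 'absent'
    both leave the mapped NIST function or EU article uncovered."""
    nist_done, eu_done = set(), set()
    for clause, status in system.controls.items():
        if status == "in place":
            nist_done |= ISO_TO_NIST.get(clause, set())
            eu_done |= ISO_TO_EU.get(clause, set())
    return nist_done, eu_done


def gap_report(system):
    """Stages 4-5: requirements with no fully implemented control behind them.
    EU AI Act obligations are checked only for high-risk systems; a system in
    the unacceptable tier is flagged rather than assessed for controls."""
    nist_done, eu_done = coverage(system)
    gaps = {"NIST": sorted(NIST_FUNCTIONS - nist_done), "EU": []}
    if system.eu_tier == "unacceptable":
        gaps["EU"] = ["prohibited practice"]
    elif system.eu_tier == "high":
        gaps["EU"] = sorted({"Art. 9"} - eu_done)
    return gaps


# Constructed Stage 1 inventory: one limited-risk and two high-risk systems.
INVENTORY = [
    AISystem("support-chatbot", "limited", {"5": "in place", "6": "partial"}),
    AISystem("credit-scoring", "high", {"4": "in place", "5": "in place", "6": "in place",
                                        "8": "partial", "9": "in place", "10": "absent"}),
    AISystem("cv-screening", "high", {"5": "in place", "6": "partial"}),
]

if __name__ == "__main__":
    for system in risk_register(INVENTORY):
        print(f"{system.name} ({system.eu_tier}): gaps {gap_report(system)}")
```

The same ISO control status feeds both the NIST and EU columns, which is the evidence reuse Stage 4 describes; a partially implemented Clause 6 on a high-risk system shows up as both a MAP/MEASURE gap and an Article 9 gap.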
AI Sigil is designed around this five-stage structure. The platform maintains a unified AI system inventory, maps controls across NIST AI RMF, ISO 42001 and EU AI Act simultaneously, collects and links evidence to controls and surfaces gaps before external auditors identify them.
Frequently Asked Questions
Is ISO 42001 mandatory?
No. ISO 42001 is a voluntary international standard. No jurisdiction currently mandates it by law. However, it is increasingly referenced in procurement requirements, regulatory guidance and insurance underwriting criteria, making adoption a de facto expectation in many regulated sectors.
Does the EU AI Act require ISO 42001 certification?
No. The EU AI Act does not require ISO 42001 certification. However, a certified ISO 42001 management system provides strong evidence of a functioning risk management system, which is one of the core obligations for high-risk AI providers under Article 9. Conformance bodies have confirmed that ISO 42001 certification addresses a substantial portion of Article 9 requirements.
What is the difference between a risk framework and a management system standard?
A risk framework defines a process for identifying and managing risk. It does not specify how the organization should be structured to run that process reliably over time. A management system standard specifies the organizational structure, roles, policies and review cycles that make risk management repeatable and auditable year after year. Risk frameworks answer what to do; management system standards answer how to organize the doing.
Can NIST AI RMF and ISO 42001 be used together?
Yes, and most mature organizations do use both. NIST AI RMF provides a detailed risk identification and measurement process that enriches ISO 42001’s more outcome-oriented control requirements. The GOVERN function maps to ISO 42001 Clauses 4 and 5; MAP and MEASURE map to Clauses 6 and 8; MANAGE maps to Clause 10. The two frameworks were designed to be complementary and operate on the same underlying risk management logic.
How long does ISO 42001 certification take?
Most organizations that begin from a documented governance programme reach certification in 6 to 12 months. The timeline depends on the number of AI systems in scope, the maturity of existing documentation (particularly if ISO 27001 or ISO 9001 is already certified) and audit body scheduling. Organizations starting from scratch should plan for 12 to 18 months.
Conclusion
The four AI governance frameworks are not competitors. They are layers. NIST AI RMF, ISO 42001, EU AI Act and OECD Principles each address a different dimension of the same problem: how to govern AI responsibly, at scale, in a way that external stakeholders can verify.
Organizations that layer them correctly build programmes that satisfy regulators, certification bodies, enterprise procurement teams and board-level scrutiny in a single integrated effort. The practical starting point is the same for most: build an AI system inventory, classify risks, adopt ISO 42001 Annex A as the control spine, map NIST AI RMF and EU AI Act obligations against it and monitor continuously.
AI Sigil makes that programme operational. The platform maps controls across all four frameworks, tracks the evidence your next audit will ask for and surfaces gaps before they become findings.
Sources: NIST AI RMF 1.0 (January 2023); ISO/IEC 42001:2023; ISO/IEC 42006:2025; Regulation (EU) 2024/1689 (EU AI Act), OJ L, 12 July 2024; OECD AI Principles (OECD/LEGAL/0449), updated May 2024; Gartner AI Governance Platform Market Analysis, February 2026; Sprinto ISO 42001 Adoption Survey, 2025; prEN 18228 and prEN 18282 (CEN-CENELEC, name-only reference).