If your company builds, sells, or even meaningfully uses AI, three frameworks now sit on your compliance roadmap. They overlap significantly but answer different questions. Here is the comparison that finally makes sense of the alphabet soup.
The 30-second positioning
- NIST AI RMF: US voluntary framework. A flexible risk-management approach. Best treated as a foundation.
- ISO/IEC 42001: International AI Management System (AIMS) standard. Certifiable. The “ISO 27001 of AI.”
- EU AI Act: Binding EU regulation with categorical risk tiers and concrete obligations. Effective in stages through 2027.
NIST AI RMF in depth
The NIST AI Risk Management Framework (released 2023, generative AI profile released 2024) organizes around four functions: Govern, Map, Measure, Manage. It does not certify and is not law. Its strength is that it is the lingua franca for US enterprise discussions about AI risk and a flexible starting point.
If you sell to US enterprises, expect to see NIST AI RMF referenced in vendor questionnaires. A reasonable answer is “We have adopted NIST AI RMF as our internal framework, with the following implementation specifics…” accompanied by a mapping document.
ISO/IEC 42001: the certifiable option
Published in December 2023, ISO/IEC 42001 is the first international AI Management System standard. It is structured like ISO 27001: a management system with required clauses (4-10) and an Annex A of controls. Annex A in 42001 has 38 controls organized across 9 control objectives covering AI policies, internal organization, data resources, lifecycle, third parties, and impact assessment.
Why it matters: 42001 is certifiable by accredited bodies. For organizations already running an ISO 27001 ISMS, adding 42001 is a natural extension. Expect 42001 certifications to become a B2B differentiator in 2026.
| Aspect | NIST AI RMF | ISO 42001 | EU AI Act |
|---|---|---|---|
| Binding | Voluntary | Voluntary (certifiable) | Yes (EU) |
| Structure | 4 functions, 70+ subcategories | Management system + 38 controls | Risk tiers + obligations |
| Best for | Foundational US framework | Certifiable AIMS | EU market access |
| Effective | 2023 | 2023 | Phased: 2024-2027 |
| Penalties | None | Loss of cert | Up to 7% global revenue |
EU AI Act: the regulatory weight
The EU AI Act creates four risk categories with different obligations:
- Unacceptable risk: Banned. Social scoring, untargeted facial scraping, predictive policing.
- High risk: Heavy obligations. Risk management, data governance, transparency, human oversight, accuracy, robustness, cybersecurity, conformity assessment, registration. Examples: medical devices, employment screening, critical infrastructure.
- Limited risk: Transparency obligations. Chatbots must disclose that the user is interacting with an AI. Deepfakes must be labeled.
- Minimal risk: No specific obligations. Most consumer AI applications.
General-Purpose AI (GPAI) model providers have a separate stack of obligations regardless of downstream use case, with stricter requirements for “systemic risk” models above certain compute thresholds.
Timeline reality check
Prohibitions and AI literacy obligations took effect February 2, 2025. GPAI obligations: August 2, 2025. High-risk system obligations: August 2, 2026 (for systems with safety components) and August 2, 2027 (for stand-alone Annex III systems). If you offer AI products in the EU, you have less time than it feels like.
How they overlap
The good news: implementing ISO 42001 covers roughly 70% of NIST AI RMF requirements and 50-60% of EU AI Act technical and documentation obligations. The 42001-as-foundation strategy is increasingly the recommended path.
The pragmatic adoption order
- Now: Build an AI inventory. Every model in production, every meaningful AI feature, every third-party AI tool used internally.
- Q1-Q2: Adopt NIST AI RMF as the operating framework. It is free, flexible, and US enterprise buyers expect it.
- Q2-Q3: Pursue ISO 42001 if you sell B2B internationally. Plan for 6-9 months to certification.
- Q3-Q4: Layer EU AI Act compliance for any high-risk system or EU customer.
Bottom line
NIST AI RMF is your foundation. ISO 42001 is the certification. EU AI Act is the regulatory floor for EU operations. Done well, the three reinforce each other. Done poorly, they create three separate audit trails. QAE ships a unified AI Governance module that maps controls across all three frameworks so you implement once and report multiple times.
Want to skip the spreadsheet years?
QAE automates evidence collection across 200+ integrations, maps controls across 20+ frameworks, and gets you audit-ready in 11 weeks.