Someone in your organisation finally asked the question out loud in a meeting: “Which AI governance framework do we actually need?”
And immediately three names got mentioned — the EU AI Act, NIST AI RMF, and ISO/IEC 42001. Everyone nodded as if they knew exactly what those meant. Nobody wanted to admit they were not completely sure how the three relate to each other or which one applies to your situation.
This article answers that question clearly.
I will explain what each framework actually is, what it requires from your organisation, who it applies to, what happens if you ignore it, and — most practically — how to decide which one to prioritise given your geography, industry, and where you are in AI maturity. I will also explain why most serious organisations end up using all three, and how to do that without building three separate compliance programmes.
Let me start with the most important distinction that most summaries miss.

The Single Most Important Distinction — Law vs. Standard vs. Framework
Quick answer: The EU AI Act is legally binding law with financial penalties. ISO/IEC 42001 is a voluntary international standard you can get certified against. NIST AI RMF is a voluntary guidance document with no certification and no penalties. These are fundamentally different things.
Before comparing features, requirements, or scope, you need to understand what category each of these sits in. Getting this wrong leads to serious misjudgements about compliance priority.
The EU AI Act is a regulation. It was formally adopted in 2024, entered into force in August 2024, and is being phased in through a staggered enforcement schedule running through 2027. It applies across all 27 EU member states without any national legislation needed to give it force. It carries financial penalties that exceed even the GDPR at their maximum — up to €35 million or 7% of global annual turnover for the most serious violations. If you operate in the EU market or your AI systems produce outputs that affect EU residents, this is not optional. Non-compliance is not a governance gap — it is a legal exposure.
ISO/IEC 42001 is a standard. Published in December 2023, it is the world’s first international standard specifically for AI Management Systems. Like ISO 27001 for information security and ISO 9001 for quality management, it defines requirements that organisations can implement and then verify through independent third-party audits. Certification is voluntary — no law currently requires it. But certification demonstrates to customers, partners, and regulators that your AI governance is independently verified rather than self-assessed. In procurement contexts and in EU market relationships, this distinction matters significantly.
NIST AI RMF is a framework. Published by the US National Institute of Standards and Technology in January 2023, it is a structured guidance document that helps organisations understand and manage AI-related risks. There is no certification pathway. There are no penalties for not following it. There is no audit. It is a practical playbook that organisations can adapt to their specific context. Despite being entirely voluntary, it has become the de facto reference point for AI risk management across US federal agencies, and multiple regulators — including the FTC, CFPB, FDA, and SEC — reference its principles in their own guidance.
Understanding these three categories explains everything that follows. Mandatory regulation requires compliance regardless of preference. Certifiable standards provide verified assurance that creates market differentiation. Voluntary frameworks provide structured guidance that builds internal capability.

What the EU AI Act Actually Requires — The Practical Obligations
Quick answer: The EU AI Act classifies AI systems into four risk levels — unacceptable, high, limited, and minimal — and imposes obligations proportional to that classification. Unacceptable uses are banned. High-risk systems face the most demanding requirements. Most organisations’ exposure depends on what their AI does, not just what it is.
The EU AI Act covers the entire EU market for AI systems. It applies based on what your AI system does and whether it affects EU residents — not where your company is headquartered. A US company using hiring algorithms for European employees, a Canadian company using credit scoring for European customers, or an Asian company providing AI to European healthcare providers — all fall within scope.
The four risk categories:
Unacceptable risk systems are banned entirely. These include AI that manipulates human behaviour using subliminal techniques, social scoring systems operated by governments or private entities, real-time biometric identification in public spaces (with narrow law enforcement exceptions), and AI that exploits the vulnerabilities of specific groups. These prohibitions were enforceable from February 2, 2025. The penalties for violations are at the maximum level — up to €35 million or 7% of global annual turnover, whichever is higher.
High-risk systems face the most significant compliance obligations. Annex III of the Act lists the categories: biometric identification and categorisation, management and operation of critical infrastructure, education and vocational training systems, employment and recruitment tools, access to essential private and public services (including credit scoring), law enforcement, migration and border control, and administration of justice. AI used in hiring algorithms, credit decisions, medical diagnostics, educational assessments — if your organisation uses AI in these areas and it affects EU residents, these are your primary compliance obligations.
For high-risk systems, the obligations are substantial. They include maintaining documented risk management systems throughout the AI lifecycle, implementing data governance practices covering training data quality and appropriateness, maintaining complete technical documentation that regulators can review, automatic logging of system operations for audit trails, transparency obligations toward deployers and affected persons, human oversight mechanisms that allow humans to monitor and intervene in AI decisions, and accuracy and robustness requirements.
The most critical enforcement deadline for most organisations is August 2, 2026, when requirements for Annex III high-risk AI systems become fully enforceable. Note: the European Commission proposed a “Digital Omnibus” package in late 2025 that could potentially extend certain deadlines to December 2027, but this remains a proposal under negotiation. Prudent compliance planning treats August 2026 as the binding deadline.
Limited risk systems — such as chatbots and AI-generated content — primarily face transparency obligations. Users must be informed when they are interacting with AI, and AI-generated content must be labelled.
Minimal risk systems — the vast majority of AI applications — face no specific obligations under the Act, though voluntary codes of conduct are encouraged.
What this means practically:
The EU AI Act requires organisations to first know what AI they have. Over half of organisations still lack a systematic inventory of AI systems in production or development. Without knowing what AI exists, risk classification is impossible and compliance planning cannot begin. The first concrete step for any organisation in scope is building that inventory.

What NIST AI RMF Actually Contains — The Four Functions Explained
Quick answer: NIST AI RMF organises AI risk management into four functions — Govern, Map, Measure, and Manage. It is not a checklist. It is a flexible structure that organisations adapt to their specific context. It has no compliance requirement and no auditor. It is the thinking tool you use to build your internal AI risk capability.
The NIST AI Risk Management Framework was developed through extensive collaboration with industry, academia, and government. It is designed to work for any organisation of any size in any sector — which means it is deliberately non-prescriptive. It tells you what good AI risk management looks like without telling you exactly how to achieve it.
The four core functions work like this:
Govern establishes the organisational environment for AI risk management. This means policies, accountability structures, defined roles and responsibilities, culture, and continuous improvement processes. Governance applies across the entire AI lifecycle. If no one in your organisation is accountable for AI risk, you cannot effectively manage it. Govern creates that accountability infrastructure.
Map builds understanding of your AI systems and their context. Who are the stakeholders? What is the intended purpose? What are the societal and business impacts? What are the system’s limitations? Mapping is where you discover what you actually have and what it actually does — including potential negative impacts you did not intend. For organisations that have never done a systematic AI inventory, Map is where most of the initial work happens.
Measure analyses and monitors AI risks and benefits over time. This covers model performance measurement, bias testing, uncertainty quantification, ongoing monitoring, and evaluating whether the AI system is producing the outcomes you intended. Measurement turns governance from a document exercise into a living process.
Manage is where you prioritise and respond to identified risks. You decide which risks to address, in what order, with what resources. Risk responses get integrated into operational workflows and decision-making. Management includes ongoing monitoring and adjustment as conditions change.
NIST also published a Generative AI Profile (AI 600-1) that extends the framework to the specific risks of generative AI systems — including 12 risk categories specific to large language models and foundation models. For organisations using ChatGPT, Claude, Gemini, or similar tools in their operations, this profile provides more targeted guidance than the core framework alone.
What NIST AI RMF actually gives you:
The NIST AI RMF is most valuable as an internal capability-building tool. It helps your team develop a common language for AI risk. It provides structured questions to ask about any AI system. It gives you a framework for ongoing risk management rather than point-in-time compliance. And it is widely referenced enough that using it demonstrates to regulators, partners, and customers that your AI risk management approach is grounded in recognised best practice — even though no one is auditing your conformance.
In the US federal government context, NIST AI RMF alignment is increasingly expected for contractor and vendor relationships. Multiple US regulatory agencies reference it explicitly. For US-focused organisations without EU market exposure, NIST AI RMF is the foundational starting point for AI governance.

What ISO/IEC 42001 Actually Requires — The Management System Approach
Quick answer: ISO/IEC 42001 requires you to build a documented AI Management System covering your entire AI lifecycle — from planning and design through deployment, monitoring, and improvement. It follows the same clause structure as ISO 27001 and ISO 9001, making integration with existing management systems relatively straightforward. Certification requires independent third-party audit.
ISO/IEC 42001 is built on the ISO Harmonized Structure (Annex SL) — the same framework used by ISO 27001, ISO 9001, ISO 14001, and most other ISO management system standards. This design choice matters practically. If your organisation already holds ISO 27001 certification, you already have the management system infrastructure — documentation practices, internal audit processes, management review mechanisms, continuous improvement cycles — that ISO 42001 builds on.
The standard covers Clauses 4 through 10:
Clause 4 — Understanding the organisation and its context. What is your organisation’s role in the AI ecosystem? What are the internal and external factors relevant to your AI activities? Who are the interested parties and what do they need from you? This includes understanding your organisation’s impact on individuals and society — not just the risks to the organisation itself.
Clause 5 — Leadership. Top management must demonstrate commitment to the AI management system. An explicit AI policy must be established. Roles and responsibilities must be assigned and communicated. Leadership in ISO 42001 is not passive approval — it requires active engagement from senior executives.
Clause 6 — Planning. Risk and opportunity assessments for your AI activities. Specific AI impact assessments. Setting objectives for the management system and planning how to achieve them. This is where you formally define what good AI governance looks like for your organisation.
Clause 7 — Support. Resources, competence, awareness, communication, and documented information. This includes AI literacy requirements — your staff need to understand AI systems relevant to their work.
Clause 8 — Operation. This is the heart of the standard — how you actually control your AI development, procurement, deployment, and monitoring processes. Annex A provides a library of controls covering AI system design, data management, transparency, accountability, third-party relationships, and more. Unlike the mandatory clause requirements, Annex A controls are selected based on your specific risk assessment — you choose which controls apply to your context.
Clause 9 — Performance evaluation. Internal audits, management reviews, and monitoring of AI system performance. You must have mechanisms to know whether your management system is working.
Clause 10 — Improvement. Nonconformity management and continual improvement. When something goes wrong, you have a documented process to address it and prevent recurrence.
What makes ISO 42001 different from NIST AI RMF:
ISO 42001 requires evidence. A NIST AI RMF implementation can exist primarily in people’s heads or in informal practices. ISO 42001 certification requires documented procedures, records, audit trails, and the ability to demonstrate conformance to an external auditor. This documentation burden is also an asset — it forces clarity about who is responsible for what, and it creates the evidence base that regulators and enterprise customers increasingly expect.
An important distinction that ISO itself highlights: ISO 42001 is outward-looking in a way that ISO 27001 is not. Information security management focuses primarily on protecting the organisation’s assets. AI management requires considering the impact of AI systems on individuals outside the organisation — customers, affected communities, society broadly. This broader accountability scope reflects the nature of AI risk.
Certification timeline:
Most organisations take 4 to 6 months from programme initiation to initial certification, assuming they have existing ISO management system infrastructure. Organisations building from scratch should expect 9 to 12 months. Two-stage external audits are conducted by accredited certification bodies.

Side-by-Side Comparison — What Each Framework Does and Does Not Do
Quick answer: Three different tools serving three different purposes. The EU AI Act tells you what you must not do and what you must do. NIST AI RMF tells you how to think about AI risk. ISO 42001 tells you how to build a system that manages AI risk sustainably. All three are needed for comprehensive AI governance.
| | EU AI Act | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|---|
| Type | Mandatory regulation | Voluntary framework | Voluntary certifiable standard |
| Legally binding? | Yes — for EU-connected orgs | No | No |
| Certifiable? | No (conformity assessment for high-risk) | No | Yes — third-party certification |
| Penalties for non-compliance | Up to €35M or 7% global revenue | None | None |
| Geographic scope | EU market + extraterritorial reach | Global but US-weighted | Global |
| Who it primarily addresses | Providers and deployers of AI in EU | Any organisation using or developing AI | Any organisation using or developing AI |
| Primary purpose | Legal compliance and safety | Risk identification and management | Documented, auditable governance |
| Key enforcement date | August 2, 2026 (high-risk systems) | Ongoing — no deadline | After certification audit |
| Overlap with others | ~70% with NIST and ISO 42001 | ~70% with EU AI Act and ISO 42001 | ~70% with EU AI Act and NIST |
| Implementation time | 6-12 months for high-risk compliance | 2-4 months baseline | 4-6 months to certification |
| Generative AI specific guidance? | GPAI provisions (August 2025 active) | AI 600-1 Generative AI Profile | Limited — covered through risk assessment |
The approximately 70% overlap figure across all three frameworks is important. It means building one governance foundation and mapping to all three frameworks simultaneously is significantly more efficient than running three separate compliance programmes.

Which Framework Does Your Organisation Actually Need — The Decision Guide
Quick answer: Your geography, your AI use cases, and where you are in governance maturity together determine where to start. But for most serious organisations, the realistic answer is eventually all three — just in the right sequence.
Let me walk through the most common organisational situations.
Situation 1: US-based organisation, no EU customers or operations, early-stage AI governance
Start with NIST AI RMF. It is flexible, fast to implement, does not require certification overhead, and aligns with how US regulatory agencies and federal procurement think about AI risk. Build your internal capability using the four functions as your structure. Use the Generative AI Profile if you are deploying foundation model-based tools.
Do not start with ISO 42001 if you have no governance foundation — the management system requirements will outpace your actual AI maturity. Do not start with the EU AI Act unless you anticipate EU market entry in the next 18 to 24 months.
Situation 2: Organisation operating in or serving EU customers
The EU AI Act is not optional. Start with understanding your regulatory exposure immediately. Build your AI system inventory. Classify every system against the risk tiers. For any system that falls into Annex III high-risk categories, begin conformity assessment preparation now — the August 2026 deadline is not distant if you are starting from scratch. Conformity assessment alone takes 6 to 12 months.
While building EU AI Act compliance, use NIST AI RMF as the risk management methodology that structures your documentation and risk assessment work. The frameworks are complementary — NIST gives you the analytical depth, the EU AI Act tells you where documentation is legally required.
Situation 3: Organisation selling AI products or services to enterprise customers
ISO 42001 certification is becoming a meaningful differentiator and, in some procurement processes, a requirement. Enterprise customers in regulated industries are increasingly asking vendors to demonstrate independently verified AI governance rather than accepting self-assessment. If your customers are in financial services, healthcare, or public sector — or if you are selling into EU markets — pursue ISO 42001 certification.
Use NIST AI RMF to build your internal risk management capability first, then formalise and certify it through ISO 42001. The sequencing reduces rework.
Situation 4: Multinational organisation with EU operations and US operations and global customer base
You need all three. The EU AI Act covers your legal obligations in EU jurisdictions. NIST AI RMF covers your US regulatory exposure and provides the risk management methodology. ISO 42001 certification provides the internationally recognised assurance that customers and partners across geographies accept as evidence of governance maturity.
The most efficient path: build one unified governance programme using NIST AI RMF as the operational framework, structure it as an ISO 42001-compliant management system, and ensure it satisfies EU AI Act requirements through a crosswalk that maps your controls to the specific Articles and Annexes that apply to your AI systems.
Situation 5: Small or mid-sized organisation with limited AI governance resources
Start with NIST AI RMF — specifically the Quick Start Guides and the Playbook, which are free and designed for organisations with limited prior governance infrastructure. Do not attempt to pursue ISO 42001 certification in parallel with EU AI Act compliance if resources are constrained — sequence them. Get NIST-based governance functioning first. Use it to prepare for EU AI Act compliance if applicable. Pursue ISO 42001 certification when the governance programme is mature enough to pass an audit.

How to Use All Three Together Without Building Three Separate Programmes
Quick answer: Build one unified AI governance programme using NIST AI RMF as the operating methodology, ISO 42001 as the management system structure, and EU AI Act requirements as the legal overlay. Approximately 70% of requirements overlap — collect evidence once and map it to all three frameworks.
The mistake most organisations make is treating these as competing compliance projects with separate teams, separate documentation, and separate evidence bases. That approach is expensive, produces duplicated work, and creates inconsistencies across your governance documentation.
The smarter approach is a layered architecture:
Layer 1 — NIST AI RMF as your risk management foundation
Use the four functions — Govern, Map, Measure, Manage — as the operating model for your AI governance programme. The flexibility of NIST means you can implement it relatively quickly and adapt it as your AI portfolio grows. Use the Generative AI Profile for any foundation model deployments.
This layer gives every AI system a documented risk assessment, a responsible owner, ongoing monitoring, and a process for responding to emerging risks.
Layer 2 — ISO 42001 as your management system structure
Once your NIST-based risk management is functioning, formalise it into the documented, auditable structure that ISO 42001 requires. Most of what you built for NIST — risk assessments, governance policies, monitoring processes, accountability structures — maps directly to ISO 42001 clauses with relatively minor additions and formalisation.
The addition of ISO 42001 certification transforms your internal programme into something an external auditor can verify and that customers and regulators can trust without having to inspect your internal processes directly.
Layer 3 — EU AI Act as your legal compliance overlay
For any AI system in scope of the EU AI Act, run a gap analysis against the specific Articles that apply to your risk classification. Annex IV technical documentation requirements, Article 9 risk management systems, Article 10 data governance, Article 12 logging — these are specific, prescriptive requirements that sit on top of your NIST and ISO governance foundation.
Because 70% of documentation and operational requirements across all three frameworks overlap, most of what you built for NIST and ISO 42001 already satisfies the EU AI Act’s requirements. The gap analysis focuses on what is unique to the EU AI Act — the specific documentation formats, the conformity assessment process, the EU database registration, the post-market monitoring requirements.

The cross-framework register that makes this work:
For each AI system, maintain a single register capturing: the system name and purpose; its EU AI Act risk classification; which NIST AI RMF functions have been applied; which ISO 42001 Annex A controls are in scope; the responsible owner; the current compliance status across all applicable frameworks; any outstanding gaps; and where the evidence documentation lives.
This register serves all three frameworks simultaneously. It satisfies ISO 42001’s Clause 8 requirements for operational planning, supports NIST AI RMF’s Map and Govern functions, and provides the AI system inventory required for EU AI Act compliance. Maintained with quarterly reviews, it keeps your governance current as your AI portfolio changes.
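As an added illustration (not the author's tooling or any vendor's product), the register described above modelled in Python: each row carries the fields the article lists, the EU AI Act tier is derived from the article's Annex III and prohibited-practice lists, and the "outstanding gaps" and "compliance status" columns are computed from which NIST functions, ISO 42001 Annex A controls and EU evidence items are actually present. The system names, owners, evidence paths and the Annex A control identifier are constructed placeholders.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class RiskTier(str, Enum):
    UNACCEPTABLE = "unacceptable"
    HIGH = "high"
    LIMITED = "limited"
    MINIMAL = "minimal"


# Annex III high-risk areas, using the article's own list.
ANNEX_III = {
    "biometric identification", "critical infrastructure", "education",
    "employment", "essential services", "law enforcement",
    "migration and border control", "administration of justice",
}
# Practices the article describes as banned outright (unacceptable risk).
PROHIBITED = {
    "subliminal manipulation", "social scoring",
    "real-time public biometric identification", "exploiting vulnerable groups",
}
# Uses the article places in the limited (transparency-only) tier.
TRANSPARENCY_ONLY = {"chatbot", "ai-generated content"}

NIST_FUNCTIONS = ("Govern", "Map", "Measure", "Manage")
# Evidence items the article names for Annex III high-risk systems.
HIGH_RISK_EVIDENCE = (
    "Art 9 risk management", "Art 10 data governance",
    "Art 12 logging", "Annex IV technical documentation",
)
LIMITED_RISK_EVIDENCE = ("Art 50 transparency",)


def classify(use_case: str, affects_eu_residents: bool) -> RiskTier | None:
    """EU AI Act tier for a use case; None when no EU residents are affected."""
    if not affects_eu_residents:
        return None  # outside the Act's (extraterritorial) scope
    if use_case in PROHIBITED:
        return RiskTier.UNACCEPTABLE
    if use_case in ANNEX_III:
        return RiskTier.HIGH
    if use_case in TRANSPARENCY_ONLY:
        return RiskTier.LIMITED
    return RiskTier.MINIMAL


@dataclass
class RegisterEntry:
    """One row of the cross-framework register described in the article."""
    name: str
    purpose: str
    use_case: str
    affects_eu_residents: bool
    owner: str | None
    nist_functions_applied: set[str] = field(default_factory=set)
    iso_controls_in_scope: set[str] = field(default_factory=set)
    # requirement or control -> where the evidence lives (constructed paths)
    evidence: dict[str, str] = field(default_factory=dict)

    @property
    def eu_risk_tier(self) -> RiskTier | None:
        return classify(self.use_case, self.affects_eu_residents)


def outstanding_gaps(entry: RegisterEntry) -> list[str]:
    """Derive open items across all three frameworks from one register row."""
    gaps: list[str] = []
    if not entry.owner:
        gaps.append("no responsible owner (NIST Govern / ISO 42001 Clause 5)")
    tier = entry.eu_risk_tier
    if tier is RiskTier.UNACCEPTABLE:
        gaps.append("EU AI Act: prohibited practice, cannot be deployed for EU residents")
    required = {RiskTier.HIGH: HIGH_RISK_EVIDENCE,
                RiskTier.LIMITED: LIMITED_RISK_EVIDENCE}.get(tier, ())
    for req in required:
        if req not in entry.evidence:
            gaps.append(f"EU AI Act ({tier.value} risk): no evidence for {req}")
    for fn in NIST_FUNCTIONS:
        if fn not in entry.nist_functions_applied:
            gaps.append(f"NIST AI RMF: {fn} not yet applied")
    for ctrl in sorted(entry.iso_controls_in_scope):
        if ctrl not in entry.evidence:
            gaps.append(f"ISO 42001: Annex A control {ctrl} in scope but not evidenced")
    return gaps


def compliance_status(entry: RegisterEntry) -> str:
    """Single status word for the register's 'current compliance status' column."""
    if entry.eu_risk_tier is RiskTier.UNACCEPTABLE:
        return "blocked"
    return "compliant" if not outstanding_gaps(entry) else "gaps open"


# Constructed sample register: names, owners, paths and the control id are placeholders.
SAMPLE_REGISTER = [
    RegisterEntry("CV Screener", "ranks job applicants", "employment", True, "Head of HR",
                  {"Govern", "Map", "Measure"}, {"A-control-placeholder"},
                  {"Art 9 risk management": "gov/cv-screener/risk.md",
                   "Art 10 data governance": "gov/cv-screener/data.md",
                   "Annex IV technical documentation": "gov/cv-screener/techdoc/",
                   "A-control-placeholder": "gov/cv-screener/controls.md"}),
    RegisterEntry("Support Bot", "answers customer questions", "chatbot", True, "Support Lead",
                  set(NIST_FUNCTIONS), set(), {"Art 50 transparency": "gov/support-bot/notice.md"}),
    RegisterEntry("Code Assist", "internal code completion", "software development", False,
                  None, {"Govern"}, set(), {}),
]


def report(register: list[RegisterEntry]) -> dict[str, str]:
    """Map each system name to its cross-framework compliance status."""
    return {e.name: compliance_status(e) for e in register}


if __name__ == "__main__":
    for entry in SAMPLE_REGISTER:
        tier = entry.eu_risk_tier
        print(f"{entry.name}: tier={tier.value if tier else 'out of scope'}, "
              f"status={compliance_status(entry)}")
        for gap in outstanding_gaps(entry):
            print("  -", gap)
```

Note that a system outside the Act's scope still shows gaps when NIST functions or an owner are missing, which is the point of a single register serving all three frameworks.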

The Enforcement Reality Check — What Is Actually Happening in 2026
Quick answer: EU AI Act enforcement is real and accelerating. Only 8 of 27 EU member states had fully designated enforcement authorities by early 2026 — but Finland was already active in January 2026, and others are coming online throughout the year. The penalty structure creates board-level attention at any company size.
One question I hear frequently: “Are they actually going to enforce this?”
The honest answer is: yes, enforcement is coming, the infrastructure is building, and the timeline is shorter than most organisations assume.
What is already enforceable:
The prohibition on unacceptable-risk AI practices has been enforceable since February 2, 2025. Multiple investigations are reportedly underway for workplace emotion recognition and social scoring applications, though no public penalties have been announced as of the time of writing.
GPAI model obligations — applying to providers of general-purpose AI models like foundation models — became active on August 2, 2025. Major AI providers including Microsoft, Google, Amazon, OpenAI, and Anthropic signed the GPAI Code of Practice in August 2025.
What becomes enforceable on August 2, 2026:
The majority of the remaining EU AI Act provisions — including the full set of high-risk system requirements under Annex III — become enforceable. Transparency obligations under Article 50 (labelling AI-generated content) also activate. Every EU member state must have at least one AI regulatory sandbox operational.
The enforcement gap:
Only 8 of 27 EU member states had formally designated their single point of contact by early 2026 — a significant gap in the enforcement infrastructure. This creates real variation in enforcement pressure across the EU. A company operating in Finland faces an active, fully operational national regulator. A company operating in a member state still establishing its AI office faces practical enforcement risk that is lower today but not zero. The penalty framework exists regardless of whether the enforcement authority is fully operational.
The practical implication: the enforcement timeline is real and the penalty structure is serious. But enforcement pressure will be uneven across the EU throughout 2026. This is not a reason to delay compliance — it is a reason to prioritise based on your specific national exposure and the severity of your potential penalties.
A note on the Digital Omnibus:
In November 2025, the European Commission proposed the Digital Omnibus package, which could extend high-risk enforcement deadlines to December 2027 — but only conditionally, tied to the availability of harmonised standards. This proposal is still under negotiation. The European Parliament was scheduled to vote on its position in March 2026. Even if adopted, backstop dates ensure enforcement happens regardless. The prudent approach: treat August 2026 as your planning deadline and benefit from any extension as a buffer rather than a primary strategy.


The Most Common Mistakes Organisations Make With AI Governance Frameworks
Mistake 1: Treating EU AI Act compliance as a legal department problem
The EU AI Act’s requirements touch every function that touches AI — engineering for technical documentation and logging, data teams for data governance, HR for the employment-related high-risk categories, legal for conformity assessment, compliance for ongoing monitoring. Organisations that route it exclusively through legal find themselves unable to implement the technical requirements on time.
Mistake 2: Skipping the AI inventory
You cannot classify, assess, or govern what you cannot find. Over half of organisations still lack a systematic inventory of AI systems in production. This is not a technical problem — it is an organisational one. Solving it requires a process for identifying all AI systems regardless of where they sit in the business, including AI tools embedded in third-party software and AI used by employees without IT involvement.
Mistake 3: Pursuing ISO 42001 certification before governance is mature enough
ISO 42001 certification through an external audit requires documented evidence of a functioning management system. Organisations that rush to certification before their governance programme is genuinely operational fail their first audit or receive a conditional certification with significant non-conformities. Build the governance capability first. Certify it when it is real.
Mistake 4: Running parallel compliance programmes
Building separate documentation packages for NIST AI RMF, ISO 42001, and the EU AI Act is the most expensive and least sustainable approach. The 70% overlap means a unified evidence base serves all three. Build integrated, not parallel.
Mistake 5: Assuming agentic AI is covered
None of the three frameworks was originally designed for agentic AI — AI systems that autonomously take actions, use tools, browse the web, write and execute code, or operate with significant autonomy. Singapore released the only governance document directly addressing autonomous agents as of early 2026. If your organisation is deploying agentic AI systems, you are operating in governance territory that current frameworks cover only partially. Document your specific risk assessments for agentic systems explicitly and build human oversight mechanisms appropriate to the autonomy level of the systems you are deploying.

The Right Sequence — Where to Start and What to Build Next
Quick answer: Start with NIST AI RMF for risk management foundation. Add ISO 42001 structure when you need certifiable verification. Layer EU AI Act compliance as a legal obligation if you have EU exposure. The sequence matters — starting with the wrong layer wastes resources.
Step 1 — Build your AI inventory (before anything else)
Every framework requires knowing what AI you have. This is the universal prerequisite. Assign an owner. Survey every business unit. Document every AI system — purchased, built, embedded in vendors, or used by employees. Include the AI features inside your existing software stack (hiring platforms, CRM tools, financial systems) — these may carry EU AI Act implications even if you did not build them.
Step 2 — Classify against EU AI Act risk tiers (if in scope)
If your organisation operates in or serves EU markets, classify every AI system against the EU AI Act risk tiers immediately. This classification determines your compliance obligations and timeline. For any system that falls into Annex III high-risk, start the conformity assessment process now.
Step 3 — Implement NIST AI RMF across your AI portfolio
Use the four functions to build your risk management capability. Establish governance structures. Map stakeholders and impacts. Define measurement approaches for your AI systems. Create risk management processes. This takes 2 to 4 months for baseline implementation and gives you the analytical foundation everything else builds on.
Step 4 — Formalise into ISO 42001 structure
Once NIST-based governance is functioning, structure it into the documented management system ISO 42001 requires. Add the missing elements — formal AI policy, documented procedures, internal audit programme, management review process. Pursue third-party certification when the system is mature enough to withstand external scrutiny.
Step 5 — Maintain the cross-framework register
Ongoing governance is not a project — it is a process. The cross-framework register, reviewed quarterly, keeps your governance current as your AI portfolio evolves, as EU AI Act guidance develops through delegated acts and codes of practice, and as NIST publishes additional profiles and resources.

FAQs
Q1: Does the EU AI Act apply to my US company if we have no EU office? Yes. The EU AI Act has extraterritorial reach similar to GDPR. If your AI systems produce outputs used by EU residents — including EU-based employees, EU customers, or EU users of your platform — you are in scope regardless of where your company is headquartered. A US company using AI for credit decisions affecting European customers must comply with the relevant EU AI Act provisions.
Q2: Is ISO/IEC 42001 certification required for EU AI Act compliance? No — ISO 42001 certification is not mandated by the EU AI Act. However, ISO 42001-aligned governance significantly simplifies the documentation and management system requirements that the EU AI Act imposes on high-risk systems. The two frameworks are designed to work together, and EU regulators are expected to recognise ISO 42001 certification as evidence of mature AI governance in practice.
Q3: Can a small organisation implement NIST AI RMF without dedicated AI governance staff? Yes. NIST publishes free Quick Start Guides specifically designed for small organisations, startups, and teams without dedicated compliance resources. The framework is explicitly designed to scale — a small company using one AI tool has different implementation needs than a multinational with hundreds of AI systems. Start with the elements most relevant to your specific AI use cases.
Q4: What is the difference between EU AI Act conformity assessment and ISO 42001 certification? EU AI Act conformity assessment is a legal compliance process — for some high-risk AI systems, it involves third-party review; for others, self-assessment is permitted. It results in a CE marking and EU database registration, not a certification. ISO 42001 certification is a voluntary quality assurance process conducted by an accredited certification body. It results in a certificate demonstrating that your AI management system meets the standard’s requirements. Both involve external review, but they serve different purposes and produce different outcomes.
Q5: How long does NIST AI RMF implementation take compared to ISO 42001 certification? NIST AI RMF baseline implementation typically takes 2 to 4 months, depending on your existing risk management infrastructure and the size of your AI portfolio. ISO 42001 certification typically takes 4 to 6 months for organisations with existing ISO management system infrastructure (like ISO 27001), or 9 to 12 months for organisations building from scratch. EU AI Act compliance for high-risk systems requires 6 to 12 months, with conformity assessment being the longest single element.
Q6: Do the penalties in the EU AI Act apply to every company equally regardless of size? The penalty structure scales with company size. Maximum fines are expressed as the higher of a fixed amount or a percentage of global annual turnover — which means larger companies face proportionally larger maximum penalties. The EU AI Act also has specific provisions acknowledging the burden on SMEs and providing some flexibility in implementation approaches, though the core obligations still apply.
Q7: What does NIST AI RMF’s Generative AI Profile (AI 600-1) add beyond the core framework? The Generative AI Profile identifies 12 AI risk categories specific to generative AI and large language models: confabulation (hallucination), data privacy, human-AI configuration, information security, intellectual property, obscene or abusive content, societal impacts, value chain and component integration, harmful bias and homogenisation, data provenance, accountability gaps, and environmental impacts. It provides specific subcategories and suggested actions for each risk category, making it significantly more actionable for organisations deploying LLM-based tools than the core framework alone.
Q8: If I already have ISO 27001, how much additional work does ISO 42001 require? Organisations with mature ISO 27001 implementations have a significant head start. The Harmonized Structure is shared, so governance infrastructure, internal audit programmes, management review processes, and documentation practices all carry over. The additional work focuses on AI-specific elements: understanding AI system context and stakeholder impacts, AI impact assessments, AI-specific controls from Annex A, AI lifecycle management procedures, and the broader accountability scope that extends beyond organisational boundaries. Most ISO 27001-certified organisations should expect the additional effort for ISO 42001 to be roughly 40 to 60 percent of what a greenfield implementation would require.
Q9: What AI uses are completely banned under the EU AI Act? Systems banned since February 2, 2025 include: AI that deploys subliminal techniques to manipulate behaviour outside a person’s awareness; AI that exploits vulnerabilities of specific groups (age, disability) to distort behaviour; social scoring systems by public or private actors; real-time remote biometric identification in public spaces (with narrow law enforcement exceptions); retrospective remote biometric identification (with judicial authorisation exceptions); AI used to infer emotions in workplace or educational settings (with some exceptions); and untargeted scraping of facial images from the internet or CCTV for facial recognition databases.
Q10: Do I need a lawyer to implement these frameworks, or can my internal team do it? You need both. Internal teams can implement NIST AI RMF, build ISO 42001-compliant management systems, and manage the operational dimensions of EU AI Act compliance. Legal counsel is specifically needed for: EU AI Act risk classification decisions for borderline cases, conformity assessment requirements for your specific systems, interpretation of the extraterritorial scope, GDPR-AI Act overlap analysis, and understanding which national member state authority applies to your operations. The frameworks themselves are implementable by compliance professionals and technical teams. The legal interpretation of how they apply to specific AI systems and business relationships requires qualified regulatory counsel.