EU AI Act compliance, NIST AI Risk Management Framework adoption and ISO/IEC 42001 certification often arrive as three separate projects. That triples the cost and produces three artefacts saying overlapping things in incompatible language. Treated as one programme with three external artefacts, the work compresses. This piece is the practitioner mapping — written to amplify your in-house expertise.
Why these three travel together
The three frameworks differ in legal weight, but they answer the same underlying questions. The EU AI Act, Regulation (EU) 2024/1689, is binding in the Union and reaches beyond it: under Article 2 it applies to providers outside the EU that place systems on the EU market and to providers and deployers in third countries whose system output is used in the Union. NIST AI RMF is a voluntary framework published by the US National Institute of Standards and Technology. ISO/IEC 42001 is a certifiable management-system standard, the AI equivalent of ISO 27001 for information security.
The shared logic is a risk-management lifecycle: govern, map, measure, and manage risks; document the system, the data, and the oversight; monitor after deployment; feed incidents back. That logic lets one internal programme produce the evidence each framework asks for in its own format.
Practitioners who lead with the programme — not the framework — typically find the AI Act high-risk obligations are the most prescriptive, ISO 42001 controls give the cleanest auditable structure, and NIST AI RMF supplies the language US headquarters expect to see in board materials. None of the three contradicts the others.
Mapping by control area
The five control areas below cover roughly 80% of the overlap. Build the internal programme around these, then produce the framework-specific artefact for each external audience.
| Control area | EU AI Act anchor | NIST AI RMF function | ISO 42001 clause |
|---|---|---|---|
| Risk management | Article 9 — risk-management system across the lifecycle | Govern + Map | 6.1 / 8.2–8.3 AI risk assessment and treatment; Annex A.5 assessing impacts of AI systems |
| Data governance | Article 10 — training, validation, and testing data | Map (data characterisation) | Annex A.7 data for AI systems |
| Transparency & documentation | Articles 11–13 — technical documentation, record-keeping, instructions for use | Map + Measure | Annex A.6 AI system lifecycle / Annex A.8 information for interested parties |
| Human oversight | Article 14 — human oversight measures | Manage | Annex A.9 use of AI systems |
| Post-market monitoring | Article 72 — providers' post-market monitoring system; Article 73 — serious-incident reporting | Manage + Measure | Annex A.6 AI system lifecycle (operation and monitoring) / 9 performance evaluation / 10 improvement |
Notes on the table:
- Risk management is the spine. Article 9 mandates a continuous, iterative risk-management process across the lifecycle for high-risk systems. NIST RMF Govern + Map cover the same ground voluntarily; ISO 42001 Clause 6.1 (risk assessment, risk treatment and AI system impact assessment) plus Annex A.5 is the certifiable structure. Note that ISO 42001 Annex A.4 is "resources for AI systems", not risk management; do not cite it as the risk-management anchor.
- Data governance is where evidence quality matters most. Article 10 sets a high bar on training, validation, and testing data; NIST RMF Map and ISO 42001 Annex A.7 ask for substantively the same evidence in different formats.
- Transparency and documentation map cleanly across all three. A technical file built to Annex IV of the AI Act (system description, design and development process, data, monitoring and control, risk-management system, standards applied) covers most of what NIST Map and Measure and ISO 42001 Annex A.6 and A.8 ask for, with light reformatting.
- Human oversight is where the AI Act is most prescriptive. Article 14 expects defined oversight measures, role-based competence and intervention capability. NIST and ISO take a lighter touch.
- Post-market monitoring is where teams underinvest. Article 72 puts the monitoring system on the provider; Article 73 puts serious-incident reporting on the provider, with deployers obliged to inform the provider when they detect one. Both push the work into day-to-day operations; ISO 42001 Clauses 9 and 10 and NIST RMF Manage point the same way.
What ISO 42001 certification buys you that the Act doesn't
ISO 42001 is a management-system standard, which means an accredited certification body audits your programme and issues a certificate. The Act works differently: conformity assessment under Article 43 is provider self-assessment for most high-risk systems, with a notified body involved only for certain categories, and what is assessed is the individual AI system rather than your organisation-wide management system.
For organisations that already hold ISO 27001 or ISO 9001, ISO 42001 slots in alongside as an AI-specific management system using the familiar high-level structure. The practical value of the certificate is twofold: customers and partners increasingly ask for it in procurement, and the audit discipline forces the programme to stay current.
ISO 42001 does not discharge AI Act obligations. A certified ISO 42001 management system will still need to demonstrate Article 9–15 compliance system-by-system for any high-risk AI in scope. ISO 42001 is not a harmonised standard cited under Article 40, so certification gives no presumption of conformity. The two are complementary, not substitutable.
What NIST AI RMF adds for US-headquartered teams
The NIST AI Risk Management Framework is voluntary, but it carries weight in US contexts that the AI Act and ISO 42001 do not. Federal agencies expect it, US-listed company boards understand it, and US-based auditors and insurers increasingly use it as a reference.
For organisations with US headquarters or significant US operations, NIST AI RMF is the framework that translates the internal programme into language American boards, regulators, and counterparties expect. The Govern–Map–Measure–Manage structure also makes a clean board-level slide, which has internal-comms value disproportionate to the technical effort.
Two cautions. First, NIST AI RMF is voluntary; it does not produce a certificate. Second, it is a framework, not a checklist — the work of operationalising it inside your organisation is the same work the AI Act and ISO 42001 require.
Where to read the source material
- Regulation (EU) 2024/1689 — full text on EUR-Lex — Article 9 (risk management), Article 10 (data governance), Articles 11–13 (documentation and transparency), Article 14 (human oversight), Articles 72–73 (post-market monitoring and incident reporting).
- European Commission AI Act policy page — application timeline.
- NIST AI Risk Management Framework (NIST AI 100-1, version 1.0, January 2023) and its Playbook — published by the US National Institute of Standards and Technology. Check the NIST publications site for the current edition and any profiles before citing it.
- ISO/IEC 42001 — AI management system standard. Available via national standards bodies (BSI in the UK, AFNOR in France, DIN in Germany) or the ISO store directly.
Map your frameworks with the Gap Analyser → /tools/gap-analyser
Or generate your AI policy → /tools/policy-generator
Qualified review still required. Outputs are AI-generated starting-point documents — not a substitute for qualified legal or compliance advice.