AI Governance · Comparison

ISO 42001 vs NIST AI RMF: Which AI Governance Framework Do You Need?

Both help organisations manage AI responsibly — but they are different tools. ISO/IEC 42001 is a certifiable management system standard; the NIST AI RMF is a voluntary risk framework. Here is how they compare, when to use each, and how they work best together.

ISO/IEC 42001:2023
Certifiable international standard
NIST AI RMF 1.0
Voluntary U.S. risk framework
Better together
RMF practice inside a certified AIMS
Quick answer

ISO/IEC 42001 and the NIST AI RMF are complementary, not competitors. The NIST AI RMF is a free, voluntary framework that gives you a shared vocabulary and practices for identifying and managing AI risk. ISO/IEC 42001 is a certifiable management system standard: it turns those practices into an auditable system that an independent body can certify. If you need to prove responsible AI governance to customers, partners or regulators, ISO 42001 certification is the credential; the RMF is an excellent way to operationalise the risk thinking inside it.

The two frameworks

What Each One Is

Certifiable standard

ISO/IEC 42001:2023

Published in December 2023 by ISO and IEC, ISO/IEC 42001 is the world’s first certifiable Artificial Intelligence Management System (AIMS) standard.

  • Management-system requirements in the ISO harmonised structure (clauses 4–10)
  • Annex A reference controls with Annex B implementation guidance
  • AI risk assessment and AI impact assessment on individuals and society
  • Independent third-party certification, with audit time set by ISO/IEC 42006:2025 based on your AI role (producer, provider or user)
  • Integrates with ISO/IEC 27001, ISO 9001 and other ISO management systems
Voluntary framework

NIST AI RMF 1.0

Released in January 2023 by the U.S. National Institute of Standards and Technology, the AI Risk Management Framework is a voluntary, free framework for managing risks of AI systems.

  • Four core functions: Govern, Map, Measure, Manage
  • Focus on trustworthy-AI characteristics: valid, safe, secure, accountable, transparent, privacy-enhanced, fair
  • Companion Playbook plus a Generative AI Profile for GenAI-specific risks
  • No certification — adoption is self-directed and self-attested
  • Widely referenced in U.S. government and enterprise procurement
Side by side

ISO 42001 vs NIST AI RMF at a Glance

Comparison — ISO/IEC 42001:2023 vs NIST AI RMF 1.0
DimensionISO/IEC 42001:2023NIST AI RMF 1.0
What it isCertifiable AI management system (AIMS) standardVoluntary AI risk management framework
Published byISO/IEC (international), December 2023U.S. NIST, January 2023
CertificationYes — independent, accredited third-party audit and certificateNo — self-adoption; no formal attestation exists
StructureClauses 4–10 + Annex A controls + implementation guidanceFour functions (Govern, Map, Measure, Manage) + Playbook + profiles
Risk approachAI risk assessment + AI impact assessment, embedded in a PDCA management systemRisk identification and treatment practices organised by function
RecognitionGlobal; strong signal for enterprise procurement and EU AI Act governance readinessStrong in U.S. markets and federal-adjacent procurement
Effort & costBuilding an AIMS + certification audit (role-based audit time under ISO/IEC 42006)Free to adopt; effort scales with how deeply you implement it
Best forOrganisations that must demonstrate responsible AI to customers, partners or regulatorsTeams building internal AI risk practice, or selling into U.S. markets
Decision guide

Which Should You Choose?

Choose ISO 42001

When you need proof

Customers ask for evidence of AI governance in due diligence, tenders demand certification, or you operate where the EU AI Act and similar regulation make demonstrable governance essential. Certification gives you an independent, internationally recognised credential.

Start with NIST AI RMF

When you are building practice

You are early in your AI governance journey, want a free and flexible way to structure risk thinking, or your market is primarily U.S.-based where the RMF is the common reference. It is an excellent on-ramp — without an audit.

Use both

When you want the best of each

Most mature AI governance programmes use RMF-style risk practice inside an ISO 42001 management system: the framework guides how you think about AI risk day-to-day, and the standard makes it systematic, auditable and certifiable.

Better together

How the RMF Maps into ISO 42001

The two are built on the same risk-based thinking — NIST even publishes a crosswalk between them. In practice, each RMF function has a natural home in an ISO 42001 AIMS.

Govern

Leadership, policy & roles

The RMF’s Govern function maps to ISO 42001’s leadership, AI policy, roles and responsibilities, and planning requirements — the parts of the AIMS that set direction and accountability for AI.

Map

Context & impact assessment

Mapping AI systems, their context and their potential impacts lines up with ISO 42001’s requirements to understand context, identify AI systems in scope, and perform AI impact assessments on individuals and society.

Measure

Risk assessment & evaluation

The Measure function’s analysis and tracking of AI risks corresponds to the AIMS risk assessment, performance evaluation, monitoring and internal audit requirements — evidence an ISO 42001 auditor examines.

Manage

Treatment & improvement

Managing and responding to prioritised risks becomes the AIMS risk treatment plan, Annex A controls and continual improvement cycle — closing the loop the RMF opens.

Ready to Make Your AI Governance Certifiable?

Cianaa provides independent auditors for certification across New Zealand and Australia. We audit AI management systems against ISO/IEC 42001 — impartially, without consulting — whether you are starting fresh or formalising an existing NIST AI RMF practice.

Book a Scoping Call →
FAQ

ISO 42001 vs NIST AI RMF — Common Questions

Is the NIST AI RMF certifiable?
No. The NIST AI RMF is a voluntary framework — there is no accredited certification against it. If you need an independent credential for your AI governance, ISO/IEC 42001 is the certifiable standard.
Do ISO 42001 and the NIST AI RMF conflict?
No — they are highly compatible. Both are risk-based and technology-neutral, and NIST publishes a crosswalk mapping the RMF to ISO/IEC 42001. Many organisations use RMF practices to implement the risk requirements of their ISO 42001 management system.
Which is better for EU AI Act readiness?
Neither framework is a legal determination of EU AI Act compliance. However, ISO/IEC 42001’s certifiable management system — covering risk management, impact assessment, transparency and human oversight — is widely used to demonstrate the governance the Act expects, with independent audit evidence behind it.
Does ISO 42001 cover generative AI?
Yes. ISO/IEC 42001 applies to any organisation developing, providing or using AI systems — including generative AI. The NIST AI RMF addresses generative AI through its dedicated Generative AI Profile.
How long does an ISO 42001 certification audit take?
Audit time is set by ISO/IEC 42006:2025 and depends on your AI role — producer, provider or user — and the number of people in scope. Use our audit duration calculator for an indicative figure.
Can we adopt the NIST AI RMF first and certify to ISO 42001 later?
Yes — that is a common and sensible path. RMF adoption builds the risk practice and artefacts (AI inventories, risk registers, impact analyses) that an ISO 42001 management system needs; certifying later formalises the work you have already done.