ISO 42001 vs NIST AI RMF

ISO/IEC 42001:2023 and the NIST AI Risk Management Framework 1.0 are the two most widely adopted AI governance references. They solve different problems, but they are complementary, not competing — most mature AI programs use both.

This page is a side-by-side comparison so you can pick the right starting point and understand how the two fit together.

Quick decision

  • US-headquartered, no EU exposure, no certification pressure → start with NIST AI RMF as a voluntary U.S.-origin baseline. OMB M-25-21 / M-25-22 separately govern federal agency AI use and acquisition and may influence federal buyers, but they do not mandate NIST AI RMF for private-sector entities.
  • EU-headquartered or selling AI products into the EU → ISO/IEC 42001 first as the certifiable management-system shell, layer NIST AI RMF for technical risk depth.
  • Selling AI to US federal agencies → expect buyer-specific AI risk evidence in RFPs, often NIST AI RMF-aligned; NIST AI RMF itself remains voluntary unless contractually incorporated.
  • Operating regulated AI systems (financial services, healthcare, critical infrastructure) → do both. NIST AI RMF as the operating model, ISO 42001 as the audit-ready wrapper.
  • No certification deadline, want a structured starting point → NIST AI RMF first; you can wrap it in an ISO 42001 AIMS later with little rework, because the AIMS wraps the existing risk work rather than replacing it.

TL;DR

  • ISO/IEC 42001:2023 is a certifiable international management-system standard for AI governance. ISO does not certify organizations; certification is carried out by independent certification bodies, which may be accredited by national accreditation bodies. The deliverable is an audit-ready management system plus a third-party assurance signal.
  • NIST AI RMF 1.0 is a voluntary U.S. risk-management framework built around four functions (Govern, Map, Measure, Manage). No certification path exists. The deliverable is an internal operating model.
  • The two are not equivalent and not interchangeable. ISO 42001 codifies the management system; NIST AI RMF describes the risk-management work the system runs on.
  • Consequence: mature programs typically do both — NIST AI RMF as the operating model, ISO 42001 as the certifiable wrapper an auditor can verify.

Side-by-side comparison

| Dimension | ISO/IEC 42001:2023 | NIST AI RMF 1.0 |
|---|---|---|
| Publisher | ISO/IEC (joint) | NIST (U.S. Department of Commerce) |
| Year published | 2023 | 2023 |
| Type | Management system standard | Risk-management framework |
| Legal status | Voluntary | Voluntary |
| Geographic scope | International | Global (U.S. origin) |
| Certifiable? | Yes (third-party audit by a certification body, typically accredited) | No |
| Primary structure | Clauses 4–10 (Annex SL management-system structure) + Annex A reference controls | 4 core functions (Govern, Map, Measure, Manage), categories, subcategories |
| Operating mental model | PDCA (Plan-Do-Check-Act) management system | Continuous risk loop with profiles |
| Risk method | AI risk assessment + AI system impact assessment (Clause 6.1) | Map (identify) → Measure (analyze) → Manage (treat) |
| Documentation driver | AIMS policy, Statement of Applicability, internal audit, management review | Target profile vs current profile, evaluation signals, treatment records |
| Lifecycle coverage | Explicit (Annex A controls for AI system lifecycle) | Explicit (Map + Measure) |
| Third-party / vendor coverage | Annex A controls covering supplier relationships and third-party AI | GOVERN 6, MAP 4, MANAGE 3 |
| GenAI specifics | Through AI system impact assessment + Annex A reference controls | Explicit companion: Generative AI Profile (NIST AI 600-1) |
| Integrates with ISO 27001/27701 | Yes (Annex D; harmonized structure) | Not built-in, but referenced |
| Typical adoption path | 6–15 months to Stage 2 audit | 3–9 months to first operating profile |
| Signal to external parties | Certification logo, audit letter | Program documentation, profile |
| Best for | Procurement, regulatory assurance, vendor trust | Internal operating model, risk-first programs |

How the two frameworks map onto each other

You can treat ISO 42001 and NIST AI RMF as two projections of the same underlying governance work. Here is how the NIST functions typically land in the ISO clause structure.

| NIST AI RMF function | ISO/IEC 42001 home | What sits there |
|---|---|---|
| Govern | Clauses 4–5 (context, leadership) + Annex A controls covering AI policies and internal organization | AI policy, roles, responsibilities, oversight |
| Map | Clause 6.1 risk-and-opportunity planning (AI risk assessment, AI system impact assessment) + Annex A controls covering AI system lifecycle and assessment | Scope of AI system, impacted stakeholders, intended use |
| Measure | Clauses 8–9 (operation, performance evaluation) + Annex A controls covering AI system operation, monitoring, and evaluation | Evaluations, monitoring, measurement of trustworthy characteristics |
| Manage | Clause 6.1 (AI risk treatment) + Clause 10 (improvement) + Annex A controls covering risk treatment, third-party, and supplier relationships | Treatment decisions, corrective action, continual improvement |

The Generative AI Profile (AI 600-1) maps onto the same ISO clauses; it simply adds a GenAI-specific layer of suggested actions.

Where they overlap

ISO 42001 and NIST AI RMF address the same underlying problem — managing AI risk — from different angles. Several concepts are shared, even when the vocabulary differs:

  • AI risk identification and treatment. ISO 42001 Clause 6.1 (risk-and-opportunity planning, including AI risk assessment and treatment) and the AI RMF Map and Manage functions ask the same questions: what risks does this AI system present, in what context, with what impact, and what is the treatment. The AI RMF MAP / MANAGE subcategories provide the analytical surface; the ISO Clause 6.1 family provides the management-system structure that audits against it.
  • AI system impact assessment. ISO 42001 expects an AI system impact assessment as part of Clause 6.1 risk-and-opportunity work; this sits beside the AI RMF MAP 5 (impacts) subcategories — both produce a documented impact assessment, with the ISO version anchored in the audit trail.
  • Continuous improvement. ISO 42001 Clause 10 (improvement) and the AI RMF Manage function both close the loop after issues are detected — the ISO clause adds explicit nonconformity / corrective-action expectations.
  • Documentation and traceability. ISO 42001's Statement of Applicability (produced through AI risk treatment and control selection) plus Clause 7.5 documented information sits alongside the AI RMF profile (target vs current) and treatment records — same evidence, different filing system.
  • Third-party / supplier risk. ISO 42001 Annex A controls covering supplier relationships and third-party AI sit next to AI RMF GOVERN 6 and MANAGE 3.

In practice, a control implemented against an ISO 42001 Annex A reference control typically also satisfies one or more NIST AI RMF subcategories, and vice versa; the relationship is many-to-many, not one-to-one. The cross-framework mapping table above is the implementer's bridge between the two vocabularies. Note that the mapping itself is not evidence: an ISO auditor verifies that the selected control is operating and that its records exist, so each shared control still needs its own documented evidence regardless of how many framework entries it is mapped to.

When to choose which

Choose ISO 42001 first when you need…

  • a third-party audit signal to win enterprise deals or satisfy procurement
  • alignment with existing ISO 27001 / ISO 9001 certifications
  • a single certifiable wrapper for a multi-AI-system portfolio
  • explicit expectations from customers, insurers, or regulators that reference ISO management systems

Choose NIST AI RMF first when you need…

  • a risk-first operating model without an immediate audit deadline
  • guidance specific to generative AI (via AI 600-1) before you commit to a full management system
  • a lightweight way to structure AI risk work inside an existing ISO 27001 ISMS
  • a vocabulary that U.S. regulators, agencies, and enterprise risk teams already use

Do both when you…

  • operate regulated AI systems (financial services, healthcare, public sector)
  • deploy generative AI at scale and need both governance depth and external assurance
  • need to support EU AI Act high-risk provider obligations — ISO 42001 can help structure quality-management-system and post-market monitoring evidence; NIST AI RMF can structure the risk-management evidence. Neither standard / framework substitutes for the Regulation; compliance still depends on role (provider vs deployer), system classification, sectoral route, and the applicable conformity-assessment obligations

What this looks like in Modulos

Modulos is designed around the cross-framework mapping problem: you describe a control once and it satisfies requirements from ISO 42001 Annex A, NIST AI RMF subcategories, and any other framework you attach to the project.

A typical setup:

  1. Organization project — ISO 42001 AIMS program work (Clauses 4–10, management review, internal audit).
  2. AI system projects — NIST AI RMF Map/Measure/Manage per system, with requirements drawn from both the ISO Annex A controls selected for that system and the NIST AI RMF subcategories.
  3. Runtime Inspection — evaluations that feed both ISO Annex A operation / performance evidence and NIST Measure signals.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. References to ISO/IEC 42001:2023 and the NIST AI Risk Management Framework reflect publicly available text at the time of writing; consult the official ISO and NIST sources and qualified legal counsel for binding interpretation in your jurisdiction.