
ISO 42001 and NIST AI RMF: Which Framework Should You Use?

Two major AI governance frameworks have emerged as standards. Here's how they compare, when to use each, and how to leverage both.

Tenlines Team · 10 min read

The Two Frameworks

NIST AI Risk Management Framework (AI RMF)

Released in January 2023 by the National Institute of Standards and Technology, the AI RMF provides voluntary guidance for managing AI risks. It's principles-based, flexible, and designed to complement existing risk management practices.

Structure: Four core functions — Govern, Map, Measure, Manage — each with categories and subcategories that guide AI risk management activities.

Nature: Voluntary framework with no certification. Organizations self-assess their implementation.

Scope: Applies to AI systems throughout their lifecycle, from design through deployment and monitoring.

Legal relevance: Colorado's AI Act specifically references "nationally or internationally recognized risk management frameworks" for its affirmative defense, making NIST AI RMF compliance legally meaningful.

ISO/IEC 42001

Published in December 2023, ISO 42001 is the first international standard for AI management systems. It follows ISO's familiar management system structure, similar to ISO 27001 for information security.

Structure: Requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS).

Nature: Certifiable standard. Organizations can achieve third-party certification demonstrating conformity.

Scope: Addresses organizations that provide or use AI systems, covering governance, risk management, and lifecycle management.

Legal relevance: As an international standard, ISO 42001 certification provides strong evidence of governance maturity for regulatory compliance and business relationships.

Key Differences

Certification vs. Self-Assessment

ISO 42001 enables third-party certification. An accredited certification body audits your AI management system and, if conforming, issues a certificate. This provides external validation that carries weight with regulators, customers, and partners.

NIST AI RMF is a framework for self-assessment. Organizations implement the framework and may document their approach, but there's no formal certification. This offers flexibility but less external validation.

Prescriptive vs. Principles-Based

ISO 42001 uses "shall" statements that specify requirements. Organizations must demonstrate conformity with specific requirements to achieve certification.

NIST AI RMF uses "should" and descriptive guidance. Organizations have more latitude in how they implement the framework's principles.

International vs. US Focus

ISO 42001 is an international standard developed through ISO's global consensus process. It carries weight globally and aligns with other ISO management system standards.

NIST AI RMF was developed by a US agency, though with broad stakeholder input. It's particularly relevant for US regulatory contexts, including explicit references in Colorado's AI Act.

Integration with Existing Systems

ISO 42001 integrates naturally with ISO 27001 (information security), ISO 27701 (privacy), and other ISO management system standards. Organizations with existing ISO certifications can extend their management systems.

NIST AI RMF is designed to integrate with existing enterprise risk management (ERM) and cybersecurity risk management (particularly the NIST Cybersecurity Framework). Organizations using NIST frameworks will find familiar concepts.

When to Use NIST AI RMF

NIST AI RMF is particularly appropriate when:

Colorado compliance is a priority. The AI Act's affirmative defense explicitly contemplates recognized risk management frameworks. NIST AI RMF implementation strengthens your legal position.

You need flexibility. The principles-based approach accommodates diverse organizational contexts, AI applications, and risk profiles without rigid requirements.

You're integrating with existing NIST frameworks. If you already use the NIST Cybersecurity Framework or NIST Privacy Framework, AI RMF concepts will be familiar and integration straightforward.

You want a starting point. The framework's Playbook provides extensive practical guidance for organizations beginning their AI risk management journey.

Budget constraints exist. Self-assessment costs less than certification. Organizations can implement AI RMF without certification body fees.

When to Use ISO 42001

ISO 42001 is particularly appropriate when:

External validation matters. Certification provides proof to customers, partners, regulators, and other stakeholders that your AI governance meets international standards.

You serve global markets. International recognition of ISO standards supports business relationships across jurisdictions.

You have ISO certifications already. Extending existing management systems (27001, 27701) to include 42001 leverages established processes and audit relationships.

Contractual requirements demand it. Enterprise customers increasingly require vendor certifications. ISO 42001 may become a procurement requirement.

You want structured requirements. The shall-statement approach provides clear requirements rather than general principles.

Using Both Frameworks

The frameworks aren't mutually exclusive. Many organizations will benefit from using both:

NIST AI RMF as the operational framework. Use its Govern-Map-Measure-Manage structure and detailed playbook guidance for day-to-day AI risk management.

ISO 42001 as the management system foundation. Implement the management system requirements, pursue certification, and demonstrate conformity to stakeholders.

Map between frameworks. NIST and ISO have different terminology but address similar concepts. A mapping between the frameworks helps ensure comprehensive coverage.

The combination provides both operational guidance (NIST) and certifiable governance (ISO).

Framework Comparison: Key Areas

Governance

NIST AI RMF Govern function:

  • Policies, processes, procedures
  • Accountability structures
  • Organizational culture
  • Workforce diversity and competence

ISO 42001 governance requirements:

  • Leadership commitment
  • AI policy
  • Roles, responsibilities, authorities
  • Planning for AI management system

Both emphasize that governance starts at the top and requires organizational commitment.

Risk Assessment

NIST AI RMF Map and Measure functions:

  • Context establishment
  • Risk identification
  • Risk analysis
  • Risk evaluation

ISO 42001 risk assessment:

  • Risk assessment process
  • AI system impact assessment
  • Treatment of risks

Both require systematic risk identification and assessment, though with different structural approaches.

Lifecycle Management

NIST AI RMF addresses the lifecycle through the Map function (understanding context, including the current lifecycle stage) and the Manage function (prioritizing and acting on risks throughout the lifecycle).

ISO 42001 includes specific lifecycle requirements in Annex B, addressing development, provision, use, and retirement of AI systems.

Documentation

NIST AI RMF recommends documentation but doesn't specify required documents. Organizations determine appropriate documentation.

ISO 42001 requires specific documented information: AI policy, risk assessment results, treatment records, performance metrics, and evidence of management system operation.

Continuous Improvement

NIST AI RMF builds in feedback loops and emphasizes that AI risk management is iterative.

ISO 42001 requires formal continuous improvement processes, including management review, internal audit, and corrective action — consistent with all ISO management system standards.

Implementation Approach

Whether using one or both frameworks, implementation follows a similar pattern:

Phase 1: Foundation

  • Executive commitment and resource allocation
  • Scope definition (which AI systems, which organizational boundaries)
  • Governance structure establishment
  • Initial policy development

Phase 2: Assessment

  • AI system inventory
  • Risk identification and assessment
  • Gap analysis against framework requirements
  • Prioritization of improvements

Phase 3: Implementation

  • Control implementation
  • Process development
  • Documentation creation
  • Training and awareness

Phase 4: Verification

  • Internal assessment/audit
  • Management review
  • Corrective actions
  • (For ISO 42001) Certification audit

Phase 5: Continuous Operation

  • Ongoing monitoring
  • Regular assessment cycles
  • Continuous improvement
  • Adaptation to changes

Making the Choice

For most organizations, the practical answer is: start with NIST AI RMF's practical guidance, and build toward ISO 42001's requirements if certification is needed.

If you're just starting: Begin with NIST AI RMF. The Playbook provides accessible, practical guidance for organizations new to AI risk management.

If you need certification: Plan for ISO 42001. Use NIST AI RMF guidance to implement, then ensure your implementation meets ISO 42001's specific requirements for certification.

If you're already ISO-certified: Extend your existing management system. Add AI-specific controls and pursue ISO 42001 certification as an extension of your current program.

If Colorado compliance is critical: Ensure NIST AI RMF implementation is documented sufficiently to support the affirmative defense, regardless of whether you also pursue ISO certification.

The frameworks are tools, not destinations. Choose based on your organizational context, stakeholder requirements, and strategic objectives.
