
Controlling your algorithms: which AI governance framework suits your organisation?

The EU AI Act requires deployers of high-risk AI systems to have demonstrable governance — but the law does not prescribe how you organise that governance. That is a deliberate choice by the European legislator: it leaves room for international standards and existing management frameworks. In practice, that room leads to a recurring question: which framework do you choose as your foundation?

This article compares the three most widely used international AI governance frameworks — NIST AI RMF, ISO 42001 and the OECD AI Principles — and explains how each relates to the concrete obligations of the EU AI Act. No abstract principles, but a practical analysis for the compliance professional who must make a choice today.

Why frameworks are necessary at all

The EU AI Act is legislation: it defines obligations, prohibitions and sanctions. What it does not provide is a working method. How do you inventory AI systems? How do you weigh risks? How do you embed oversight in the practice of your organisation? That is precisely what governance frameworks provide — a structured method for moving from legal obligation to demonstrable practice.

A second reason is robustness. Organisations that structure governance solely on the basis of statutory text build a compliance structure that is vulnerable to changes in interpretation, case law and legislative amendments. Frameworks are broader, deeper and — in the case of ISO 42001 — internationally audited and certified. They offer a foundation that is more than the minimum legal requirement.

Framework 1: NIST AI Risk Management Framework (AI RMF)

The NIST AI RMF, published by the American National Institute of Standards and Technology, is built around four functions that form a cyclical process: Govern, Map, Measure and Manage. The framework is not prescriptive — it does not dictate which specific measures you must take, but provides a structured language and method for identifying, quantifying and managing AI risks.

The four functions in practice

  • Govern — Establish the organisational context: who is responsible for AI risk management, which values and risk appetite does your organisation maintain, how is oversight arranged?
  • Map — Identify and categorise AI systems and their risks. Which systems does your organisation deploy, for what purpose, and what risks do they carry for those affected?
  • Measure — Quantify and prioritise identified risks. This includes performing impact assessments, bias analyses and reliability tests.
  • Manage — Implement measures, monitor operation and document decisions. This is the operational domain: incident response, oversight processes, periodic reviews.

Alignment with the EU AI Act

NIST AI RMF aligns well with the systematics of Art. 9 EU AI Act (risk management system) and Art. 26 (deployer obligations). The 'Map' function corresponds to the required inventory and classification; 'Manage' covers the monitoring and oversight obligations of Art. 26.5. However, the framework offers no certification pathway — it is a methodology, not a standard that is audited.

Suitable for whom

NIST AI RMF is particularly suitable for organisations that want to structure governance from an IT or security background, for organisations already working with the NIST Cybersecurity Framework (the approach is closely related), and for teams looking for a pragmatic, stepwise method without certification ambition.

Framework 2: ISO/IEC 42001 — AI Management System

ISO 42001 is the international management standard for artificial intelligence, published in December 2023. It is the AI equivalent of ISO 27001 (information security) and ISO 9001 (quality management) — and like those standards, it leads to a certifiable AI Management System (AIMS). The structure follows the High Level Structure (HLS) shared by all ISO management systems, which simplifies integration with existing ISO certifications.

Core requirements

ISO 42001 requires organisations to establish, implement, maintain and continually improve a documented AIMS. This includes:

  • An AI policy established by management;
  • A system for identifying and assessing AI-related risks and opportunities;
  • Documented objectives and measurable indicators;
  • Internal audits and management reviews;
  • Corrective actions in response to deviations.

Alignment with the EU AI Act

ISO 42001 is the framework with the strongest direct alignment with the EU AI Act. Art. 17 of the AI Act — which mandates a quality management system for providers of high-risk AI — is closely aligned in content with the AIMS requirements of ISO 42001. For deployers, an ISO 42001 certification provides a powerful means of evidence for the supervisory authority: it demonstrates not only that you have a system, but that an independent auditor has assessed and approved that system.

Suitable for whom

ISO 42001 is suitable for organisations with a serious certification ambition, for organisations that have already implemented ISO 27001 or ISO 9001 (HLS integration significantly reduces the implementation burden), and for organisations where clients or contracting authorities require a demonstrable management framework. The implementation burden is substantial — plan a minimum of six to twelve months for a full implementation including gap analysis, documentation and internal audit cycle.

Framework 3: OECD Principles on Artificial Intelligence

The OECD AI Principles, first established in 2019 and updated since, are five principles at policy level: inclusive growth and wellbeing, human-centred values and fairness, transparency and explainability, robustness and safety, and accountability. The OECD Principles are not an implementation framework — they provide no processes, control points or documentation requirements.

Alignment with the EU AI Act

The EU AI Act is substantially influenced in content by the OECD Principles: the principles can be found in the recitals of the law. For compliance purposes, however, the OECD Principles are a starting point, not an endpoint. They help in formulating AI policy at board level and in articulating your organisation's values around AI — but they do not in themselves produce demonstrable compliance with concrete legal obligations.

Suitable for whom

The OECD Principles are suitable as a policy compass for boards and management, as a basis for an organisation-wide AI ethics policy, and as a supplement to one of the other frameworks — not as a standalone compliance approach. Those who rely solely on the OECD Principles for EU AI Act compliance have a gap in practical implementation.

Comparison matrix: three frameworks side by side

| Criterion | NIST AI RMF | ISO 42001 | OECD Principles |
| --- | --- | --- | --- |
| Type | Methodology | Management standard (certifiable) | Policy principles |
| Certification | No | Yes (independent audit) | No |
| EU AI Act alignment | Good (Art. 9, Art. 26) | Strong (Art. 17, Art. 26) | Indirect (recitals) |
| Implementation burden | Medium | High | Low |
| Suitable for SMEs | Yes | Limited (unless already ISO-certified) | Yes (as supplement) |
| Audit evidence for supervisor | Indirect | Strong (third-party certificate) | Weak |

How does this relate to your EU AI Act obligations?

A widely held misconception is that one framework replaces the EU AI Act. It does not. The AI Act is legislation with legally enforceable obligations; frameworks are methodologies that help fulfil those obligations in practice. The relationship is complementary, not substitutable.

Concretely: Art. 9 EU AI Act requires deployers of high-risk systems to operate a risk management system. NIST AI RMF and ISO 42001 both offer a methodology for setting up that system — but you still need to determine the specific risk class per system (Art. 6), retain the correct documents (Art. 26.6), and report incidents (Art. 73). No framework replaces those specific obligations.

The smartest approach for most deployers is a combination: ISO 42001 as management framework for the governance structure, supplemented by the NIST AI RMF methodology for operational risk analysis per system, and the EU AI Act as legal assessment framework determining which obligations are concretely applicable.

Own framework: when is it useful?

Some organisations choose their own, tailored governance framework — a combination of elements from existing standards, supplemented by sector-specific requirements. This is a legitimate approach, but it requires more internal expertise and is harder to explain to external supervisory authorities. A framework of your own offers no certification pathway and requires you to demonstrate at an audit that your approach is equivalent to the legal requirements.

For organisations in heavily regulated sectors — financial services, healthcare, government — a standardised framework is preferable due to its recognisability with sector supervisory authorities (DNB, NZa, ACM).

Practical recommendations by organisation type

Starting compliance teams (0–6 months)

Start with the NIST AI RMF as a methodological compass. The four functions (Govern, Map, Measure, Manage) provide structure without certification pressure. Use the 'Map' phase to build a complete AI register; use 'Govern' to assign ownership and responsibilities. Document everything — every decision, every review.

Organisations with ISO certification (e.g. 27001 or 9001)

Add ISO 42001 as an extension to your existing management system. The High Level Structure makes integration relatively straightforward. Plan a gap analysis as the first step: which elements of ISO 42001 does your current management system already cover, and where are the gaps?

Organisations with certification ambition

Choose ISO 42001 as the primary standard and plan the implementation in two phases: internal implementation and first internal audit (phase 1), followed by certification audit by an accredited body (phase 2). Reserve sufficient budget and time — a full ISO 42001 implementation typically takes six to twelve months.

Boards and management

The OECD Principles offer an accessible framework for placing AI governance on the agenda at board level. Combine them with a concrete implementation approach (NIST or ISO 42001) and ensure a clear mandate for the internal AI Officer or Governance Professional.

Conclusion: choose deliberately, document your choice

There is no universally 'best' framework — the right choice depends on the size of your organisation, your existing governance structures, your sector regulatory context and your certification ambitions. What does apply universally: make a deliberate choice and document why you chose that framework. A supervisory authority reviewing your dossier wants to see not only what you have done, but also why you chose that approach and how that approach demonstrably works in the practice of your organisation.

The EU AI Act makes room for international standards and own management frameworks. Use that space — but fill it with the disciplined structure that only a deliberately chosen framework can provide.
