Chapter 1: The Three Frameworks
1.1 Why a Unified Approach
Organisations operating AI systems face a fragmented landscape of risk frameworks. The three most influential are:
- The EU AI Act (Regulation (EU) 2024/1689) — a legally binding regulation with a four-tier risk classification and mandatory requirements for high-risk systems.
- The NIST AI Risk Management Framework (AI RMF 1.0, January 2023) — a voluntary framework published by the U.S. National Institute of Standards and Technology, structured around four core functions: Govern, Map, Measure, and Manage.
- ISO/IEC 42001:2023 — an international standard for AI management systems, providing a certifiable framework for establishing, implementing, maintaining, and continually improving AI management within an organisation.
Each framework addresses AI risk from a different angle. The EU AI Act prescribes specific legal obligations. NIST AI RMF provides a flexible methodology for risk identification and mitigation. ISO 42001 establishes an auditable management system. Used together, they cover legal obligation, risk method and organisational governance, which no single framework does alone.
This guide maps the three frameworks into a single operational methodology that satisfies legal requirements (EU AI Act), follows established risk management practice (NIST), and supports management system certification (ISO 42001).
1.2 Framework Comparison
| Dimension | EU AI Act | NIST AI RMF | ISO 42001 |
|---|---|---|---|
| Type | Binding regulation | Voluntary framework | Certifiable standard |
| Geography | EU (with extraterritorial reach) | US-origin, globally applicable | International |
| Approach | Prescriptive risk tiers | Flexible risk management | Management system |
| Structure | Risk classification + requirements | Govern, Map, Measure, Manage | Plan-Do-Check-Act (PDCA) |
| Enforcement | Fines up to €35 million or 7% of global annual turnover, whichever is higher | None (voluntary) | Third-party certification audit |
| Focus | Compliance obligations | Risk identification and mitigation | Organisational governance |
| Audience | Providers and deployers | Any AI stakeholder | Any organisation using AI |
1.3 Framework Alignment Map
| NIST AI RMF Function | ISO 42001 Clause | EU AI Act Article |
|---|---|---|
| Govern | 5 (Leadership), 6 (Planning) | Art.17 (Quality management) |
| Map | 6.1 (Risk assessment), 8 (Operation) | Art.6 (Risk classification), Art.9 (Risk management) |
| Measure | 9 (Performance evaluation) | Art.15 (Accuracy, robustness), Art.12 (Logging) |
| Manage | 10 (Improvement), 8 (Operation) | Art.9 (Risk mitigation), Art.72 (Post-market monitoring) |
1.4 Quick Decision Matrix
Use this matrix to find your starting point. The risk levels are this guide's prioritisation, not the EU AI Act's legal tiers (unacceptable, high, limited, minimal), which are determined in Chapter 3.
| Your Situation | Risk Level | Priority Action | Go To |
|---|---|---|---|
| Deploying AI that affects employment decisions | High | High-risk obligations apply (EU AI Act Annex III, employment and worker management) | Chapter 3 |
| Using AI for customer-facing services | Medium-High | Transparency obligations apply | Chapter 4 |
| Internal AI tools (analytics, automation) | Medium | Document and monitor | Chapter 5 |
| AI in regulated sector (finance, health) | High | Sector-specific rules apply | Chapter 3 |
| Procuring AI from third-party vendor | Medium | Vendor due diligence needed | Chapter 5 |
| Just exploring AI for the first time | Low | Start with governance framework | Chapter 2 |
5-second answer: if your AI system makes or materially influences decisions that affect people, you have compliance obligations. Start with Chapter 2 for the regulatory framework, then Chapter 3 for your specific obligations.