Blog · March 2026 · 7 min read

EU AI Act vs ISO 42001 vs NIST AI RMF — How They Map Together

Organisations navigating AI governance often face three overlapping frameworks: the EU AI Act (a binding regulation with enforcement penalties), ISO/IEC 42001 (a certifiable AI management system standard), and the NIST AI Risk Management Framework (a voluntary US-originated governance guide). All three address AI risk management, but from different angles and with different enforcement mechanisms. Understanding where they converge and diverge is critical for organisations operating across jurisdictions or building compliance programs that satisfy multiple requirements simultaneously.

[Figure: Venn diagram of the overlaps between the EU AI Act, ISO/IEC 42001 and the NIST AI RMF.]
Three frameworks, significant overlap. Understanding the convergence saves months of duplicate compliance work.

The Core Mapping

[Figure: three-layer stack connecting EU AI Act Articles 8-15 to ISO 42001 controls and NIST AI RMF functions.]
EU AI Act Articles 8-15, ISO 42001 Annex A controls, and NIST AI RMF functions, connected across three layers.

Risk Management (EU AI Act Article 9 ↔ ISO 42001 Clause 6.1 ↔ NIST AI RMF GOVERN/MAP/MANAGE): All three frameworks require systematic identification and mitigation of AI-related risks. The EU AI Act mandates a risk management system for high-risk AI systems that runs as a continuous, iterative process across the whole lifecycle, including testing against predefined metrics and consideration of residual risk. ISO 42001 requires AI risk assessment, risk treatment and AI system impact assessment as part of management system planning (Clause 6.1). NIST AI RMF addresses identification through GOVERN and MAP and treatment through MANAGE. The overlap is substantial: an organisation with a mature ISO 42001 risk assessment process will have covered most of what Article 9 requires (the author's estimate is 70-80%). The residual is Article 9's system-specific obligations: evidence that the process is re-run and updated throughout the lifecycle, test records against the predefined metrics, and explicit consideration of impacts on persons under 18 and other vulnerable groups.

[Figure: handwritten crosswalk of EU AI Act Article 10 data governance requirements to ISO 42001 and NIST AI RMF.]
Practical crosswalk: mapping Article 10 data governance requirements across all three frameworks.

Data Governance (Article 10 ↔ ISO 42001 Annex A Control A.7 ↔ NIST MAP 2.3 / MEASURE 2.11): Article 10 sets specific requirements for training, validation, and testing data sets. ISO 42001 addresses data management through its Annex A.7 controls (data for development, data acquisition, data quality, data provenance, and data preparation). NIST AI RMF touches data governance through MAP 2.3 (data collection and selection, representativeness, suitability) and the fairness and bias evaluation in MEASURE 2.11. The EU AI Act's requirements here are more prescriptive than either ISO 42001 or NIST: Article 10(2) requires documented examination of possible biases and measures to detect and mitigate them, identification of data gaps, and assessment of data availability and suitability; Article 10(3) requires data sets to be relevant, sufficiently representative, as error-free and complete as possible, and to have appropriate statistical properties for the persons and groups the system will be used on; and Article 10(4) requires them to reflect the geographical, contextual, behavioural and functional setting of intended use. This is a common gap for organisations using ISO 42001 as their primary framework, because A.7 asks for defined data quality criteria but does not dictate what those criteria must contain.

Documentation (Article 11/Annex IV ↔ ISO 42001 Clause 7.5 and Annex A.6.2.3/A.6.2.7 ↔ NIST GOVERN 4.2 / MAP 2.3 / MEASURE 2.1): The EU AI Act requires technical documentation per Annex IV for high-risk systems, drawn up before the system is placed on the market or put into service and kept up to date. ISO 42001 requires documented information as part of management system operations (Clause 7.5) and, more specifically, documentation of AI system design and development and technical documentation for the system (A.6.2.3 and A.6.2.7). NIST treats documentation as a cross-cutting practice rather than a single requirement, for example documenting risks and impacts (GOVERN 4.2), data collection and selection decisions (MAP 2.3), and test sets, metrics and TEVV tooling (MEASURE 2.1). The EU AI Act's Annex IV is the most granular of the three: it specifies what must be documented, including a general description of the system, the design specifications and system architecture, the training methodologies and data requirements, the data governance measures, the human oversight measures, the validation and testing results, the risk management system, the changes made through the lifecycle, and the post-market monitoring plan. A practical check is to treat the Annex IV headings as a checklist and confirm that each one resolves to a specific document owned under Clause 7.5, rather than assuming the management system's records cover it.

Human Oversight (Article 14 ↔ ISO 42001 Annex A.6.2 and A.9 ↔ NIST GOVERN 3.2 / MAP 3.5): Article 14 mandates that high-risk AI systems be designed to allow effective human oversight, including the ability to understand the system's capacities and limitations, to monitor its operation, to remain aware of automation bias, to correctly interpret its output, to decide not to use it or to override or reverse its output, and to intervene or interrupt it through a "stop" button or similar procedure that brings the system to a halt in a safe state. ISO 42001 has no control named for human oversight; the nearest hooks are the responsible-use objectives and intended-use controls in A.9 and the operation and monitoring control in A.6.2. NIST covers it under GOVERN 3.2 (roles and responsibilities for human-AI configurations and oversight) and MAP 3.5 (processes for human oversight are defined, assessed and documented). The EU AI Act is the most specific about implementation: the oversight measures must be built into the system by the provider or identified for implementation by the deployer, and they must be commensurate with the risks, the level of autonomy and the context of use.

Accuracy, Robustness, Cybersecurity (Article 15 ↔ ISO 42001 Annex A.6.2.4/A.6.2.6 ↔ NIST MEASURE 2.5-2.7): All three frameworks address technical performance requirements. Article 15 requires appropriate levels of accuracy, robustness, and cybersecurity throughout the AI system lifecycle, with the accuracy metrics declared in the instructions for use. ISO 42001 covers these through its life-cycle controls on verification and validation (A.6.2.4) and operation and monitoring (A.6.2.6), with robustness, safety and security listed among the organisational objectives in Annex C. NIST's MEASURE function addresses testing and evaluation, in particular validity and reliability (MEASURE 2.5), safety (2.6) and security and resilience (2.7). For organisations already ISO 27001 certified, the conventional cybersecurity component of Article 15 will overlap significantly with existing controls. The caveat is Article 15(5): it names AI-specific attack classes, namely data poisoning, model poisoning, adversarial examples or model evasion, and confidentiality attacks, and expects measures to prevent, detect, respond to and control them. Standard ISO 27001 controls do not exercise these; they need adversarial testing of the model and its training pipeline, and the results belong in the Annex IV documentation.

Where the Gaps Are

EU AI Act has no equivalent in ISO 42001 or NIST: The prohibition regime under Article 5 is unique to the EU AI Act, and it applies regardless of whether a system is classified as high-risk; neither ISO 42001 nor NIST AI RMF prohibits any specific AI practice. Similarly, the conformity assessment procedures, CE marking requirements, registration obligations, and the specific penalty structure are regulatory constructs that have no voluntary standard equivalent. The AI literacy obligation under Article 4 is also unique in its mandatory nature.

ISO 42001 has depth that the EU AI Act lacks: ISO 42001 provides a comprehensive management system framework including leadership commitment requirements, internal audit processes, management review procedures, and continual improvement mechanisms. The EU AI Act focuses on specific technical requirements per system rather than organisational governance maturity. An organisation with ISO 42001 certification will typically have stronger AI governance processes even in areas where the EU AI Act does not prescribe specific requirements. One caveat: certification does not by itself create the presumption of conformity under Article 40 of the AI Act, which attaches only to harmonised standards cited in the Official Journal of the EU, so a certificate is evidence of process maturity rather than of legal conformity.

NIST AI RMF has societal context that others underplay: The NIST framework's emphasis on sociotechnical context — understanding how AI systems interact with broader social systems — provides analytical depth that neither the EU AI Act's prescriptive rules nor ISO 42001's management system controls fully capture.

Practical Recommendation

If you are starting from scratch, begin with the EU AI Act requirements since they carry enforcement penalties, then map ISO 42001 controls to demonstrate management system maturity, and use NIST AI RMF functions to fill analytical gaps. If you already have ISO 42001 certification, your gap analysis for EU AI Act compliance will be focused on the prescriptive requirements of Articles 10 (data governance), 11/Annex IV (documentation specifics), 14 (oversight and stop/interrupt design), the AI-specific attack classes in Article 15(5), and the Article 5 prohibition screening.

Our EU AI Act Compliance Toolkit includes detailed NIST AI RMF crosswalk mappings for each Article 8-15 requirement. For a preliminary classification of your systems, start with the free Compliance Checker.

[Image: project mapping and workflow table in a binder.]
One integrated compliance program covering all three frameworks is more efficient than three separate efforts.

About the author: Abhishek G Sharma is the founder of Move78 International Limited and holds ISO 42001 Lead Auditor, CISA, CISM, CRISC, and CEH certifications. The crosswalk analysis draws on 20+ years of cybersecurity, risk management, and compliance experience across ISO 27001, NIST CSF, and AI governance frameworks.

Disclaimer: This article is for educational purposes only. Consult qualified legal counsel for binding compliance decisions. Last updated: March 2026.