
NIST AI RMF vs EU AI Act vs ISO 42001: What Is the Difference?

11 min read · 13 Jun 2026

Three instruments dominate the AI governance landscape: the NIST AI RMF, the EU AI Act, and ISO/IEC 42001. Candidates preparing for the IAPP AIGP exam need to understand not just what each one says, but what kind of thing each one is. One is voluntary guidance, one is binding law, and one is a management-system standard you can be independently certified against. Getting those categories right is the foundation.

One voluntary framework, one binding regulation, one certifiable standard - the AIGP exam tests whether you can tell them apart and apply each correctly.


NIST AI RMF vs EU AI Act vs ISO 42001: the one-paragraph version

The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary US framework published by the National Institute of Standards and Technology in January 2023. No law requires you to adopt it. It gives organisations a structured way to identify, analyse, and manage AI risk across four functions: Govern, Map, Measure, and Manage. Sector regulators in the US increasingly reference it when evaluating whether AI practices meet a reasonable standard of care, but it carries no penalties of its own.

The EU AI Act is a binding regulation of the European Union, adopted in June 2024, published in the Official Journal in July 2024, and entering into force on 1 August 2024. It applies in phases from February 2025 onwards. It is law. It classifies AI systems by risk tier - prohibited, high-risk, limited-risk, and minimal-risk - and attaches mandatory obligations, conformity assessments, and fines to the higher-risk categories. Organisations that place AI systems on the EU market or use them to affect people in the EU must comply, regardless of where they are headquartered.

ISO/IEC 42001:2023 is a management-system standard published by the International Organization for Standardization and the International Electrotechnical Commission in December 2023. It is voluntary, but - unlike the NIST AI RMF - it is auditable and certifiable. An accredited certification body can audit an organisation against it and issue a certificate. That makes it structurally similar to ISO 27001 for information security: adoption is a choice, but the certificate is a verifiable, third-party claim.

The NIST AI RMF and ISO 42001: two ways to govern without a mandate

The AI RMF organises AI risk management around four core functions. Govern establishes the culture, policies, and accountability structures. Map identifies context, actors, and potential harms. Measure analyses and prioritises risks. Manage applies responses and monitors outcomes. The accompanying Playbook provides specific suggested actions under each function. The framework is deliberately non-prescriptive: it does not tell an organisation which risks are acceptable or what controls to implement. That flexibility is both its strength and its limitation - it requires significant internal judgment to operationalise and offers no external verification mechanism.

In April 2026, NIST released a concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure, and in February 2026 it announced an AI Agent Standards Initiative through its Center for AI Standards and Innovation (CAISI), with an AI Agent Interoperability Profile reportedly targeted for late 2026. The AI RMF retains practical weight within US federal agencies through agency adoption and NIST guidance, even though the executive order that had directed federal agency use - EO 14110 - was revoked in January 2025. Sector regulators and large enterprises continue to reference the framework when evaluating AI risk practices.

ISO 42001 takes a different approach. It follows the high-level structure common to ISO management-system standards - the same clause architecture used in ISO 27001 and ISO 9001 - covering leadership commitment, risk management, AI policy, operational planning, performance evaluation, and continual improvement. Certification is obtained through an audit by an accredited third-party body. Established audit firms including BSI and Schellman operationalised their ISO 42001 practices during 2025, and technology vendors began acquiring the certification as a procurement differentiator. The certificate is time-limited and subject to surveillance audits, meaning it represents an ongoing management commitment rather than a one-time exercise.

The EU AI Act: binding law with a shifting timeline

The EU AI Act entered into force on 1 August 2024 and has applied in stages ever since. Prohibitions on AI practices posing unacceptable risk - such as real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (subject to narrow exceptions) and social scoring - applied from 2 February 2025. The governance provisions (including the AI Office and the European Artificial Intelligence Board), the general penalties regime, and the obligations for providers of general-purpose AI models applied from 2 August 2025.

The timeline has moved. A provisional agreement reached on 7 May 2026 under the Digital Omnibus - a package of targeted amendments agreed between the European Parliament and the Council of the EU - deferred the high-risk AI system obligations that had been due on 2 August 2026. Annex III (use-based high-risk systems) obligations are now deferred to 2 December 2027; Annex I systems embedded in regulated products face a deadline of 2 August 2028. Some transparency obligations for AI-generated content were deferred to 2 December 2026. As of mid-June 2026, the Digital Omnibus is a provisional political agreement pending legal-linguistic revision and formal publication in the Official Journal.

For AIGP candidates, the key conceptual point is that the EU AI Act assigns obligations primarily by actor role - provider, deployer, importer, distributor - and by risk tier of the AI system. A high-risk AI system used in credit scoring carries different mandatory obligations from a chatbot providing general-purpose information. Objective 2.4 of the AIGP blueprint tests this classification logic directly, and objective 2.5 covers the resulting requirements including human oversight, transparency, technical documentation, and conformity assessments.

How the three instruments fit together in practice

A common mental model for practitioners: the NIST AI RMF tells you how to think about risk, the EU AI Act tells you what you must do if you are in scope, and ISO 42001 gives you a documented management system that demonstrates you are doing it systematically.

For a European-headquartered organisation deploying a high-risk AI system, the primary obligation is the EU AI Act. ISO 42001 certification can serve as evidence of a structured AI governance programme, which is relevant to demonstrating the technical and organisational measures the Act requires. The NIST AI RMF may inform internal risk assessment methodology, particularly for teams with US regulatory exposure or US federal customers.

For a US-based organisation with no EU market presence, the EU AI Act may not apply directly - though note that the Act also reaches providers and deployers located outside the EU where the output of the AI system is used in the EU, so "no EU customers" is not the same as "out of scope". The NIST AI RMF is the most relevant national framework, and ISO 42001 offers a path to demonstrable governance maturity for enterprise procurement requirements. Many large enterprises now include AI governance requirements - sometimes referencing ISO 42001 explicitly - in their supplier due diligence processes.

The AIGP credential reflects this integrated reality. The exam's domain structure requires candidates to understand all three instruments at a level sufficient to advise an organisation on how they interact - not just to define them in isolation.

How the AIGP exam tests these frameworks

The IAPP Certified AI Governance Professional exam runs 100 questions over 165 minutes, delivered as multiple choice via Pearson VUE - online proctored or at a test centre. Of the 100 questions, 85 are scored; the remaining 15 are unscored pilot items being evaluated for future exams. The passing score is 300 on a 100-500 scaled range. The current exam fee is $799 for non-members and $649 for IAPP members. The body of knowledge version is v2.1, effective 2 February 2026.

The four domains and their approximate weights are: Foundations of AI Governance (21 per cent), Laws, Standards and Frameworks (25 per cent), Governing AI Development (27 per cent), and Governing AI Deployment and Use (27 per cent). The frameworks covered in this article sit primarily in domain 2, but they surface throughout the exam wherever a scenario question asks a candidate to apply a risk classification, select a governance control, or evaluate an organisation's compliance posture.

Scenario-based questions make up roughly 30 per cent of the exam, according to publicly available exam-guide materials. That means rote definitions are insufficient. You need to be able to read a fact pattern describing an AI system, identify its risk tier under the EU AI Act, assess what a NIST AI RMF Govern function might require, and judge whether ISO 42001 certification is relevant evidence - often within the same question stem.

Getting exam-ready when the frameworks are moving targets

One genuine challenge for AIGP candidates is that all three instruments are in motion. The EU AI Act's timeline shifted materially in May 2026. NIST is releasing new profiles and guidance through 2026. ISO 42001 certification practice is still maturing. Exam questions are anchored to the published body of knowledge - but understanding the current state of each framework is essential for scenario questions that ask you to evaluate a realistic governance situation.

The most effective preparation combines reading the primary source documents with active recall practice. Passive reading of frameworks builds recognition; it does not build the retrieval speed required under exam conditions. The AIGP is not a recall test for definitions - it tests whether you can apply governance concepts to novel situations.

Practice questions that reflect the actual exam format, scenario-based with plausible distractors that require you to distinguish between a voluntary framework recommendation and a binding legal obligation, are particularly valuable for this exam. A practice environment where every question includes a worked explanation of why each answer choice is correct or incorrect, and specifically why each distractor fails, trains exactly the reasoning the exam rewards. Working through questions on EU AI Act risk classification, NIST AI RMF function mapping, and ISO 42001 management-system requirements in realistic exam conditions is the most direct route to closing the gap between knowing a framework and being able to apply it under time pressure.


Frequently asked questions

Is the NIST AI RMF legally required?

No. The NIST AI RMF is voluntary. EO 14110, which had directed federal agencies to use it, was revoked in January 2025. The framework nonetheless retains practical weight through agency adoption, NIST guidance, and sector regulators increasingly referencing it when evaluating AI practices - but there is no law mandating adoption and no framework-specific penalties for non-compliance.

Does getting ISO 42001 certified mean you comply with the EU AI Act?

Not automatically. ISO 42001 is not a harmonised standard under the EU AI Act - it has not been cited in the Official Journal in response to the Commission's standardisation request - so conformity with it does not give the presumption of conformity that Article 40 attaches to harmonised standards, and certification does not substitute for the conformity assessment procedures the Act requires for high-risk systems. It addresses a substantial portion of the documentation and management-system requirements and provides a credible foundation, but EU AI Act compliance requires additional, Act-specific steps.

Which of the three does the AIGP exam weight most heavily?

All three appear in domain 2 (Laws, Standards and Frameworks), which carries 25 per cent of scored questions. The EU AI Act receives the most detailed treatment across two separate blueprint objectives, while the NIST AI RMF and ISO 42001 share a single objective alongside the OECD AI principles.

Do I need to be based in the EU for the EU AI Act to apply to me?

No. The EU AI Act applies to providers placing AI systems on the EU market or putting them into service in the EU, to deployers established in the EU, and to providers and deployers located outside the EU where the output of the AI system is used in the EU - regardless of where those organisations are headquartered. A US-based company deploying a high-risk AI system to EU residents is in scope.

How long is the AIGP exam and what does it cost?

The exam is 100 questions (85 scored, 15 unscored pilot items) over 165 minutes, delivered via Pearson VUE. The fee is $799 for non-members and $649 for IAPP members. The passing score is 300 on a 100-500 scale. The current body of knowledge is v2.1, effective 2 February 2026.

Has the EU AI Act's timeline changed recently?

Yes. A provisional agreement under the Digital Omnibus, reached on 7 May 2026, deferred key high-risk AI system obligations. Annex III use-based high-risk obligations moved from 2 August 2026 to 2 December 2027. As of mid-June 2026, the Omnibus is a political agreement pending formal publication in the Official Journal, so the exact effective date of the amendments is not yet confirmed.

Examworthy is not affiliated with or endorsed by IAPP. This article is original commentary based on public exam blueprints and published sources. We never reproduce live exam items. All certification names and marks belong to their respective owners.