AIRiskAware


AIRA Framework · 2026

AIRA vs ISO 42001 vs NIST AI RMF: Which AI Governance Framework Is Right for Your Organisation?

Three serious AI governance frameworks, each with different strengths, different audiences, and different regulatory recognition. How they compare, where they overlap, and how to choose — or combine — them for your specific context.

Key Takeaways

  • ISO 42001 is a certifiable management system standard — the right choice when your clients, contracts, or regulators require formal third-party certification of your AI governance.

  • NIST AI RMF is the leading voluntary framework in the US context and is increasingly referenced in US regulatory guidance — the right choice for organisations primarily serving the US market or working with US federal agencies.

  • AIRA integrates both frameworks into an operational governance methodology — the right choice for organisations that need governance to actually operate day-to-day, not just produce documentation for certification.

  • The frameworks are not mutually exclusive: AIRA implementation produces ISO 42001-aligned documentation and NIST AI RMF-mapped controls — certification against ISO 42001 is achievable for organisations that have implemented AIRA.

  • The fastest path to regulatory defensibility is AIRA implementation with ISO 42001 alignment — this satisfies the EU AI Act's requirement for a quality management system and provides certification evidence if required.

"For information only. This article does not constitute legal, regulatory, financial or professional advice. For specific guidance, consult a qualified expert."

AIRA, ISO 42001, and NIST AI RMF — how the three frameworks fit together

Organisations building AI governance frameworks routinely face the question: which framework should we adopt? The three most commonly considered options are AIRA (the AI Risk Assessment framework), ISO/IEC 42001 (the international AI management system standard), and the NIST AI Risk Management Framework. These three are often presented as alternatives — but they are not. They operate at different levels, serve different purposes, and most mature AI governance programmes use elements of all three.

This article explains what each framework does, where they overlap, where they diverge, and how to use them together.

What each framework is

NIST AI Risk Management Framework (AI RMF) is a voluntary framework published by the US National Institute of Standards and Technology in January 2023, updated through 2025. It is structured around four core functions: Govern (organisational AI governance), Map (identifying AI system context and risks), Measure (evaluating AI system performance and risks), and Manage (treating identified risks). The framework is intentionally flexible and risk-based rather than prescriptive. Companion documents include NIST AI 600-1 (Generative AI Profile, July 2024), NIST IR 8596 (December 2025 preliminary draft bridging AI RMF with Cybersecurity Framework 2.0), and the April 2026 concept note for an AI RMF Profile on Trustworthy AI in Critical Infrastructure.

ISO/IEC 42001:2023 is the international standard for AI management systems, published December 2023. It is structured similarly to ISO 27001 (information security) and ISO 9001 (quality), providing a certifiable management system based on Plan-Do-Check-Act cycles. Organisations implement an Artificial Intelligence Management System (AIMS) covering AI policy, roles and responsibilities, risk assessment, AI lifecycle management, supplier management, and continual improvement. Certification requires external audit by an accredited certification body — auditors themselves must meet the BS ISO/IEC 42006:2025 competency standard.

AIRA (AI Risk Assessment) typically refers to AI risk assessment methodologies — including the Australian AI Risk Assessment framework discussed in some Australian contexts, the Algorithmic Impact Assessments used in jurisdictions like Canada, and similar structured assessment tools. AIRA is not a single defined framework but rather a family of risk assessment methodologies. Implementation typically uses ISO 31000 (risk management) as the structural foundation with AI-specific risk categories layered in.

What each is for

NIST AI RMF is best for: providing a structural methodology US enterprises can adopt without certification; aligning with US federal contractor expectations; demonstrating alignment with US regulator references (FTC, CFPB, FDA, SEC, EEOC all reference NIST AI RMF in their guidance); creating the foundation for sector-specific NIST profiles.

ISO/IEC 42001 is best for: providing certifiable evidence of structured AI governance to customers, regulators, and investors; satisfying procurement requirements (increasingly required in enterprise procurement, particularly in financial services and government supply chains); creating an auditable management system that integrates with existing ISO 27001 and ISO 9001 implementations.

AIRA / risk assessment methodologies are best for: assessing individual AI systems at point of deployment or material change; documenting risk acceptance decisions; providing the evidence base for system-level governance decisions within a broader programme.

Where they overlap

The three frameworks address overlapping content from different angles:

NIST AI RMF's Govern function corresponds substantially to ISO 42001's management system requirements. Both expect organisational AI policy, named accountability, defined roles, training, and operational procedures. An organisation implementing one is most of the way to implementing the other.

NIST AI RMF's Map and Measure functions correspond to risk assessment activity that AIRA-style methodologies operationalise at the system level. Where NIST AI RMF describes what to map and measure, AIRA provides specific assessment templates and risk categorisation.

NIST AI RMF's Manage function corresponds to ISO 42001's risk treatment requirements. Both require risk treatment plans, ongoing monitoring, and improvement cycles.

The EU AI Act (separate from these voluntary frameworks but increasingly relevant) requires substantially similar activity — risk management, data governance, technical documentation, human oversight, post-market monitoring. Mappings published by NIST, ISO, and industry bodies make alignment of frameworks straightforward at the control level.

Where they diverge

Certifiability. ISO 42001 is certifiable through accredited certification bodies; NIST AI RMF is not. For organisations needing demonstrable third-party validation of governance maturity, ISO 42001 has a structural advantage.

Geographic alignment. NIST AI RMF aligns with US regulatory references; ISO 42001 is the international standard relevant in most other markets. For organisations operating internationally, ISO 42001 typically has broader recognition.

Specificity. AIRA-style assessments produce specific outputs (risk scores, treatment decisions, residual risk acceptance) at the AI system level. NIST AI RMF and ISO 42001 provide a management framework but rely on underlying assessment methodologies for system-level decisions.

Update cadence. NIST is updating AI RMF actively with profiles (GenAI, Critical Infrastructure, Cybersecurity). ISO 42001 update cycles are longer. AIRA-style methodologies vary by source.

The crosswalk — implementing one programme that satisfies all three

The practical approach for most organisations is to build one comprehensive AI governance programme using ISO 42001 as the structural framework, mapping its controls to NIST AI RMF functions and to AIRA-style risk assessment processes. Crosswalk templates make this mapping straightforward. The organisation implements one set of controls, generates one set of evidence, and satisfies multiple framework requirements.

An effective integrated programme typically includes:

ISO 42001 management system foundation — policy, roles, accountability, lifecycle management, supplier management, continual improvement. This provides the auditable governance backbone.

NIST AI RMF functional structure — Govern, Map, Measure, Manage applied to organisational AI activity. This provides the operational structure within the management system.

AIRA-style risk assessments for each AI system — risk identification, analysis, evaluation, treatment, monitoring. This provides the system-level assessment evidence that the management system requires.

EU AI Act compliance overlay for any in-scope systems — provider/deployer obligations, conformity assessment, technical documentation. This addresses the legal compliance requirements that voluntary frameworks alone do not.

Sector-specific framework alignment — APRA CPS 230/CPS 234 for Australian financial services, ECB Supervisory Guide for EU banks (July 2025), FCA Consumer Duty for UK financial services, MHRA for UK medical devices, MAS FEAT for Singapore financial services, PCPD Model Framework for Hong Kong, and others.

Which framework should you start with?

For most organisations, the practical answer depends on context: US-headquartered enterprises typically start with NIST AI RMF as the most directly applicable framework, then add ISO 42001 implementation when international alignment or certifiable evidence becomes important. EU and international enterprises typically start with ISO 42001 implementation as the foundational management system, layering NIST AI RMF terminology and sector-specific frameworks on top. Australian financial services typically start with CPS 230/CPS 234 compliance (APRA prudential obligations), with ISO 42001 providing the structural implementation vehicle. Smaller organisations or those new to AI governance often start with AIRA-style system-level risk assessments to build the evidence base, then formalise into a management system framework as the programme matures.

The three frameworks are complementary, not competing. Mature AI governance programmes use elements of all three — and use them to satisfy not just framework requirements but the legal and sector-specific obligations that increasingly drive AI governance investment.

Primary sources: NIST AI Risk Management Framework · ISO/IEC 42001:2023 · EU AI Act