There is no single global standard for AI governance. Instead, organisations must navigate a patchwork of frameworks, regulations, and standards, each with different scope, authority, and requirements. For the AIGP exam, you need to know the four most important ones and be able to distinguish between them in scenario-based questions.
This guide covers the NIST AI RMF, EU AI Act, OECD AI Principles, and ISO 42001, with a side-by-side comparison and exam tips for each.
Quick answer: The four key AI governance frameworks differ by authority and purpose. The EU AI Act is binding law that classifies AI by risk. The NIST AI RMF is a voluntary process for managing AI risk (Govern, Map, Measure, Manage). The OECD AI Principles are values-based and non-binding. ISO 42001 is a certifiable management-system standard. Most mature organisations use them together rather than choosing one.
| Framework | Origin | Binding? | Scope | Primary Focus |
|---|---|---|---|---|
| EU AI Act | European Union | Yes (law) | Any AI affecting EU residents | Risk classification and legal compliance |
| NIST AI RMF | United States | Voluntary | Any organisation globally | Risk management process |
| OECD AI Principles | OECD (42 countries) | Voluntary | Governments and organisations | Values-based principles for trustworthy AI |
| ISO 42001 | International (ISO) | Voluntary (certifiable) | Any organisation | AI management system standard |
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. It classifies AI systems into four risk tiers and imposes legal obligations on providers and deployers based on risk level.
Any organisation placing AI systems on the EU market or using AI in a way that affects EU residents, regardless of where the organisation is headquartered.
Heavily tested. You must know the risk tiers, prohibited practices, high-risk categories, and GPAI model rules. See our full EU AI Act guide.
Published by the US National Institute of Standards and Technology in January 2023, the NIST AI RMF is a voluntary framework that helps organisations identify, assess, and manage AI risks throughout the AI lifecycle. It is widely adopted across sectors globally, not just in the US.
You need to know the four core functions (Govern, Map, Measure, Manage) and the trustworthiness properties. Questions often ask you to identify which function a specific activity belongs to.
Adopted in 2019 and updated in 2024, the OECD AI Principles were the first intergovernmental standard on AI, endorsed by 42 countries. They are values-based principles rather than a compliance framework.
Often tested as a contrast to the EU AI Act. The OECD framework is broader and aspirational; the EU AI Act is specific and legally enforceable. Questions may ask you to identify the primary goal of the OECD framework (balancing harm prevention with fostering innovation).
Published in December 2023, ISO/IEC 42001 is the first international standard for AI management systems (AIMS). Like ISO 27001 for information security, it provides a certifiable framework that organisations can implement and have independently audited.
Know that ISO 42001 is a management system standard (not a technical standard) and that it is certifiable. It is often tested in comparisons with ISO 27001 and as a contrast to non-certifiable voluntary frameworks.
These frameworks are not mutually exclusive. In practice, a well-governed organisation would typically:
Exam tip: A common question asks which framework a specific activity belongs to. NIST is about process (Govern/Map/Measure/Manage). OECD is about principles. ISO 42001 is about management systems. EU AI Act is about legal compliance and risk classification.
Worth mentioning as a fifth framework that appears in AIGP exam questions. Published by Singapore's IMDA and PDPC, it is a voluntary, practical framework focused on two core principles:
It is most often tested as a contrast to the EU AI Act: Singapore's approach is voluntary and principles-based, while the EU's is mandatory and prescriptive.
This is one of the most common points of confusion, because the two are often searched together, but they are fundamentally different kinds of things.
| | AIGP | ISO 42001 |
|---|---|---|
| What it is | A professional certification for an individual | A management system standard for an organisation |
| Who earns it | A person (governance, privacy, risk, legal professional) | A company or team |
| Awarded by | IAPP, via a proctored exam | An accredited certification body, via audit |
| Proves | That you understand AI governance | That your organisation has a working AI management system |
| Renewal | Continuing education credits (CPE) | Surveillance audits and recertification |
In one line: a person earns an AIGP; an organisation certifies to ISO 42001. They are complementary. An AIGP-certified professional is often exactly the person who helps an organisation implement and maintain an ISO 42001 management system. For the exam, know that ISO 42001 itself is part of the AIGP body of knowledge: the AIGP tests your understanding of standards like ISO 42001, among others. For a deeper breakdown, see our dedicated guide: AIGP vs ISO 42001: What's the Difference?
Both are voluntary and widely adopted, but they play different roles, and most mature programmes use them together rather than choosing one.
| | ISO 42001 | NIST AI RMF |
|---|---|---|
| Type | Certifiable management system standard | Voluntary risk-management framework |
| Origin | ISO/IEC (international) | NIST (United States) |
| Structure | Plan-Do-Check-Act management system | Four functions: Govern, Map, Measure, Manage |
| Can you be certified? | Yes, by an accredited body | No formal certification |
| Best used as | The auditable governance layer for stakeholders | The day-to-day operational method for managing AI risk |
A practical pattern: run your operations using the NIST AI RMF, then pursue ISO 42001 certification to formally evidence that those operations meet an auditable standard. They reinforce each other.
AIGP is a certification for an individual person; ISO 42001 is a certifiable standard for an organisation's AI management system. A person earns an AIGP; a company certifies to ISO 42001. They are complementary, not alternatives.
ISO 42001 is a certifiable management system standard you can be audited against. The NIST AI RMF is a voluntary, non-certifiable risk-management process. Many organisations operate with NIST and certify to ISO 42001 to demonstrate maturity.
Most well-governed organisations combine them: the EU AI Act for legal compliance, the NIST AI RMF for operational risk management, the OECD Principles for values, and ISO 42001 certification to evidence maturity. They are layers, not competing choices.
About the author: Daman David Pant, AIGP is a Principal Consultant at Infosys with 20+ years in IT, focused on AI governance, agentic AI accountability, and responsible AI. He passed the IAPP AIGP exam with a score of 475/500 and built the AIGP Playbook to make exam preparation accessible to everyone.