
Top AI Governance Frameworks Compared: NIST, EU AI Act, OECD and ISO 42001

By Daman David Pant | May 2026 | 12 min read

There is no single global standard for AI governance. Instead, organisations must navigate a patchwork of frameworks, regulations, and standards, each with different scope, authority, and requirements. For the AIGP exam, you need to know the four most important ones and be able to distinguish between them in scenario-based questions.

This guide covers the NIST AI RMF, EU AI Act, OECD AI Principles, and ISO 42001, with a side-by-side comparison and exam tips for each.

Quick answer: The four key AI governance frameworks differ by authority and purpose. The EU AI Act is binding law that classifies AI by risk. The NIST AI RMF is a voluntary process for managing AI risk (Govern, Map, Measure, Manage). The OECD AI Principles are values-based and non-binding. ISO 42001 is a certifiable management-system standard. Most mature organisations use them together rather than choosing one.

Quick Comparison Overview

| Framework | Origin | Binding? | Scope | Primary Focus |
| --- | --- | --- | --- | --- |
| EU AI Act | European Union | Yes (law) | Any AI affecting EU residents | Risk classification and legal compliance |
| NIST AI RMF | United States | Voluntary | Any organisation globally | Risk management process |
| OECD AI Principles | OECD (42 countries) | Voluntary | Governments and organisations | Values-based principles for trustworthy AI |
| ISO 42001 | International (ISO) | Voluntary (certifiable) | Any organisation | AI management system standard |

1. EU AI Act

Legally Binding

What it is

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. It classifies AI systems into four risk tiers and imposes legal obligations on providers and deployers based on risk level.

Core structure

Who it applies to

Any organisation placing AI systems on the EU market or using AI in a way that affects EU residents, regardless of where the organisation is headquartered.

AIGP exam relevance

Heavily tested. You must know the risk tiers, prohibited practices, high-risk categories, and GPAI model rules. See our full EU AI Act guide.

2. NIST AI Risk Management Framework (AI RMF)

Voluntary

What it is

Published by the US National Institute of Standards and Technology in January 2023, the NIST AI RMF is a voluntary framework that helps organisations identify, assess, and manage AI risks throughout the AI lifecycle. It is widely adopted across sectors globally, not just in the US.

Core structure: the four functions

Key characteristics

AIGP exam relevance

You need to know the four core functions (Govern, Map, Measure, Manage) and the trustworthiness properties. Questions often ask you to identify which function a specific activity belongs to.

3. OECD AI Principles

Voluntary

What it is

Adopted in 2019 and updated in 2024, the OECD AI Principles were the first intergovernmental standard on AI, endorsed by 42 countries. They are values-based principles rather than a compliance framework.

The five principles

Key characteristics

AIGP exam relevance

Often tested as a contrast to the EU AI Act. The OECD framework is broader and aspirational; the EU AI Act is specific and legally enforceable. Questions may ask you to identify the primary goal of the OECD framework (balancing harm prevention with fostering innovation).

4. ISO 42001

Certifiable Standard

What it is

Published in December 2023, ISO/IEC 42001 is the first international standard for AI management systems (AIMS). Like ISO 27001 for information security, it provides a certifiable framework that organisations can implement and have independently audited.

Core structure

Key characteristics

AIGP exam relevance

Know that ISO 42001 is a management system standard (not a technical standard) and that it is certifiable. It is often tested alongside ISO 27001 comparisons and as a contrast to voluntary frameworks.

How They Work Together

These frameworks are not mutually exclusive. In practice, a well-governed organisation would typically:

Exam tip: A common question asks which framework a specific activity belongs to. NIST is about process (Govern/Map/Measure/Manage). OECD is about principles. ISO 42001 is about management systems. EU AI Act is about legal compliance and risk classification.

Singapore Model AI Governance Framework

It is worth mentioning as a fifth framework that appears in AIGP exam questions. Published by Singapore's IMDA and PDPC, it is a voluntary, practical framework focused on two core principles:

It is most often tested as a contrast to the EU AI Act: Singapore's approach is voluntary and principles-based, while the EU's is mandatory and prescriptive.

AIGP vs ISO 42001: What's the Difference?

This is one of the most common points of confusion, because the two are often searched together, but they are fundamentally different kinds of things.

| | AIGP | ISO 42001 |
| --- | --- | --- |
| What it is | A professional certification for an individual | A management system standard for an organisation |
| Who earns it | A person (governance, privacy, risk, legal professional) | A company or team |
| Awarded by | IAPP, via a proctored exam | An accredited certification body, via audit |
| Proves | That you understand AI governance | That your organisation has a working AI management system |
| Renewal | Continuing education credits (CPE) | Surveillance audits and recertification |

In one line: a person earns an AIGP; an organisation certifies to ISO 42001. They are complementary. An AIGP-certified professional is often exactly the person who helps an organisation implement and maintain an ISO 42001 management system. For the exam, know that ISO 42001 itself is part of the AIGP body of knowledge: the AIGP tests your understanding of standards like ISO 42001, among others. For a deeper breakdown, see our dedicated guide: AIGP vs ISO 42001: What's the Difference?

ISO 42001 vs NIST AI RMF: Which Should You Use?

Both are voluntary and widely adopted, but they play different roles, and most mature programmes use them together rather than choosing one.

| | ISO 42001 | NIST AI RMF |
| --- | --- | --- |
| Type | Certifiable management system standard | Voluntary risk-management framework |
| Origin | ISO/IEC (international) | NIST (United States) |
| Structure | Plan-Do-Check-Act management system | Four functions: Govern, Map, Measure, Manage |
| Can you be certified? | Yes, by an accredited body | No formal certification |
| Best used as | The auditable governance layer for stakeholders | The day-to-day operational method for managing AI risk |

A practical pattern: run your operations using the NIST AI RMF, then pursue ISO 42001 certification to formally evidence that those operations meet an auditable standard. They reinforce each other.

Frequently Asked Questions

What is the difference between AIGP and ISO 42001?

AIGP is a certification for an individual person; ISO 42001 is a certifiable standard for an organisation's AI management system. A person earns an AIGP; a company certifies to ISO 42001. They are complementary, not alternatives.

What is the difference between ISO 42001 and the NIST AI RMF?

ISO 42001 is a certifiable management system standard you can be audited against. The NIST AI RMF is a voluntary, non-certifiable risk-management process. Many organisations operate with NIST and certify to ISO 42001 to demonstrate maturity.

Which AI governance framework should I use?

Most well-governed organisations combine them: the EU AI Act for legal compliance, the NIST AI RMF for operational risk management, the OECD Principles for values, and ISO 42001 certification to evidence maturity. They are layers, not competing choices.


About the author: Daman David Pant, AIGP is a Principal Consultant at Infosys with 20+ years in IT, focused on AI governance, agentic AI accountability, and responsible AI. He passed the IAPP AIGP exam with a score of 475/500 and built the AIGP Playbook to make exam preparation accessible to everyone.