Frameworks

Top AI Governance Frameworks Compared: NIST, EU AI Act, OECD and ISO 42001

By Daman David Pant May 2026 12 min read

There is no single global standard for AI governance. Instead, organisations must navigate a patchwork of frameworks, regulations, and standards, each with different scope, authority, and requirements. For the AIGP exam, you need to know the four most important ones and be able to distinguish between them in scenario-based questions.

This guide covers the NIST AI RMF, EU AI Act, OECD AI Principles, and ISO 42001, with a side-by-side comparison and exam tips for each.

Quick Comparison Overview

Framework	Origin	Binding?	Scope	Primary Focus
EU AI Act	European Union	Yes (law)	Any AI affecting EU residents	Risk classification and legal compliance
NIST AI RMF	United States	Voluntary	Any organisation globally	Risk management process
OECD AI Principles	OECD (42 countries)	Voluntary	Governments and organisations	Values-based principles for trustworthy AI
ISO 42001	International (ISO)	Voluntary (certifiable)	Any organisation	AI management system standard

1. EU AI Act

Legally Binding

What it is

The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law. It classifies AI systems into four risk tiers and imposes legal obligations on providers and deployers based on risk level.

Core structure

Prohibited practices: outright bans on AI that poses unacceptable risk (social scoring, subliminal manipulation)
High-risk systems: conformity assessment, documentation, human oversight, registration
Limited risk: transparency obligations only (e.g. chatbots must disclose they are AI)
Minimal risk: no requirements

Who it applies to

Any organisation placing AI systems on the EU market or using AI in a way that affects EU residents, regardless of where the organisation is headquartered.

AIGP exam relevance

Heavily tested. You must know the risk tiers, prohibited practices, high-risk categories, and GPAI model rules. See our full EU AI Act guide.

2. NIST AI Risk Management Framework (AI RMF)

Voluntary

What it is

Published by the US National Institute of Standards and Technology in January 2023, the NIST AI RMF is a voluntary framework that helps organisations identify, assess, and manage AI risks throughout the AI lifecycle. It is widely adopted across sectors globally, not just in the US.

Core structure: the four functions

GOVERN: establish the culture, policies, and accountability structures for AI risk management
MAP: identify and categorise AI risks in context
MEASURE: analyse and assess identified risks using metrics and tools
MANAGE: prioritise and treat risks, implement responses, monitor outcomes

Key characteristics

Voluntary and flexible, not prescriptive
Applies to the full AI lifecycle
Emphasises trustworthiness across six properties: valid, reliable, safe, secure, explainable, fair, privacy-enhanced, and accountable
Includes an AI RMF Playbook with practical implementation guidance

AIGP exam relevance

You need to know the four core functions (Govern, Map, Measure, Manage) and the trustworthiness properties. Questions often ask you to identify which function a specific activity belongs to.

3. OECD AI Principles

Voluntary

What it is

Adopted in 2019 and updated in 2024, the OECD AI Principles were the first intergovernmental standard on AI, endorsed by 42 countries. They are values-based principles rather than a compliance framework.

The five principles

Inclusive growth and sustainable development: AI should benefit people and the planet
Human-centred values and fairness: AI must respect human rights and democratic values
Transparency and explainability: stakeholders should be able to understand AI outcomes
Robustness, security and safety: AI systems should function reliably and safely throughout their lifecycle
Accountability: AI actors should be responsible for proper functioning and respect of these principles

Key characteristics

High-level and principles-based, not operational
Aimed at governments and policy makers as well as organisations
Primary goal: balance innovation with preventing societal harms
Non-binding but widely referenced in national AI strategies

AIGP exam relevance

Often tested as a contrast to the EU AI Act. The OECD framework is broader and aspirational; the EU AI Act is specific and legally enforceable. Questions may ask you to identify the primary goal of the OECD framework (balancing harm prevention with fostering innovation).

4. ISO 42001

Certifiable Standard

What it is

Published in December 2023, ISO/IEC 42001 is the first international standard for AI management systems (AIMS). Like ISO 27001 for information security, it provides a certifiable framework that organisations can implement and have independently audited.

Core structure

Follows the standard ISO high-level structure (Plan-Do-Check-Act)
Requires organisations to establish an AI management system with defined policies, roles, and processes
Covers: AI policy, risk and impact assessment, operational controls, performance evaluation, and continual improvement
Includes annexes on AI risk management and AI system impact assessment

Key characteristics

Voluntary but certifiable by accredited bodies
Applies to any organisation that develops or uses AI
Complements the EU AI Act and NIST AI RMF rather than replacing them
Provides a management system layer on top of technical standards

AIGP exam relevance

Know that ISO 42001 is a management system standard (not a technical standard) and that it is certifiable. It is often tested alongside ISO 27001 comparisons and as a contrast to voluntary frameworks.

How They Work Together

These frameworks are not mutually exclusive. In practice, a well-governed organisation would typically:

Comply with the EU AI Act for legal obligations (if operating in or affecting the EU)
Use the NIST AI RMF as the operational framework for managing AI risk day to day
Align values and principles with the OECD AI Principles
Pursue ISO 42001 certification to demonstrate governance maturity to stakeholders

Exam tip: A common question asks which framework a specific activity belongs to. NIST is about process (Govern/Map/Measure/Manage). OECD is about principles. ISO 42001 is about management systems. EU AI Act is about legal compliance and risk classification.

Singapore Model AI Governance Framework

Worth mentioning as a fifth framework that appears in AIGP exam questions. Published by Singapore's IMDA and PDPC, it is a voluntary, practical framework focused on two core principles:

Internal governance: organisations should have clear accountability and human oversight
Human-centric AI: decisions that significantly affect individuals should have human review

It is most often tested as a contrast to the EU AI Act: Singapore's approach is voluntary and principles-based, while the EU's is mandatory and prescriptive.

Test your frameworks knowledge

Practice with 200 scenario-based AIGP questions covering all governance frameworks. Free, no payment needed.

Start Free Practice Quiz →

Top AI Governance Frameworks Compared: NIST, EU AI Act, OECD and ISO 42001

Quick Comparison Overview

1. EU AI Act

What it is

Core structure

Who it applies to

AIGP exam relevance

2. NIST AI Risk Management Framework (AI RMF)

What it is

Core structure: the four functions

Key characteristics

AIGP exam relevance

3. OECD AI Principles

What it is

The five principles

Key characteristics

AIGP exam relevance

4. ISO 42001

What it is

Core structure

Key characteristics

AIGP exam relevance

How They Work Together

Singapore Model AI Governance Framework

Test your frameworks knowledge

Related articles