February 26, 2026
AI Safety Regulation Geopolitics EN / FR
INHUMAIN.AI
The Watchdog Platform for Inhuman Intelligence
Documenting What Happens When Intelligence Stops Being Human
AI Incidents (2026): 847 ▲ +23% | Countries with AI Laws: 41 ▲ +8 YTD | HUMAIN Partnerships: $23B ▲ +$3B | EU AI Act Fines: €14M ▲ New | AI Safety Funding: $2.1B ▲ +45% | OpenAI Valuation: $157B ▲ +34% | AI Job Displacement: 14M ▲ +2.1M | HUMAIN Watch: ACTIVE 24/7 | AI Incidents (2026): 847 ▲ +23% | Countries with AI Laws: 41 ▲ +8 YTD | HUMAIN Partnerships: $23B ▲ +$3B | EU AI Act Fines: €14M ▲ New | AI Safety Funding: $2.1B ▲ +45% | OpenAI Valuation: $157B ▲ +34% | AI Job Displacement: 14M ▲ +2.1M | HUMAIN Watch: ACTIVE 24/7 |
REGULATION

AI Governance Frameworks Compared: NIST vs ISO vs IEEE vs OECD

Comprehensive comparison of the four major AI governance frameworks — NIST AI RMF, ISO 42001, IEEE 7000, and OECD AI Principles. Structure, requirements, certification, and practical adoption guidance.

INHUMAIN.AI Editorial · February 26, 2026 · 16 min read

Organizations building or deploying AI systems face a fundamental governance question: which framework should guide their approach to responsible AI? Four frameworks dominate the global landscape, each with different origins, structures, and practical applications. This guide provides a detailed comparison to help organizations make informed decisions.

Framework Overview

Dimension NIST AI RMF ISO/IEC 42001 IEEE 7000 OECD AI Principles
Full Name AI Risk Management Framework 1.0 AI Management System Standard Standard for Ethics in Autonomous and Intelligent Systems Recommendation on AI
Published January 2023 December 2023 September 2021 May 2019 (updated 2024)
Publisher US National Institute of Standards and Technology International Organization for Standardization Institute of Electrical and Electronics Engineers Organisation for Economic Co-operation and Development
Type Voluntary framework Certifiable standard Technical standard International principles
Binding No No (voluntary certification) No No (but referenced in legislation)
Scope US-focused, globally applicable International International International (46 endorsing countries)
Cost Free Paid standard Paid standard Free
Certification No formal certification Yes (third-party audit) No formal certification No formal certification

NIST AI Risk Management Framework 1.0

Origin and Purpose

The NIST AI RMF was developed under a congressional mandate (National AI Initiative Act of 2020) and published in January 2023 after an extensive multi-stakeholder process. It is designed to help organizations manage risks associated with AI systems throughout their lifecycle. While developed by a US government agency, the framework has been widely adopted internationally.

Structure: The Four Core Functions

The AI RMF is organized around four hierarchical functions, each containing categories and subcategories:

1. GOVERN (GV)

The Govern function establishes the organizational context for AI risk management. It is cross-cutting — it informs and is informed by the other three functions.

  • GV-1: AI risk management policies, processes, and procedures are in place, transparent, and implemented effectively
  • GV-2: Accountability structures are in place so that the appropriate teams and individuals are empowered, responsible, and trained for mapping, measuring, and managing AI risks
  • GV-3: Workforce diversity, equity, inclusion, and accessibility processes are prioritized in AI risk management
  • GV-4: Organizational teams are committed to a culture of AI risk management
  • GV-5: Processes are in place for engagement with relevant AI actors
  • GV-6: Policies and procedures are in place to address AI risks and benefits arising from third-party software and data

2. MAP (MP)

The Map function establishes the context to frame risks. It includes understanding the AI system’s purpose, its potential impacts, and the stakeholders involved.

  • MP-1: Context is established and understood
  • MP-2: Categorization of the AI system is performed
  • MP-3: AI system benefits and costs are defined
  • MP-4: Risks and impacts are characterized
  • MP-5: Impacts to individuals, groups, communities, organizations, and society are characterized

3. MEASURE (MS)

The Measure function uses quantitative, qualitative, or mixed methods to analyze, assess, monitor, and benchmark AI risks.

  • MS-1: Appropriate methods and metrics are identified and applied
  • MS-2: AI systems are evaluated for trustworthy characteristics
  • MS-3: Mechanisms for tracking identified AI risks over time are in place
  • MS-4: Feedback about efficacy of measurement is gathered and acted upon

4. MANAGE (MG)

The Manage function allocates resources to mapped and measured risks on a regular basis and as defined by the GOVERN function.

  • MG-1: AI risks based on the risk assessments and other analytical output from the MAP and MEASURE functions are prioritized, responded to, and managed
  • MG-2: Strategies to maximize AI benefits and minimize negative impacts are planned, prepared, implemented, documented, and informed by input from relevant AI actors
  • MG-3: AI risks and benefits from third-party entities are managed
  • MG-4: Risk treatments, including response and recovery, and communication plans for the identified and measured AI risks are documented and monitored regularly

NIST Generative AI Profile (2024)

In July 2024, NIST published the Generative AI Profile (NIST AI 600-1), extending the AI RMF specifically for generative AI risks. It identifies twelve risk areas unique to or heightened by generative AI:

  1. CBRN Information (Chemical, Biological, Radiological, Nuclear)
  2. Confabulation (hallucination)
  3. Data Privacy
  4. Environmental (energy and resource consumption)
  5. Human-AI Configuration
  6. Information Integrity
  7. Information Security
  8. Intellectual Property
  9. Obscene, Degrading, and/or Abusive Content
  10. Toxicity, Bias, and Homogenization
  11. Value Chain and Component Integration
  12. Harmful Bias and Homogenization

Practical Adoption

Strengths:

  • Free and publicly available
  • Flexible and risk-based (scalable to organization size)
  • Referenced by US federal agencies and state legislation (Colorado AI Act)
  • Extensive companion resources (playbook, profiles, crosswalks)
  • No certification overhead

Limitations:

  • Voluntary — no enforcement mechanism
  • US-centric language and examples (though globally applicable)
  • Does not provide specific technical requirements
  • No certification to demonstrate compliance to third parties

ISO/IEC 42001: AI Management System Standard

Origin and Purpose

ISO/IEC 42001:2023 is the first international standard specifying requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS). Published in December 2023 by the International Organization for Standardization and the International Electrotechnical Commission, it follows the Annex SL harmonized structure used by other ISO management system standards (ISO 27001 for information security, ISO 9001 for quality management).

Structure

ISO 42001 follows the standard ISO management system structure:

Clause 4: Context of the Organization

  • Understanding the organization and its context
  • Understanding the needs and expectations of interested parties
  • Determining the scope of the AIMS
  • AI management system requirements

Clause 5: Leadership

  • Leadership and commitment
  • AI policy
  • Organizational roles, responsibilities, and authorities

Clause 6: Planning

  • Actions to address risks and opportunities
  • AI objectives and planning to achieve them
  • AI risk assessment
  • AI impact assessment
  • Planning of changes

Clause 7: Support

  • Resources
  • Competence
  • Awareness
  • Communication
  • Documented information

Clause 8: Operation

  • Operational planning and control
  • AI risk assessment (operational)
  • AI impact assessment (operational)
  • AI system lifecycle processes

Clause 9: Performance Evaluation

  • Monitoring, measurement, analysis, and evaluation
  • Internal audit
  • Management review

Clause 10: Improvement

  • Continual improvement
  • Nonconformity and corrective action

Annexes

Annex A: Reference Control Objectives and Controls Provides a set of AI-specific controls organized around:

  • AI policies
  • Internal organization
  • Resources for AI systems
  • Assessing impacts of AI systems
  • AI system lifecycle
  • Data for AI systems
  • Information for interested parties
  • Use of AI systems
  • Third-party and customer relationships

Annex B: Implementation Guidance Detailed guidance on implementing each Annex A control.

Annex C: Potential AI-Related Organizational Objectives and Risk Sources Reference material for risk assessment.

Annex D: Use of the AI Management System Across Domains and Sectors Guidance on sector-specific application.

Certification

ISO 42001 is the only major AI governance framework that offers formal third-party certification. Certification involves:

  1. Stage 1 Audit: Document review to assess readiness
  2. Stage 2 Audit: On-site assessment of AIMS implementation and effectiveness
  3. Certification Decision: Based on audit findings
  4. Surveillance Audits: Annual audits to maintain certification
  5. Recertification: Full recertification every three years

Certification bodies: Multiple accredited certification bodies worldwide offer ISO 42001 certification.

Practical Adoption

Strengths:

  • Internationally recognized standard
  • Formal certification provides third-party verification
  • Compatible with existing ISO management systems (27001, 9001)
  • Provides specific controls and objectives
  • Framework for continuous improvement

Limitations:

  • Paid standard (must purchase the document)
  • Certification is costly and time-consuming
  • Management system overhead may be excessive for small organizations
  • Relatively new — limited case studies and audit experience
  • Does not prescribe specific technical AI requirements

IEEE 7000: Standard Model Process for Addressing Ethical Concerns During System Design

Origin and Purpose

IEEE 7000-2021 provides a process for integrating ethical considerations into the design and development of autonomous and intelligent systems. Unlike NIST AI RMF (risk management) and ISO 42001 (management system), IEEE 7000 focuses specifically on the design process — how to identify, analyze, and embed ethical values into system architecture.

Structure: The Five-Phase Process

Phase 1: Concept Exploration

  • Identify the societal context of the system
  • Identify direct and indirect stakeholders
  • Establish an Ethical Review Board or equivalent oversight mechanism
  • Define the system’s ethical context and constraints

Phase 2: Ethical Requirements and Risk Analysis

  • Elicit ethical values from stakeholders
  • Prioritize values when conflicts arise
  • Analyze ethical risks associated with the system
  • Translate values into ethical requirements (EVRs — Ethical Value Requirements)
  • Document the ethical analysis in an Ethical Requirements Specification

Phase 3: Ethical Requirements into System Requirements

  • Decompose ethical value requirements into system-level requirements
  • Ensure traceability from ethical values to technical specifications
  • Validate that system requirements adequately address ethical requirements

Phase 4: Ethical Design and Development

  • Implement system requirements with ethical considerations integrated
  • Conduct ethical reviews at design milestones
  • Apply value-sensitive design methods
  • Document ethical design decisions and trade-offs

Phase 5: Ethical Verification and Validation

  • Verify that the system meets its ethical requirements
  • Validate that the system achieves its intended ethical outcomes in practice
  • Conduct stakeholder feedback sessions
  • Document verification and validation results
  • Plan for ethical monitoring during operation

Key Concepts

Value Prioritization: IEEE 7000 provides a structured method for prioritizing competing values. When transparency conflicts with privacy, or safety conflicts with autonomy, the standard provides a deliberative process for making and documenting these trade-offs.

Ethical Value Requirements (EVRs): The standard introduces EVRs as a formal artifact — a documented, traceable requirement that links an ethical value to a specific system design decision.

Transparency Portfolio: IEEE 7000 requires maintaining a transparency portfolio — a collection of documents that enables stakeholders to understand how ethical considerations shaped the system.

Practical Adoption

Strengths:

  • Unique focus on design-phase integration of ethics
  • Provides concrete process steps (not just principles)
  • Strong stakeholder engagement methodology
  • Systematic value prioritization framework
  • Emphasis on traceability from values to design

Limitations:

  • Complex and process-heavy for smaller projects
  • Less known than NIST or ISO frameworks
  • No certification program
  • Limited tooling and automation support
  • Academic orientation may challenge practical implementation teams

OECD AI Principles

Origin and Purpose

The OECD Recommendation on Artificial Intelligence was adopted in May 2019, making it the first intergovernmental standard on AI. It was updated in May 2024 to reflect developments in generative AI and advanced AI systems. As of 2026, it has been endorsed by 46 countries.

Structure

The OECD AI Principles are organized into two sections:

Section 1: Principles for Responsible Stewardship of Trustworthy AI (Five Principles)

1. Inclusive Growth, Sustainable Development, and Well-being AI should benefit people and the planet by driving inclusive growth, sustainable development, and well-being. Stakeholders should proactively engage in responsible stewardship of trustworthy AI in pursuit of beneficial outcomes for people and the planet.

2. Human-Centred Values and Fairness AI actors should respect the rule of law, human rights, democratic values, and diversity, and should include appropriate safeguards to ensure a fair and just society. AI systems should be designed to respect human autonomy and enable meaningful human oversight.

3. Transparency and Explainability AI actors should commit to transparency and responsible disclosure regarding AI systems. They should provide meaningful information about AI systems, appropriate to the context and consistent with the state of the art.

4. Robustness, Security, and Safety AI systems should function in a robust, secure, and safe way throughout their lifecycle. Potential risks should be continually assessed and managed, including through traceability and appropriate risk management.

5. Accountability AI actors should be accountable for the proper functioning of AI systems and for the respect of the above principles, based on their roles, the context, and consistent with the state of the art.

Section 2: Recommendations to Governments (Five Recommendations)

  1. Invest in AI research and development
  2. Foster a digital ecosystem for AI
  3. Shape an enabling policy environment for AI
  4. Build human capacity and prepare for labor market transformation
  5. International cooperation for trustworthy AI

OECD AI Policy Observatory

The OECD maintains the AI Policy Observatory, which tracks AI policies across member and partner countries. This database provides comparative analysis of national AI strategies, legislation, and governance approaches.

Practical Significance

Strengths:

  • Broadest international endorsement (46 countries)
  • Referenced in national legislation and policy documents worldwide
  • Provides common vocabulary for international AI governance
  • Regularly updated to reflect technological developments
  • Free and publicly accessible

Limitations:

  • High-level principles without specific implementation guidance
  • No enforcement mechanism or compliance verification
  • Non-binding on endorsing countries
  • Does not provide technical or operational requirements
  • Must be supplemented with more detailed frameworks for practical implementation

Comparative Analysis

Scope and Focus

Dimension NIST AI RMF ISO 42001 IEEE 7000 OECD
Primary Focus Risk management Management system Ethical design International principles
Lifecycle Coverage Full lifecycle Full lifecycle Design and development Not lifecycle-specific
Technical Depth Moderate Moderate High (for ethics) Low
Organizational Depth Moderate High Low Low
Regulatory Alignment US state laws, federal guidance EU AI Act, ISO ecosystem Limited direct reference Referenced in EU AI Act, national strategies

Practical Considerations

Factor NIST AI RMF ISO 42001 IEEE 7000 OECD
Cost to Adopt Low High (standard + certification) Moderate (standard purchase) Zero
Implementation Effort Moderate High High Low
Third-Party Verification No Yes (certification) No No
SME Suitability High Low-Moderate Low High
Supply Chain Value Moderate High (certifiable) Low Low
Legal Recognition Growing (US) Growing (international) Limited Broad but non-binding

Which Framework When

Use NIST AI RMF when:

  • You need a flexible, scalable risk management approach
  • Your primary regulatory exposure is the United States
  • You want a free, well-documented framework with extensive companion resources
  • You need to demonstrate responsible AI practices without formal certification

Use ISO 42001 when:

  • You need certifiable, third-party verified AI governance
  • You already operate ISO management systems (27001, 9001)
  • Your customers or regulators require formal certification
  • You operate internationally and need a globally recognized standard
  • EU AI Act conformity assessment is a priority

Use IEEE 7000 when:

  • You are building new AI systems and want ethics integrated into the design process
  • You need structured methods for resolving value conflicts in system design
  • Your organization has a strong engineering culture and wants process-oriented ethical guidance
  • Stakeholder engagement in system design is a priority

Use OECD Principles when:

  • You need a high-level framework for organizational AI policy
  • You are engaging with international governance or policy discussions
  • You want to align your principles with the broadest international consensus
  • You need a starting point before adopting a more detailed framework

Using Multiple Frameworks Together

These frameworks are not mutually exclusive. Organizations with mature AI governance often use multiple frameworks in combination:

Common combinations:

  1. OECD Principles + NIST AI RMF: Adopt OECD Principles as organizational policy; implement NIST AI RMF as the operational risk management methodology
  2. NIST AI RMF + ISO 42001: Use NIST AI RMF for risk assessment methodology within an ISO 42001 management system
  3. ISO 42001 + IEEE 7000: Implement ISO 42001 as the organizational management system; apply IEEE 7000 processes during AI system design and development
  4. All four: Use OECD Principles as the policy foundation, IEEE 7000 during design, NIST AI RMF for risk management, and ISO 42001 as the certifiable management system wrapper

Crosswalk resources: NIST has published crosswalks mapping the AI RMF to ISO 42001, the EU AI Act, and other frameworks. These crosswalks identify where the frameworks overlap and where each adds unique requirements.

Relationship to Regulation

None of these frameworks is a law or regulation. However, they increasingly interact with binding legislation:

  • EU AI Act: References harmonised standards (developed through CEN/CENELEC, informed by ISO standards). Conformity with harmonised standards or common specifications provides a presumption of compliance with the Act’s requirements. ISO 42001 is positioned to support conformity assessment.
  • Colorado AI Act: References NIST AI RMF. Compliance with recognized frameworks provides an affirmative defense.
  • Singapore AI Verify: Testing framework that maps to NIST AI RMF and ISO standards.
  • UK AI Safety Institute: Evaluation methodologies informed by NIST and ISO approaches.

The trend is clear: voluntary frameworks are becoming the technical backbone of binding regulation. Organizations that adopt these frameworks now are positioning themselves for regulatory compliance in the future.

This comparison is maintained by INHUMAIN.AI. For related coverage, see our Global AI Regulation Tracker, EU AI Act Complete Guide, AI Audit Guide, and US AI Regulation Guide.

In This Article
Key Data Points
Frameworks Compared 4 major
Most Adopted NIST AI RMF
Only Certifiable ISO 42001
Most Endorsed OECD (46 countries)
Related Articles