
AI Governance Frameworks: NIST, ISO 42001, and EU AI Act Implementation

If your product reaches EU users, the EU AI Act applies — regardless of where you’re incorporated. Most companies registered in UAE, US, or Singapore discover this when an investor or enterprise client asks for proof of compliance. We select, adapt, and implement AI governance frameworks that satisfy regulators and close deals.
Typical engagement: 4–7 weeks
Jurisdictions covered: EU · US · Global
Who we work with: SaaS · Healthtech · Consulting

The gap between standards and practice

Framework overload

NIST AI RMF, ISO/IEC 42001, EU AI Act, OECD AI Principles — each framework has different scope, terminology, and requirements. Companies that try to implement all of them in parallel end up with duplicated documentation and no single source of truth.

Standards without context

Generic frameworks don't map to your product lifecycle, your team structure, or your regulatory obligations. A framework that lives in a PDF and doesn't connect to how you actually build and deploy AI is compliance theatre, not compliance.

Regional complexity

A US-headquartered company with EU operations needs to satisfy both NIST expectations and EU AI Act requirements — without creating parallel processes for every market. The solution is a modular framework with a global baseline and regional overlays.

No one owns AI governance internally

Legal says it’s a product problem. Product says it’s a legal problem. Engineering says no one gave them requirements. The EU AI Act requires designated roles, documented decision procedures, and an assigned representative in the EU — none of which can exist without someone being responsible first.

Your enterprise clients are already asking

EU enterprise clients now include AI Act compliance requirements in RFPs. Banks and insurers require AI governance documentation from vendors before signing contracts. Without a framework in place, the answer to “can you confirm EU AI Act compliance?” costs you the deal.

NIST AI RMF vs ISO 42001 vs EU AI Act: which applies to you?

Framework: NIST AI RMF
Type: Voluntary standard
Scope: Global (US origin)
Key focus: Risk management, trustworthiness, organisational practices
Who needs it: US companies, global enterprises seeking a best-practice baseline

Framework: ISO/IEC 42001
Type: Certifiable standard
Scope: Global
Key focus: AI management system, governance structure, lifecycle management
Who needs it: Companies seeking third-party certification, regulated industries

Framework: EU AI Act
Type: Mandatory regulation
Scope: EU market
Key focus: Risk classification, prohibited uses, high-risk obligations, transparency
Who needs it: Any company placing AI on the EU market or affecting EU persons

Framework: OECD AI Principles
Type: Policy framework
Scope: Global
Key focus: Responsible AI values, international alignment
Who needs it: Useful as an ethical baseline; not a compliance framework

Framework: Internal framework
Type: Custom
Scope: Your organisation
Key focus: Operational governance, team processes, documentation
Who needs it: All AI-deploying organisations, built on top of external standards

Most organisations need a combination: a voluntary standard (NIST or ISO 42001) as the operational backbone, with the EU AI Act as the mandatory regulatory layer for EU-market companies.

What's included

Framework benchmarking (NIST AI RMF, ISO 42001, EU AI Act, internal practices)
Framework selection and architecture recommendation
Gap analysis against current processes and documentation
Framework adaptation to your product lifecycle (SDLC integration)
Risk assessment and documentation checkpoints design
Annex IV-ready technical documentation templates
Model lifecycle management processes (data → training → validation → monitoring)
Logging and audit trail implementation guidance
Unified framework for multi-jurisdiction organisations (global baseline + regional overlays)
Governance artefacts (risk registers, model cards, compliance checklists)
Team rollout and training
Ongoing audit and compliance reporting setup
We work with both companies implementing a governance framework for the first time and organisations that have an existing framework and need to align it with EU AI Act requirements or prepare for ISO 42001 certification.

How it works

01 Benchmarking and selection (Week 1)

We assess your current processes, AI systems, and regulatory obligations. We compare applicable frameworks and recommend the right architecture — typically a hybrid approach with a primary standard and regulatory overlays.

02 Framework design (Weeks 2–3)

We adapt the selected framework to your organisation: mapping it to your product lifecycle, defining risk assessment checkpoints, and designing documentation requirements that are practical, not just compliant.

03 Documentation and artefacts (Weeks 3–5)

We produce the governance artefacts: risk registers, model cards, Annex IV templates, compliance checklists, and process documentation. For ISO 42001 paths, we prepare the management system documentation.

04 Rollout and audit readiness (Weeks 5–7)

We support implementation: team training, SDLC integration, audit trail setup, and a readiness assessment against your target standard or regulatory deadline.

How we've helped clients

SaaS · Germany: Hybrid NIST + EU AI Act framework for a B2B SaaS company

Enterprise SaaS company using OpenAI and self-hosted Mistral in B2B products. No unified governance framework, inconsistent documentation across teams, and EU AI Act Annex IV obligations unmet.

Framework benchmarking: NIST AI RMF vs ISO 42001 vs EU AI Act
Hybrid architecture: NIST as operational base + EU AI Act as regulatory layer
Risk assessment and documentation checkpoints embedded in SDLC
Annex IV-ready documentation templates across all product teams

Duration: 5 weeks
Outcome: unified governance, EU AI Act audit-ready

Healthtech · Sweden: ISO 42001 implementation for high-risk clinical AI systems

Medical technology company using AI for diagnostics and clinical decision support. High-risk classification under the EU AI Act, ISO certification path required, no existing audit trail or model lifecycle management.

ISO/IEC 42001 selected and implemented as primary framework
EU AI Act requirements integrated (risk management, human oversight, transparency)
Full model lifecycle processes: data → training → validation → monitoring
Logging, audit trail, and Annex IV documentation for regulators

Duration: 6–7 weeks
Outcome: certification-ready, regulator trust established

Consulting · US/EU: Unified global framework with EU regional overlay

Global consulting firm using OpenAI, Anthropic, and open-source models across US and EU teams. Fragmented governance approaches per region, no shared standard, growing EU compliance exposure.

NIST AI RMF benchmarked as global baseline
EU AI Act overlay for European operations
Modular framework: global processes + jurisdiction-specific requirements
Risk registers, model cards, and compliance checklists rolled out across all offices

Duration: 4–6 weeks
Outcome: unified global governance, simplified EU compliance

Frequently asked questions

NIST AI RMF (Risk Management Framework) is a voluntary US-origin framework focused on managing AI risks through four functions: Govern, Map, Measure, and Manage. It is widely adopted in the US and internationally as a best-practice baseline. ISO/IEC 42001 is a certifiable international standard for AI management systems — it follows the same structure as ISO 9001 and 27001, making it familiar to organisations already certified under those standards. The key difference: ISO 42001 can be independently certified by a third party; NIST AI RMF cannot. Both can be used alongside the EU AI Act.

Not exactly. The EU AI Act is a mandatory regulation that sets legal obligations — it tells you what you must do (classify AI systems, document high-risk systems, implement human oversight) but doesn't tell you how to organise your internal governance processes to meet those obligations. A governance framework (NIST, ISO 42001, or a custom internal framework) provides the operational structure. Think of the EU AI Act as the compliance destination and the governance framework as the map to get there.

ISO 42001 certification is not currently mandatory under the EU AI Act. However, it is increasingly expected in regulated industries (healthcare, financial services, critical infrastructure) and may become a procurement requirement from enterprise clients or public sector contracts. For high-risk AI systems, ISO 42001 certification provides a credible signal of governance maturity to regulators, auditors, and partners. We advise on whether certification is appropriate for your specific situation.

Annex IV sets out the technical documentation requirements for high-risk AI systems under the EU AI Act. It requires providers to document: the system's general description and intended purpose; the design and development process; the training, validation, and testing data; performance metrics and known limitations; human oversight measures; and post-market monitoring plans. This documentation must be maintained throughout the system's lifecycle and made available to national authorities on request. We prepare Annex IV-ready documentation templates as part of our framework engagements.

The key is mapping framework requirements to decision points that already exist in your SDLC — not creating a parallel compliance process. This typically means adding risk assessment checkpoints at the start of new AI features, documentation requirements at key milestones (design review, pre-launch), and monitoring requirements post-deployment. We design integrations that are proportionate to your team size and AI complexity, so compliance doesn't become a bottleneck.

Not separate frameworks — a modular approach. The most effective structure is a global baseline (typically NIST AI RMF) that covers risk management and organisational governance universally, with a regional overlay that adds EU AI Act-specific requirements for EU operations. This means EU teams work within the same framework as the rest of the organisation, but with additional documentation and oversight requirements where the regulation demands it. We design and implement this modular structure as a single coherent system.

For a focused engagement covering framework selection, adaptation, and documentation templates, typically 4–6 weeks. Larger organisations, or those pursuing ISO 42001 certification readiness, may require 8–12 weeks. The timeline depends primarily on the number of AI systems, the complexity of existing processes, and how much documentation needs to be created from scratch versus updated.

A governance framework requires ongoing maintenance — AI systems change, regulations evolve, and new use-cases emerge. We recommend quarterly reviews of the risk register, annual framework audits, and a process for evaluating new AI deployments against the framework before launch. We can support this on a retainer basis or train your internal team to manage it independently.

An enterprise client asked for EU AI Act compliance proof. Do you have it?

We’ll assess your current position and recommend the right framework in a single call — NIST, ISO 42001, EU AI Act, or a hybrid approach built for your organisation.
Or email us directly: info@wcr.legal