Compliance professionals working on AI governance frequently encounter both the NIST AI Risk Management Framework and the EU AI Act in the same conversation. They address overlapping concerns, use similar language in places, and both have become reference points for what responsible AI governance looks like. But they are very different in nature, and the question of whether an organisation needs to engage with both is worth answering carefully.
The fundamental distinction
The EU AI Act is a regulation. It is legally binding on organisations within its scope. Non-compliance carries enforceable penalties including fines, market access restrictions, and — for the most serious violations — bans on deploying specific AI systems. It is prescriptive in important ways: it defines specific obligations for specific risk categories, sets out documentation requirements in technical annexes, and establishes timelines by which certain obligations must be met.
The NIST AI RMF is a voluntary framework. Published by the US National Institute of Standards and Technology, it provides a structured approach to identifying, assessing, and managing AI risks, but it does not impose legal obligations. No regulator will fine an organisation for not following NIST AI RMF. The value of the framework is in its architecture and the shared vocabulary it provides for thinking about AI risk management.
This distinction matters for prioritisation. An organisation subject to the EU AI Act has non-negotiable compliance obligations. NIST AI RMF alignment is a choice — albeit an increasingly valued one.
What the EU AI Act requires that NIST AI RMF does not
The EU AI Act imposes specific, legally required obligations that have no direct equivalent in NIST AI RMF. These include the formal classification of AI systems against Annex III risk categories, the preparation of technical documentation meeting specific requirements, conformity assessments for high-risk systems before market placement, registration of high-risk systems in an EU-maintained public database, mandatory post-market monitoring, and serious incident reporting to national supervisory authorities.
NIST AI RMF does not require any of these. An organisation could be fully aligned with NIST AI RMF and still face significant EU AI Act non-compliance.
What NIST AI RMF offers that EU AI Act does not
The EU AI Act is primarily a compliance instrument. Its strength is in setting clear, enforceable minimum standards. Its limitation is that compliance with the Act does not, by itself, produce a mature AI governance programme. Organisations that focus exclusively on EU AI Act compliance risk building a documentation programme rather than a genuine risk management capability.
NIST AI RMF fills this gap. Its four core functions — GOVERN, MAP, MEASURE, MANAGE — provide a comprehensive lifecycle approach to AI risk management that goes beyond compliance documentation. The GOVERN function addresses the organisational infrastructure of AI governance — policies, roles, accountability structures, risk appetite — in ways that the EU AI Act's prescriptive requirements do not fully capture.
Do you need both?
For organisations with EU operations or EU customers: yes, in practical terms. The EU AI Act defines your minimum obligations. NIST AI RMF provides the framework for building the governance programme that makes sustainable compliance possible. Treating the EU AI Act as the ceiling rather than the floor is a strategic mistake.
For US-based organisations without EU exposure: the EU AI Act may not be directly applicable, but NIST AI RMF alignment is increasingly being requested by enterprise clients, the federal government, and financial sector buyers. ISO 42001, the international management system standard for AI, provides a third framework that aligns closely with NIST AI RMF and is gaining traction globally.
A practical alignment approach
The good news is that NIST AI RMF and the EU AI Act are largely complementary, and building governance around NIST AI RMF's architecture tends to generate much of what EU AI Act compliance requires as a byproduct.
A practical approach starts with the EU AI Act for organisations in scope — completing the classification and gap analysis that determines your specific obligations — and then uses NIST AI RMF as the operational framework for building the governance programme that will sustain and improve compliance over time. ISO 42001 can serve as the management system layer that integrates both, providing an auditable framework with a certification pathway for organisations that need to demonstrate AI governance credentials.
About the author
Sonia is a technology risk and AI governance leader with 12+ years of international consulting experience across PwC, EY, and KPMG, spanning London, East Africa, and the Middle East. She has led complex IT audit, controls testing, and data analytics engagements for major regulated institutions including Lloyds Banking Group, Prudential PLC, Shell, RELX Group, McDonald's, and Tesco. She founded VeridianTech Co. to make enterprise-quality AI governance accessible to mid-market organisations — the companies that need it most and have historically been priced out of it.

Sonia Kentaro
Founder & Principal AI Governance Advisor