For most U.S. enterprises, the practical question isn't whether to align with the NIST AI Risk Management Framework (AI RMF) or ISO/IEC 42001 — it's how to do both without duplicating work, fragmenting controls, or running two parallel governance programs.
At Cichocki Advisory, we routinely help boards and risk committees crosswalk these two frameworks. The short version: NIST AI RMF gives you the operational language and risk taxonomy; ISO/IEC 42001 gives you the auditable management system. They're complementary, not competitive — but the integration is non-trivial.
What each framework actually does
NIST AI RMF is a voluntary risk-management framework organized around four functions: Govern, Map, Measure, Manage. Its strength is granularity at the risk and control level — the framework provides explicit profiles, characteristics of trustworthy AI, and crosswalks to other standards. It does not prescribe a management-system architecture.
ISO/IEC 42001:2023 is a certifiable AI management system standard. It uses the same Annex SL high-level structure as ISO 27001 and ISO 9001, which means it's optimized for organizations that already operate certified management systems and want a third-party-attestable AI governance layer. It prescribes how the management system should be governed, but is intentionally light on the AI-specific risk taxonomy.
Where they overlap
Both frameworks converge on the same fundamentals:
- Leadership accountability. Both require explicit AI governance ownership at the executive layer with documented decision rights.
- Risk identification and treatment. Both require systematic identification of AI-specific risks and documented treatment plans.
- Lifecycle controls. Both require controls that span data acquisition, model development, deployment, monitoring, and decommissioning.
- Stakeholder engagement. Both require structured engagement with affected parties — internal and external.
- Continual improvement. Both require feedback loops from operational AI back into governance.
Where they diverge
The divergence is where Cichocki Advisory engagements spend most of their time:
| Dimension | NIST AI RMF | ISO/IEC 42001 |
|---|---|---|
| Form | Voluntary risk framework + profiles | Certifiable management system |
| Adoption signal | Internal practice; no third-party attestation | Audit-ready certification |
| Risk granularity | High — explicit categories & subcategories | Lower — refers to risk; doesn't enumerate |
| Management-system overhead | Low | High (documented procedures, internal audits, management review) |
| U.S. regulatory traction | Strong (referenced by federal guidance) | Growing (especially regulated industries) |
| EU traction | Recognized | Strong (frequently cited in EU AI Act conformity discussions) |
How Cichocki Advisory recommends boards sequence the two
For most U.S. enterprises starting their AI governance journey, our recommendation is sequenced rather than parallel:
- Start with NIST AI RMF. Use it to build the internal vocabulary, identify your highest-risk AI use cases, and design controls with operational granularity. This is the work that makes board reporting credible.
- Layer ISO/IEC 42001 when you need third-party attestation. Most organizations don't need certification on day one. They need it when customers, regulators, or insurers start asking. Building the management-system architecture early — with ISO 42001 in mind — costs less than retrofitting.
- Crosswalk continuously. Maintain a single control library that maps each control to both frameworks. This is the artifact that prevents drift and lets you respond to either an internal NIST AI RMF self-assessment or an external ISO 42001 audit without rebuilding evidence.
Where the Cichocki Advisory governance framework fits
Our framework explicitly maps each control to both NIST AI RMF subcategories and ISO/IEC 42001 clauses. This crosswalk lives at the control level — not the framework level — because every real engagement we run reveals organization-specific gaps that one framework catches and the other misses.
Boards that adopt the Cichocki Advisory 90-day implementation roadmap reach a state where they can credibly answer either framework's questions in a board meeting — without needing the audit team to re-do the work.
What to do this week
If you're an executive or board member trying to figure out where to start:
- Inventory your AI use cases by risk tier — not just sensitivity, but autonomy and consequence.
- Map your existing controls to both NIST AI RMF subcategories and ISO/IEC 42001 clauses. You'll find more coverage than you expected, and very specific gaps.
- Decide on attestation timing. If you need ISO certification within 12 months, the management-system work has to start now. If you don't, NIST AI RMF self-assessment is enough for this fiscal year.
- Document the decision. Whatever you choose, make sure the board has it on record with rationale, success criteria, and review cadence.
If you'd like to discuss how this maps to your specific environment, book a discovery call.
Work with Cichocki Advisory
Cichocki Advisory provides board-ready AI governance, AI strategy, and platform architecture for executives navigating enterprise AI transformation. Engagements work under NDA with scoped, time-limited credentials.
Book Advisory Call →