Compare AI risk management frameworks from NIST and beyond

While NIST is the most widely used, it's just one of the frameworks available today that can help manage the risks associated with AI.

More organizations than ever are using AI, but for those who want to incorporate it responsibly, it can be difficult to identify emerging risks. Luckily, several frameworks are available for assessing and managing AI risks.

Today, the framework most often used in AI system planning was created by the National Institute of Standards and Technology (NIST). The NIST AI Risk Management Framework can be used in conjunction with other frameworks, but some organizations might opt out of using the NIST AI RMF completely.

It is important to note that the NIST AI RMF is voluntary; it serves as guidance for managing AI risk rather than a mandated standard. Depending on the industry, some organizations might be obligated to follow other frameworks to meet specific compliance requirements. While the NIST AI RMF is designed for government applications, it can be applied to private sector organizations as well.

NIST is currently the industry standard, but it's not the only option. To get a better idea of which AI risk management framework is best for your organization, consider the options below in addition to—or in lieu of—NIST.

Key criteria in the NIST AI RMF

There are four core functions of the NIST AI RMF: Govern, Map, Measure and Manage. This article will use these elements as a baseline to compare NIST with other frameworks.

  • The Govern function includes creating a culture of risk management for AI systems and technology, procedures to manage risk in AI systems, guidelines to align risk with business requirements, and guidance on deploying AI systems and managing the AI system lifecycle.
  • Map defines how to identify and address risks to AI systems across the AI lifecycle.
  • Measure describes qualitative, quantitative and other methods of assessing, evaluating and monitoring AI risks, including testing and performance assessments.
  • Manage defines how to monitor, evaluate and respond to AI risks as defined in the Govern function.

Standards, regulations and frameworks for AI

The following are standards, regulations and frameworks that address AI risk. The frameworks included are either closely or peripherally aligned with the NIST AI RMF functions. Each is designed to establish an optimum environment for the deployment of AI systems and technology.

1. ISO/IEC 42001:2023

The ISO/IEC 42001:2023 Information Technology – Artificial Intelligence – Management System standard defines the requirements for building an AI management system and has specific compliance requirements. It is similar in structure to ISO 27001 (information security) and ISO 9001 (quality management). Its requirements include developing policies, governance rules, and incident response activities.

This standard is structured to be audited, addresses risk, provides a management system and aligns with NIST's four core functions.

2. EU AI Act

Adopted in 2024, the EU AI Act is the first risk-based regulation specifically aimed at AI systems and technology that affect people in the EU, regardless of where the technology was developed. Risk is organized into four tiers based on the impact of the technology in a variety of situations. It aligns with GDPR and the EU Cyber Resilience Act. Penalties for non-compliance can include fines and litigation.

Unlike NIST, the EU AI Act mandates compliance. However, the NIST AI RMF can provide guidance for achieving compliance with the EU AI Act.

3. Financial Services AI Risk Management Framework

Developed by the Cyber Risk Institute (CRI), this sector-specific framework addresses risks associated with AI systems for banks, insurance companies and other financial entities. It aligns with financial regulations from the OCC, FDIC and Federal Reserve.

The framework maps closely to the NIST AI RMF, but with a focus on financial institutions.

4. IEEE Ethically Aligned Design (EAD)

This framework emphasizes accountability and ethics in AI system development, with less focus on risk issues.

The IEEE EAD framework maps most closely to the NIST Govern function.

5. MITRE’s Sensible Regulatory Framework for AI Security

This risk-based framework has a specific focus on managing cybersecurity risks associated with AI, and addresses data protection, resilience and technology integrity.

The framework is complementary to the NIST Measure and Manage functions.

6. Google Secure AI Framework (SAIF)

This vendor-developed risk-based framework has a specific focus on managing AI-based cybersecurity risks across the AI lifecycle.

SAIF is complementary to the NIST Manage function and has a greater emphasis on technology and engineering requirements.

7. COSO Enterprise Risk Management framework

This risk-based framework from COSO (Committee of Sponsoring Organizations) focuses on risks associated with AI systems as part of an overall enterprise risk management program.

This framework is complementary to the NIST Govern function and places more emphasis on AI governance issues.

Paul Kirvan, FBCI, CISA, is an independent consultant and technical writer with more than 35 years of experience in business continuity, disaster recovery, resilience, cybersecurity, GRC, telecom and technical writing.
