ISO/IEC 42001 is an auditable management system standard: you build the system, an accredited body certifies it. The NIST AI RMF is guidance, four functions that structure how you think about AI risk, with no certificate at the end. Many teams use one to run the program and the other to prove it.
| Dimension | ISO/IEC 42001 | NIST AI RMF |
|---|---|---|
| Type | Management system standard | Voluntary risk framework |
| Origin | International (ISO/IEC) | United States (NIST) |
| Certifiable | Yes, by an accredited body | No, self-attested |
| Structure | Management system clauses plus AI controls | Four functions: Govern, Map, Measure, Manage |
| Best when | Customers or regulators want a certificate | You want a practical structure for AI risk |
| Northbeams role | Evidence layer for the controls | Real data for each function |
They are not rivals. A common pattern is to run the NIST AI RMF as the operating model and pursue ISO 42001 when a customer or regulator wants proof on paper.