AI Regulation Tracker / Standards
NIST hosts a community-contributed crosswalk mapping the AI RMF to ISO/IEC 42001
A crosswalk hosted on NIST's Trustworthy and Responsible AI Resource Center lines up each AI Risk Management Framework outcome with the clauses and controls of ISO/IEC 42001, the first certifiable AI management system standard. Compliance teams can use it to run one governance program instead of two.
NIST's Trustworthy and Responsible AI Resource Center publishes a crosswalk that lines up its AI Risk Management Framework with ISO/IEC 42001, the first certifiable AI management system standard. The document, titled "NIST AI RMF to ISO/IEC FDIS 42001 AI Management system Crosswalk," is a two-column mapping table. On the left sit the AI RMF outcomes. On the right sit the matching clauses and Annex controls of ISO/IEC 42001. For a compliance leader, the practical value is direct. The two most cited AI governance references now have a published translation layer between them.
What the crosswalk actually is
The crosswalk is a mapping table, not a regulation and not a new framework. It takes each AI RMF outcome, such as Govern 1.1, "Legal and regulatory requirements involving AI are understood, managed, and documented," and points to the ISO/IEC 42001 provisions that cover the same ground. In that example the mapping cites clause 4.1, "Understanding the organization and its context," clause 6.2 on AI objectives and planning, and Annex controls B.2.2, "AI policy," and B.2.4, "Review of the AI policy." Risk management outcomes map similarly. Govern 1.3 points to clause 6.1.2, "AI risk assessment," and clause 6.1.3, "AI risk treatment." The mapping is community-contributed and provided by Microsoft, and NIST hosts it alongside its other AI RMF crosswalks.
Why the pairing matters
The AI RMF is voluntary guidance. An organization can adopt it, but no one issues a certificate for doing so. ISO/IEC 42001 is different in kind. It is a management system standard, structured like ISO/IEC 27001 for information security, and an accredited body can audit an organization against it and issue a certificate. That certification is the piece the AI RMF cannot provide on its own. The crosswalk connects the framework many US teams already use to the standard that produces an auditable, third-party credential. It also gives a US-centered program a defensible line to an international standard, which matters for firms selling into markets where buyers expect a recognized certification rather than an internal attestation.
The consolidation case
Running separate programs for the AI RMF, ISO/IEC 42001, and the EU AI Act creates duplicate documentation, duplicate reviews, and conflicting evidence. Each program tends to grow its own policies, its own risk register, and its own reporting cadence, which multiplies the work of every audit. Because the crosswalk shows where the AI RMF and ISO/IEC 42001 overlap, a compliance team can treat them as one control set with one audit trail. Work done for the RMF, including risk assessments, policies, and monitoring records, becomes reusable evidence toward certification. In market terms, ISO/IEC 42001 certification is starting to function as a contractual and insurance prerequisite in enterprise procurement, a reading that reflects vendor and buyer behavior rather than any statement by NIST. That analysis, not the crosswalk itself, is what should drive the decision to consolidate.
What it does not do
The crosswalk does not make either reference mandatory, and it does not certify anything. Mapping an AI RMF outcome to an ISO/IEC 42001 clause shows conceptual alignment. It does not prove your implementation satisfies the standard, which only an accredited audit can establish. The mapping also carries a version note. Its title references FDIS 42001, the final draft that preceded the published ISO/IEC 42001:2023, so users should confirm each cited clause against the final text before relying on it. And because the mapping is community-contributed rather than a formal NIST standard, it should be checked against your own reading of both references rather than accepted line for line. Treat the document as a planning aid, not as compliance evidence.
The practical standard for teams
For a compliance or risk leader, the takeaway is a sequence, not a slogan. Start from the AI RMF work you already have. Use the crosswalk to see which ISO/IEC 42001 clauses that work already touches. Identify the gaps the standard adds, most notably a formal AI policy, defined management responsibilities, and periodic management review. Then build one evidence set that can support self-attestation today and third-party certification when a customer or insurer asks for it. Running the AI RMF and ISO/IEC 42001 as a single stack, rather than as siloed projects, is the efficient path, and the crosswalk is the map that makes it workable.
Frequently Asked Questions
What did NIST publish?
NIST's AI Resource Center hosts a crosswalk that maps each outcome of the AI Risk Management Framework to the matching clauses and Annex controls of ISO/IEC 42001. It is a two-column mapping table, community-contributed and provided by Microsoft. It is a planning reference, not a rule.
Who is affected by this?
Compliance and governance leaders, CISOs, risk officers, internal audit teams, and vendors that need an AI certification to win procurement or enterprise deals. Any organization that already uses the AI RMF and is weighing ISO/IEC 42001 certification is the core audience.
Is ISO/IEC 42001 really the first certifiable AI standard?
Yes. ISO/IEC 42001, published in December 2023, is the first AI management system standard against which an accredited body can audit an organization and issue a certificate. The AI RMF, by contrast, is voluntary guidance with no certification mechanism.
Does using the crosswalk mean my organization is compliant or certified?
No. The crosswalk shows where the two references align conceptually. It does not prove your controls meet the standard. Only an accredited third-party audit can certify conformity to ISO/IEC 42001. Confirm the cited clauses against the published ISO/IEC 42001:2023 text, since the crosswalk references the earlier final draft.
What is the single most useful first step?
Download the crosswalk and map your current AI RMF evidence to the ISO/IEC 42001 clauses it lists. That inventory shows which certification requirements you already satisfy and which gaps, such as a formal AI policy and management review, you still need to close.
Sponsored Training
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any rule applies to your situation with qualified counsel.