NIST AI RMF 1.0 and ISO/IEC 42001:2023 are the two most widely adopted AI governance frameworks. These guides translate both from specification language into practical sprint-team actions and auditable artefacts.
Unlike the EU AI Act, NIST AI RMF and ISO 42001 are voluntary frameworks—but in practice they are increasingly referenced in procurement requirements, enterprise contracts, and regulatory guidance. The NIST AI RMF has been adopted as the de facto US standard and is referenced in US executive orders on AI. ISO/IEC 42001:2023 is the first certifiable AI management system standard and is being adopted by enterprise procurement as a baseline supplier requirement.
Both frameworks suffer from a documentation problem: they are written for senior governance audiences and organisational policy-setters, not for the engineers and product managers who have to implement them. These guides fix that.
The four NIST AI RMF functions translated into sprint-cycle artefacts. What the AI policy document must contain, how to write a context card per system, what metrics to actually track, and how a risk register integrates with your existing engineering workflow.
MEASURE is the most technically complex and least documented NIST AI RMF function. Concrete metrics for accuracy, fairness, robustness, and drift. Tools, threshold-setting methodology, monitoring cadence, and an AI System Scorecard template.
The complete clause-by-clause ISO/IEC 42001 checklist for the seven operational clauses (4–10), common audit findings, Annex A AI-specific controls, and the typical 6–12 month certification timeline from gap assessment to Stage 2 audit.
ISO/IEC 42001 and ISO/IEC 27001 both use the Annex SL framework. What carries over from your existing 27001 programme (risk methodology, audit, management review, document control) and what is genuinely new in 42001 (impact assessments, AI data quality controls, human oversight requirements).
Framework Quick Reference
NIST AI RMF 1.0
Published January 2023 by NIST
Four functions: GOVERN, MAP, MEASURE, MANAGE
Voluntary; no certification path
Referenced in US AI Executive Orders
Companion: AI RMF Playbook (subcategory-level guidance)
Sector profiles available (financial services, healthcare)