AI Governance Frameworks Compared: NIST AI RMF, ISO 42001, and UK DSIT
A plain-English comparison of the three main AI governance frameworks relevant to UK businesses: NIST AI RMF, ISO 42001, and the UK DSIT AI Governance Framework. Includes a decision table to help you choose.
The three main AI governance frameworks relevant to UK businesses are the NIST AI Risk Management Framework (US-origin, voluntary, comprehensive), ISO 42001 (international standard, certifiable, resource-intensive), and the UK DSIT AI Governance Framework (UK-specific, non-certifying, SME-accessible). For most UK SMEs, the DSIT framework is the right starting point. ISO 42001 is worth pursuing if enterprise clients require it. NIST AI RMF is best used as a reference document rather than an implementation target.
NIST AI Risk Management Framework
The NIST AI RMF was published by the US National Institute of Standards and Technology in January 2023. It organises AI risk management around four core functions:
- Govern: Establish the policies, processes, and accountability structures that create context for AI risk management across the organisation.
- Map: Identify and categorise AI risks relative to your specific context, use cases, and stakeholders.
- Measure: Analyse, assess, and track AI risks using quantitative and qualitative tools.
- Manage: Prioritise and address identified risks, and maintain risk responses over time.
The framework is thorough, well-structured, and widely referenced in academic and enterprise AI governance literature. Its weakness for UK SMEs is that it is primarily US-centric — it does not map directly onto UK GDPR obligations, the ICO's guidance on AI, or the UK's regulatory landscape. Implementing it in full is also a significant undertaking: the companion "Playbook" runs to hundreds of actions across the four functions.
Best used as: a comprehensive reference to benchmark your governance maturity, or as a framework if you have US enterprise clients who specifically require NIST alignment.
ISO 42001: AI Management Systems
ISO 42001 was published in December 2023 as the first international standard specifically for AI management systems. It follows the same "Annex SL" high-level structure used by ISO 27001 (information security) and ISO 9001 (quality management), which means businesses already certified to those standards will find the structure familiar.
The standard covers: AI governance and accountability, AI risk assessment, responsible AI development and deployment, supplier management, and continuous improvement. Certification requires a third-party audit by an accredited certification body — the same process as ISO 27001.
The main advantage of ISO 42001 is that certification is verifiable by external parties. If you supply large enterprise clients or public sector organisations that are starting to require AI governance certification in procurement, ISO 42001 provides that evidence. The disadvantage is cost and effort: preparing for and maintaining certification is substantially more demanding than implementing a self-assessed framework.
Best used as: a target if you are pursuing enterprise sales or public sector contracts where third-party verified AI governance is becoming a requirement. Not a practical starting point for a first-time governance programme.
UK DSIT AI Governance Framework
The UK Department for Science, Innovation and Technology published its AI Governance Framework as part of the government's pro-innovation approach to AI regulation. Unlike the EU AI Act, which imposes statutory obligations, the UK framework is currently non-statutory — it provides guidance aligned with the UK government's five AI principles:
- Safety, security, and robustness
- Appropriate transparency and explainability
- Fairness
- Accountability and governance
- Contestability and redress
The framework is designed to work alongside existing sector regulators (the ICO for data protection, the FCA for financial services, and so on) rather than creating a new AI-specific regulator. This makes it more accessible for SMEs — compliance with your existing regulatory obligations, plus some AI-specific documentation and risk assessment, covers most of the framework's requirements.
Best used as: the primary framework for UK SMEs. It is proportionate, does not require certification, and aligns with the regulatory environment you are already operating in.
EU AI Act: What UK businesses need to know
The EU AI Act is not a governance framework — it is regulation. But UK businesses need to understand it because it applies extraterritorially: if you deploy AI systems that affect EU residents, or if you sell AI-powered products or services into the EU market, you may be in scope regardless of being based in the UK.
The Act classifies AI systems by risk tier:
- Unacceptable risk: Prohibited outright (e.g., social scoring, real-time biometric surveillance in public spaces)
- High risk: Subject to significant requirements including conformity assessments, technical documentation, human oversight, and registration in an EU database (e.g., AI used in recruitment, credit scoring, biometric identification)
- Limited risk: Transparency obligations — for example, chatbots must disclose they are AI
- Minimal risk: No specific obligations, but good governance is recommended
Most SMEs using AI tools internally (drafting, summarising, coding assistance) will fall into the minimal or limited risk categories and have minimal direct obligations under the Act. If you use AI in HR decisions, credit assessment, or customer-facing automated decision-making, you need to assess your risk tier more carefully.
Decision table: which framework is right for you?
Use this to decide where to focus:
- UK SME, first governance programme, no certification pressure: UK DSIT framework + our 12-step checklist
- Selling to large enterprise or public sector clients: Start with DSIT, plan a path to ISO 42001 certification
- US-based or US-facing business: NIST AI RMF as primary framework
- Operating in or selling into the EU: Assess EU AI Act risk tier first, then layer DSIT or ISO 42001 on top
- Already ISO 27001 certified: ISO 42001 is a natural extension — both follow the same Annex SL management system structure
How Governably maps to these frameworks
Governably's exposure scanning and remediation engine is built around the controls that appear across all three frameworks: AI tool inventory (Govern/Map), data access assessment (Measure), policy enforcement and OAuth control (Manage), and credential exposure monitoring (safety and security). Running Governably gives you the evidence base needed to demonstrate compliance with whichever framework you choose — without manually building that evidence from scratch.
Frequently asked questions
What is the NIST AI Risk Management Framework?
The NIST AI RMF is a voluntary framework published by the US National Institute of Standards and Technology. It organises AI risk management into four functions: Govern, Map, Measure, and Manage. It is comprehensive but US-centric and requires significant effort to implement in full.
What is ISO 42001?
ISO 42001 is an international standard for AI management systems, published in December 2023. Certification requires a third-party audit by an accredited body, and the standard follows the same structure as ISO 27001, making it relevant for businesses already certified to that standard or pursuing enterprise procurement requirements.
What is the UK DSIT AI Governance Framework?
The UK DSIT AI Governance Framework is a non-statutory guidance framework published by the UK government. It is aligned with UK regulatory principles and does not require certification, making it the most accessible starting point for UK SMEs.
Does the EU AI Act apply to UK businesses?
The EU AI Act applies to businesses that place AI systems on the EU market or deploy AI systems affecting EU residents — regardless of where the business is based. UK businesses selling into the EU or operating there may be in scope and should assess their AI systems against the Act's risk classification system.