Standards at a glance
A one-screen comparison of everything tracked in this library. Use it to decide which standard applies to a given concern, then open the standard's page for detail. Plain-language explanations and audit checklists live on each page.
| Standard | Type | Binding? | Body / jurisdiction | Current status | What it governs |
|---|---|---|---|---|---|
| NIST AI RMF | Voluntary framework | No | NIST · USA | RMF 1.0 (2023) + GenAI Profile (2024) | AI risk across the lifecycle (GOVERN · MAP · MEASURE · MANAGE) |
| ISO/IEC 42001 | Management-system standard | Voluntary, certifiable | ISO/IEC · international | 2023, current | How your organisation runs AI responsibly (an AIMS) |
| ISO/IEC 23894 | Guidance standard | No (guidance) | ISO/IEC · international | 2023, current | How to manage AI risk (companion to ISO 31000) |
| EU AI Act | Regulation (law) | Yes | EU | Reg. 2024/1689; phased — high-risk deferred to 2027/28 (Digital Omnibus) | Risk-tiered obligations on AI systems + GPAI models |
| DORA | Regulation (law) | Yes | EU · financial sector | Reg. 2022/2554; applies since 2025-01-17 | Digital operational resilience; ICT & third-party risk |
| UK AI White Paper | Policy framework | No (principles, sector-led) | United Kingdom | 2023 White Paper + 2024 response | Five cross-cutting principles applied by existing regulators |
| CSA Agentic Profile | Profile (draft) | No (voluntary) | Cloud Security Alliance | Lab Space draft v1 (early 2026) | Agentic-AI extension of the NIST AI RMF |
| Berkeley CLTC | Research / thresholds | No (research) | UC Berkeley | White papers 2025–2026 | "Intolerable-risk" and AI-enabled cyber-threat thresholds |
| NIST ITL Standards Landscape | Meta-source / inventory | — | NIST | Ongoing (2026 briefing) | A map of the global AI standards landscape |
How to read this
- Binding law (EU AI Act, DORA) carries hard obligations and penalties. The others are voluntary — but they are how you demonstrate you meet the law, and clients and regulators increasingly expect them.
- Management system vs framework vs guidance: ISO/IEC 42001 certifies the organisation; NIST AI RMF gives the risk vocabulary; ISO/IEC 23894 gives the how-to. Most programmes use all three together.
- One control set, many standards: in practice you map a single set of controls (risk classification, model cards, oversight, monitoring) onto whichever standards apply — see each page's Cross-Framework Mapping.
Scope & disclaimer
This comparison tracks metadata and structure, not the standards' full text. It is general information, not legal advice; confirm against each primary source (linked on every page).