Standards at a glance

A one-screen comparison of everything tracked in this library. Use it to decide which standard applies to a given concern, then open the standard's page for detail. Plain-language explanations and audit checklists live on each page.

| Standard | Type | Binding? | Body / jurisdiction | Current status | What it governs |
|---|---|---|---|---|---|
| NIST AI RMF | Voluntary framework | No | NIST · USA | RMF 1.0 (2023) + GenAI Profile (2024) | AI risk across the lifecycle (GOVERN · MAP · MEASURE · MANAGE) |
| ISO/IEC 42001 | Management-system standard | Voluntary, certifiable | ISO/IEC · international | 2023, current | How your organisation runs AI responsibly (an AIMS) |
| ISO/IEC 23894 | Guidance standard | No (guidance) | ISO/IEC · international | 2023, current | How to manage AI risk (companion to ISO 31000) |
| EU AI Act | Regulation (law) | Yes | EU | Reg. 2024/1689; phased — high-risk deferred to 2027/28 (Digital Omnibus) | Risk-tiered obligations on AI systems + GPAI models |
| DORA | Regulation (law) | Yes | EU · financial sector | Reg. 2022/2554; applies since 2025-01-17 | Digital operational resilience; ICT & third-party risk |
| UK AI White Paper | Policy framework | No (principles, sector-led) | United Kingdom | 2023 White Paper + 2024 response | Five cross-cutting principles applied by existing regulators |
| CSA Agentic Profile | Profile (draft) | No (voluntary) | Cloud Security Alliance | Lab Space draft v1 (early 2026) | Agentic-AI extension of the NIST AI RMF |
| Berkeley CLTC | Research / thresholds | No (research) | UC Berkeley | White papers 2025–2026 | "Intolerable-risk" and AI-enabled cyber-threat thresholds |
| NIST ITL Standards Landscape | Meta-source / inventory | | NIST | Ongoing (2026 briefing) | A map of the global AI standards landscape |

How to read this

  • Binding law (EU AI Act, DORA) carries hard obligations and penalties. The others are voluntary — but they are how you demonstrate you meet the law, and clients and regulators increasingly expect them.
  • Management system vs framework vs guidance: ISO/IEC 42001 certifies the organisation; NIST AI RMF gives the risk vocabulary; ISO/IEC 23894 gives the how-to. Most programmes use all three together.
  • One control set, many standards: in practice you map a single set of controls (risk classification, model cards, oversight, monitoring) onto whichever standards apply — see each page's Cross-Framework Mapping.

Scope & disclaimer

This comparison tracks metadata and structure, not the standards' full text. It is general information, not legal advice; confirm against each primary source (linked on every page).