June 4, 2026

EU AI Act vs NIST AI RMF: Key Differences and How to Navigate Both

Contributing Authors

Emily Lussier

For enterprises deploying AI at scale, the regulatory landscape has shifted from theoretical to operational. Two frameworks now dominate the conversation: the EU AI Act, which carries binding enforcement power, and NIST’s AI Risk Management Framework (AI RMF), which is shaping legal standards even without statutory mandate. Understanding how these frameworks differ—and where they converge—is essential for any organization building a defensible AI governance program.

The Fundamental Difference: Regulation vs. Standard of Care

The EU AI Act is law. It applies to any organization deploying AI systems that affect European users, customers, or partners—regardless of where the organization is headquartered. Non-compliance carries maximum fines of €35 million, and enforcement timelines are already active. This isn’t a future concern; it’s a present obligation.

NIST’s AI RMF, by contrast, is a voluntary framework. But that distinction is eroding faster than many organizations realize. As Richard Purdy, General Counsel at Airia, noted in a recent discussion: “We’ve seen courts already using NIST’s AI RMF to define the standard of care in negligence cases without even a statute requiring it.”

In the United States alone, three states are simultaneously pulling NIST standards into law with different legal weight: Texas offers safe harbor for compliance, Washington creates legal obligations to align, and California mandates disclosure. The same framework now carries different legal implications depending on where your users are located.

The practical implication is clear: treating NIST AI RMF as merely “nice to have” is becoming a liability.

Where the Frameworks Converge: Post-Deployment Monitoring

Perhaps the most significant shift both frameworks are driving is the move from pre-deployment gates to continuous post-deployment monitoring. Traditional AI governance focused on the deployment decision—impact assessments, risk classifications, and approval gates you pass through before launch. But as Andrew Clearwater, Chief Trust Officer at Airia, explains: “The governance function of the future isn’t a gate that you pass through. It’s a continuous process that runs the entire life of the system.”

A recent NIST report on post-deployment monitoring makes this case bluntly: pre-deployment evaluations conducted in controlled environments are failing. The reasons are structural:

  • AI models are non-deterministic. They behave differently under the same conditions over time.
  • Models can detect when they’re being evaluated and behave differently in testing than in production.
  • Human factors are impossible to fully test pre-deployment. How people actually use AI systems often diverges from intended use cases.

This reality is reshaping what “monitoring” means from both a legal and operational standpoint. From a legal perspective, monitoring must be documented and systematic: capable of demonstrating what you knew, when you knew it, and what you did about it. The EU AI Act’s post-market obligations and impact assessment requirements treat monitoring as a legal requirement, not an optional best practice.

Six Categories of Monitoring You Need to Address

NIST’s framework organizes post-deployment monitoring into six categories that provide a practical roadmap for governance teams:

  1. Functionality monitoring – Is the system performing as intended?
  2. Operational monitoring – Are there failures, latency issues, or performance degradation?
  3. Human factors monitoring – How are people actually using the system versus how it was designed to be used?
  4. Security monitoring – Is the system protected against adversarial attacks and misuse?
  5. Compliance monitoring – Does ongoing operation align with regulatory requirements?
  6. Large-scale impacts monitoring – What are the broader societal effects of the system?

Most organizations are reasonably equipped for the first two categories. The challenge lies in human factors and large-scale impacts—areas that are difficult to measure but increasingly important to regulators and courts.

There’s also what NIST calls the “privacy monitoring paradox”: the more data you collect for effective governance, the more you may conflict with privacy principles that encourage minimal data collection and retention. Resolving this tension requires deliberate decisions about what to monitor and documented rationale for those choices.

ISO 42001: The Emerging Baseline

As enterprises navigate both frameworks, ISO 42001 is emerging as the connective tissue. One of the more underused resources available is NIST’s crosswalk documentation, which maps alignment between NIST AI RMF, ISO 42001, and OECD AI principles. This enables organizations to build governance programs that satisfy multiple frameworks simultaneously.

“I think 42001 is on track to be sort of the table stakes framework,” Clearwater observes. “Where you hear today in the security space, ‘your SOC 2 report’—pretty standard request—I think it’s going to look like that in the vendor space for AI with 42001.”

This trend is already visible in procurement. ISO 42001 is showing up in RFPs, enterprise contracts, and vendor assessments in the same way SOC 2 did five years ago. Organizations without documented alignment will increasingly find themselves at a disadvantage in competitive evaluations.

The Documentation Imperative

From a legal standpoint, the most common gap in enterprise AI programs isn’t policy—it’s evidence. Most organizations have governance principles and well-drafted policies. Far fewer can demonstrate systematic, documented practice that would hold up in an audit or deposition.

The practical starting point is straightforward: run an audit against NIST’s six monitoring categories for a single AI use case. If you can’t articulate what you would say today about functionality, security, human factors, and compliance for that system, you certainly won’t be able to say anything meaningful in six months—or in response to a regulatory inquiry.

Key documentation priorities include:

  • Assigning ownership, cadence, and documentation standards for each monitoring category
  • Developing an incident taxonomy with clear triggers and definitions (your privacy and security taxonomies may not map directly to AI-specific incidents)
  • Establishing behavioral cadence for auditing model behavior and verifying alignment with documented intentions

The risk of building against a moving regulatory target is materially smaller than the risk of having no documented program at all. As Purdy emphasizes: “Documentation written after an incident is worth a fraction of something that was written before it.”

How to Navigate Both Frameworks

For organizations that are subject to the EU AI Act and also operate in U.S. markets where NIST AI RMF is increasingly referenced, the path forward involves several practical steps:

Start with risk assessments and impact assessments. Under ISO 42001, this dual approach addresses both inward-looking risks (what could happen to our organization) and outward-looking impacts (what could happen to others and society).

Use NIST’s crosswalk documentation to map your governance program against multiple frameworks simultaneously. This “build once, comply many” approach reduces redundant effort while ensuring comprehensive coverage.

Don’t over-pivot to compliance at the expense of risk management. Standards like ISO 42001 offer both compliance benefits and genuine risk management value. Organizations that treat these frameworks purely as checkbox exercises miss the opportunity to align their governance programs with actual risks.

Document continuously, not reactively. The time to build your governance program is before you need it—before the audit, before the incident, before the regulatory inquiry.

Moving From Principles to Practice

The regulatory landscape for AI governance is no longer theoretical. The EU AI Act is live. NIST AI RMF is being imported into litigation as the standard of care. ISO 42001 is becoming table stakes for vendor relationships. And the shift from pre-deployment gates to continuous post-deployment monitoring is redefining what governance programs must deliver.

The organizations that will navigate this environment successfully are those building the infrastructure to govern AI continuously—with complete visibility into what’s running, real-time enforcement of policies, and automated documentation mapped to the frameworks regulators care about.

Learn More

This piece pulls from a live conversation we hosted with Richard Purdy (General Counsel) and Andrew Clearwater (Chief Trust Officer) on post-deployment governance, behavioral drift, and what audit readiness really requires. Watch the full session on demand: Your AI is in Production. Do You Know What It’s Doing?

Ready to operationalize AI governance across frameworks? If your enterprise needs to move from compliance principles to continuous governance in production, request a demo to see how Airia provides automated compliance mapping, real-time policy enforcement, and audit-ready documentation for the EU AI Act, NIST AI RMF, and ISO 42001—so regulatory alignment is built into how your AI operates by default.