If you are comparing AI governance frameworks, the useful question is not which one is best but which one fits the firm you actually run. The well-known frameworks were written for different readers, and picking the wrong one means a small firm drowning in a programme built for a multinational, or a large firm leaning on something too light for its risk.
This note walks through the main AI governance frameworks worth knowing and who each one suits, drawn from our governance report.
The frameworks worth knowing
The NIST AI Risk Management Framework is the most widely referenced. It is voluntary, principle-based, and organised around four functions: govern, map, measure, and manage. Its strength is that it is readable and adaptable. Its weakness for a small firm is that it assumes you will do the work of translating principles into your own controls.
ISO/IEC 42001 is the certifiable management-system standard for AI. If you have been through ISO 27001 for information security, this will feel familiar: a structured management system you can be audited and certified against. It suits firms that need to prove governance to clients or regulators with a recognised badge.
The EU AI Act is not a framework you adopt but a law you comply with, and it sets the floor in Europe. It classifies AI uses by risk and attaches obligations to each tier. Any framework you pick has to sit on top of meeting the Act's requirements for your use cases.
Matching the framework to the firm
A small professional-services firm is usually best served by taking the NIST functions as a mental model and implementing a proportionate version: the inventory, the owners, the vendor checks, the records. You get the structure without committing to a certifiable management system you do not need.
A firm that sells to enterprise clients or sits under heavier regulation often benefits from ISO/IEC 42001, because the certification answers the client's due-diligence question before they ask it. The cost is real, so it is worth it mainly when clients or regulators are actually demanding evidence.
Every firm in Europe, regardless of size, has to map its AI uses against the EU AI Act's risk tiers. That mapping is the non-negotiable part. The framework choice on top of it is where the proportionality judgement comes in.
How to choose without over-engineering
Start by mapping your AI uses to the EU AI Act risk tiers (unacceptable, high, limited, minimal), because that is required and it tells you how much governance each use actually needs. For most small-firm uses the answer is limited or minimal risk, which keeps the obligations light, largely transparency duties. The exception to check for is any use the Act lists as high-risk, such as AI that informs hiring or other employment decisions: a small firm deploying such a system inherits the high-risk obligations regardless of its size.
Then use NIST as the working model for the controls, and only reach for ISO/IEC 42001 certification when a client or regulator is asking for proof you can point to. Adopting a heavyweight framework nobody is asking for is a common and expensive mistake. The report behind this note turns the chosen framework into the concrete checklist a regulated firm works from.