NIST AI RMF, ISO 42001 & the EU AI Act: what a finance leader actually has to do
Three names dominate every AI-governance conversation, and they're easy to conflate. Here's the plain-English version, and — more usefully — what they actually require you to do.
The three, demystified
- NIST AI RMF — a voluntary U.S. framework for managing AI risk, organized around four functions: Govern, Map, Measure, Manage. Think of it as the recipe.
- ISO/IEC 42001 — an international, certifiable standard for running an "AI management system" (the AI cousin of ISO 27001). Think of it as the gold-star checklist you can be audited against.
- EU AI Act — an actual law that sorts AI by risk (prohibited / high / limited / minimal) and imposes obligations accordingly. Think of it as the rules you must follow if you're in scope.
Two are voluntary maps; one is law. But they converge on the same handful of disciplines — which is good news, because you can satisfy all three with one program.
What you actually have to do
Strip away the acronyms and the practical work is consistent:
- Inventory your AI — you can't govern what you haven't catalogued.
- Risk-tier each use — not every model needs the same scrutiny; the ones touching credit, reporting, or customers do.
- Govern the data — quality, lineage, lawful basis, and a semantic layer so outputs are trustworthy.
- Keep humans in the loop for high-stakes decisions, and make outputs transparent.
- Document and evidence as you go — the audit trail that proves all of the above.
Do that, and you're substantially aligned to all three at once. The frameworks don't call for five separate projects; they describe one governance program in three vocabularies.