VerifyWise

ISO 23894 vs ISO 42001 vs NIST AI RMF: which AI risk standard do you need?


The short answer

These three get compared as if you have to pick one. You don't. They do different jobs, and most mature programs end up using more than one.

  • ISO/IEC 23894 tells you how to assess and treat AI risk. It is a guidance document, not certifiable.
  • ISO/IEC 42001 is the management system that runs your whole AI governance program. It is certifiable, so an accredited body can audit you and issue a certificate.
  • NIST AI RMF is a voluntary framework from the US government that organizes the work into four functions: Govern, Map, Measure and Manage.

If you only read one line: 42001 is the system of record you can get certified against, 23894 is the risk methodology that feeds it, and the NIST AI RMF is the free framework many US teams start with before they commit to certification.

Side-by-side comparison

| | ISO/IEC 23894 | ISO/IEC 42001 | NIST AI RMF |
|---|---|---|---|
| What it is | AI risk management guidance | AI management system standard | Voluntary risk framework |
| Published | 2023 | 2023 | 2023 (GenAI profile added 2024) |
| Certifiable | No | Yes, by an accredited body | No |
| Built on | ISO 31000 | ISO management-system structure | Its own Govern, Map, Measure, Manage functions |
| Main output | A documented AI risk process | A running, auditable governance program | A common language for AI risk |
| Cost to obtain | Paid ISO document | Paid ISO document plus audit fees | Free to download |
| Best for | Teams that need a defensible risk method | Organizations that want a certificate buyers trust | US teams and anyone wanting a free starting point |

How they fit together

They are layers, not competitors.

42001 is the container. It asks you to run AI governance as a managed system with policies, roles, objectives and continual improvement. One of the things it expects you to have is a real risk process. It does not spell that process out in detail.

23894 fills that gap. It takes the well-worn ISO 31000 risk method and extends it for the risks that are specific to AI, such as bias, model drift, explainability and societal impact. If 42001 asks you to manage AI risk, 23894 is a ready-made answer for how.

The NIST AI RMF sits across both. Its Govern, Map, Measure and Manage functions map cleanly onto what 42001 and 23894 ask for, which is why teams often use it as the plain-language frame and then reach for the ISO standards when they need something auditable.

Which one should you start with?

Start with the NIST AI RMF if you are early, you are US-based, or you want to organize the work without spending anything yet. It gives you a shared vocabulary and a sensible order of operations, and nothing you do here is wasted if you certify later.

Start with ISO 23894 if your immediate problem is risk. You have AI in production, someone has asked how you assess it, and a spreadsheet is no longer a good answer. 23894 gives you a method you can defend in front of an auditor or a customer.

Go for ISO 42001 when you need the certificate. Enterprise buyers, regulators and procurement teams increasingly ask for it, and it is the only one of the three you can actually be certified against. Most teams reach this stage after they already have a risk process and some governance habits in place.

A common path

A typical sequence looks like this: use the NIST AI RMF to frame the program and get everyone speaking the same language, adopt ISO 23894 to put a real risk method underneath it, then pursue ISO 42001 certification once the buyers you sell to start asking for proof. You are not choosing one standard over the others. You are deciding what to do first.

How VerifyWise helps

VerifyWise maps a single set of controls across all three so you do not maintain three parallel programs. Evidence you collect for the NIST AI RMF carries over to 23894 and 42001, and when an auditor asks for proof against any of them, it is already in one place.

Related reading

  • ISO 23894 AI risk management: how it extends ISO 31000
  • ISO/IEC 42001:2023 AI Management System
  • NIST AI Risk Management Framework

Tags

  • ISO 23894
  • ISO 42001
  • NIST AI RMF
  • comparison
  • AI risk management

At a glance

  • Published: 2026
  • Jurisdiction: Global
  • Category: Standards and certifications
  • Access: free
