AI Governance Frameworks Comparison Matrix (2026)

A side-by-side comparison of NIST AI RMF, ISO 42001, UK DSIT five principles, BSI AIME, and the EU AI Act. Includes a detailed matrix across eight dimensions to help UK businesses choose.

The main AI governance frameworks relevant to UK businesses in 2026 are: NIST AI RMF (voluntary, US-origin, comprehensive risk management), ISO 42001 (certifiable international standard for AI management systems), the UK DSIT five AI principles (voluntary, UK-specific, regulator-interpreted), AIME (BSI self-assessment stepping stone to ISO 42001), and the EU AI Act (legally binding for businesses operating in the EU market). Each serves a different purpose and requires different levels of investment. Most UK SMEs should start with the DSIT five principles and AIME self-assessment, then progress to NIST AI RMF or ISO 42001 as governance matures.
  • 5 frameworks compared
  • 1 requires certification (ISO 42001)
  • 1 is binding law (EU AI Act)
  • £0–£25k implementation cost range

The five frameworks at a glance

| Framework | Type | Origin | Binding? |
| --- | --- | --- | --- |
| NIST AI RMF | Risk management framework | US (NIST) | No — voluntary |
| ISO 42001 | Management system standard | International (ISO) | No — voluntary certification |
| UK DSIT Five Principles | Policy framework | UK (DSIT) | No — voluntary (regulators interpret) |
| BSI AIME | Self-assessment | UK (BSI) | No — voluntary |
| EU AI Act | Legislation | EU | Yes — for in-scope systems |

Full comparison matrix

| Dimension | NIST AI RMF | ISO 42001 | DSIT Principles | AIME | EU AI Act |
| --- | --- | --- | --- | --- | --- |
| Certification available | No | Yes | No | No | Conformity assessment for high-risk |
| Cost to implement (SME) | Internal only | £10k–£25k+ | Internal only | Internal only | Varies by risk tier |
| Time to implement | 1–6 months | 6–12 months | Ongoing | 1–4 weeks | Phased 2024–2027 |
| UK regulatory alignment | Recognised, not required | Recognised, not required | Official UK approach | Aligned with ISO 42001 | Applies to EU operations |
| Structure | 4 functions, categories, sub-categories | Annex SL clauses + Annex A controls | 5 principles | 5 assessment domains | Risk tiers + obligations per tier |
| Best for | Internal risk management | External proof of governance | Policy alignment with UK regulators | Starting the governance journey | EU market access |
| Scalable to SMEs | Yes — proportionate implementation | Possible but resource-intensive | Yes — principles are size-neutral | Yes — designed for it | Most SMEs are minimal/limited risk |
| Ongoing effort | Quarterly review | Annual surveillance audits | Continuous | Periodic re-assessment | Ongoing monitoring for high-risk |

Framework selection by business size

  • Micro-business (1–9 employees): Start with the DSIT five principles and the AI governance checklist. AIME is optional but helpful for structured thinking. ISO 42001 is almost certainly disproportionate at this size.
  • Small business (10–49 employees): DSIT five principles plus AIME self-assessment. Consider the NIST AI RMF if you have complex AI use or handle sensitive data. ISO 42001 if client contracts require it.
  • Medium business (50–249 employees): Full NIST AI RMF implementation. AIME as a maturity baseline. ISO 42001 certification if you serve enterprise clients or operate in regulated sectors.
  • Large business (250+ employees): ISO 42001 certification. NIST AI RMF as your operational risk methodology. EU AI Act compliance if you have EU operations.

Framework selection by regulatory exposure

  • UK-only operations: DSIT five principles are the foundation. Layer NIST AI RMF or ISO 42001 based on business needs. No EU AI Act obligations unless you serve EU customers.
  • EU-facing operations: EU AI Act compliance is mandatory for in-scope systems. Use the DSIT principles and NIST AI RMF or ISO 42001 for broader governance. See our EU AI Act vs UK regulation guide.
  • US clients or partners: NIST AI RMF is widely recognised in US contexts. ISO 42001 provides international credibility.
  • Regulated sectors (FCA, ICO, CMA): Start with your sector regulator's specific AI guidance. Use NIST AI RMF or ISO 42001 as the operational framework to implement it.

How frameworks overlap and complement each other

These frameworks are not competing alternatives — they address different aspects of AI governance and overlap significantly:

  • DSIT + NIST AI RMF: The five principles tell you what to aim for. The NIST AI RMF tells you how to operationalise it through structured risk management.
  • AIME + ISO 42001: AIME assesses your readiness. ISO 42001 provides the certifiable management system to build towards.
  • NIST AI RMF + ISO 42001: NIST provides the risk assessment methodology. ISO 42001 provides the management system wrapper for formal certification.
  • EU AI Act + everything else: The EU AI Act is law — it creates obligations. The other frameworks help you build the governance infrastructure to meet those obligations.

Building a phased governance roadmap

For most UK businesses, the recommended progression is:

  1. Phase 1 (Month 1–2): Adopt the DSIT five principles as your policy framework. Complete the governance checklist. Run an AI tools audit.
  2. Phase 2 (Month 3–4): Complete the AIME self-assessment. Identify and close critical governance gaps.
  3. Phase 3 (Month 5–8): Implement the NIST AI RMF for structured risk management. Establish measurement baselines.
  4. Phase 4 (Month 9+): If certification is needed, begin ISO 42001 implementation. Your AIME and NIST AI RMF work becomes the foundation.

Governably helps you start this journey by automating the discovery phase — run a free scan to understand your current AI tool landscape, email security posture, and credential exposures before choosing a framework.

Frequently Asked Questions

Which AI governance framework is best for UK SMEs?

For most UK SMEs, the best starting point is the UK DSIT five AI principles combined with the BSI AIME self-assessment. The five principles provide the policy direction, and AIME provides a structured way to assess your governance maturity. This combination is free, does not require certification, and aligns with UK regulatory expectations. Progress to NIST AI RMF or ISO 42001 when your governance matures or client requirements demand it.

Can I follow multiple frameworks at once?

Yes — and most well-governed organisations do. The frameworks are complementary, not competing. A common approach is to use the DSIT five principles as your policy foundation, the NIST AI RMF as your risk management methodology, and work towards ISO 42001 certification as your management system matures. Each framework addresses a different aspect of AI governance.

Which frameworks require certification?

Only ISO 42001 offers formal third-party certification. The NIST AI RMF is a voluntary self-assessment framework. The UK DSIT five principles are a policy framework with no certification pathway. AIME is a self-assessment with no external audit. The EU AI Act is legislation — compliance is mandatory for in-scope systems, but there is no "certification" in the ISO sense.

How much does AI governance framework compliance cost?

Costs range from zero to £25,000+ depending on the framework. The DSIT five principles and NIST AI RMF can be implemented with internal resources only. AIME self-assessment costs are minimal. ISO 42001 certification typically costs £10,000–£25,000 for an SME including consultancy and audit fees, plus £3,000–£8,000 annually for surveillance audits.

Which framework will UK regulators expect?

UK regulators have not mandated any specific framework. The DSIT white paper establishes the five principles as the UK's cross-sectoral approach, but regulators focus on evidence of responsible AI governance rather than adherence to a specific framework. Having any documented, systematic approach — whether based on NIST, ISO, DSIT, or a combination — is what matters.

Sources

  1. NIST. AI Risk Management Framework (AI RMF 1.0). nist.gov
  2. ISO. ISO/IEC 42001:2023 — Artificial intelligence management system. iso.org
  3. BSI. AI Management Essentials (AIME). bsigroup.com
  4. DSIT. AI regulation: a pro-innovation approach. gov.uk
  5. European Commission. EU Artificial Intelligence Act. artificialintelligenceact.eu