Which AI Governance Framework Should Your Business Use?
A decision guide for UK businesses choosing between NIST AI RMF, ISO 42001, DSIT five principles, and BSI AIME. Includes a decision tree by business size, regulatory exposure, and client requirements.
The right AI governance framework depends on three factors: your business size, your regulatory exposure, and what your clients or supply chain require. If you are a UK SME with no specific compliance mandate, start with the UK DSIT five AI principles and run the BSI AIME self-assessment to identify gaps. If enterprise clients require demonstrable certification, work towards ISO 42001. If you need a structured internal risk methodology, adopt the NIST AI RMF. Most businesses do not need to choose just one — the frameworks are complementary. Start with the lightest-touch option that satisfies your most pressing requirement and build from there.
Start with your requirements, not the framework
The most common mistake is choosing a framework and then trying to justify it. Instead, start with three questions:
- Do any clients, contracts, or procurement processes require a specific framework or certification? If yes, that requirement drives your choice.
- Are you in a regulated sector where your regulator has issued AI guidance? If yes, start with that guidance and choose a framework that supports it.
- Do you develop AI systems, or only use them? Developers need more comprehensive frameworks. Users need proportionate governance.
If the answer to all three is "no specific requirement," you have freedom to choose the most proportionate approach — which for most UK SMEs is the DSIT five principles plus the AIME self-assessment.
Decision tree: which framework fits your situation
Follow the path that matches your situation:
- Client or contract requires ISO 42001 certification? → Pursue ISO 42001. Use NIST AI RMF as your risk methodology within it.
- Sell to or operate in the EU? → Assess EU AI Act obligations first. Use DSIT principles + NIST AI RMF for broader governance.
- Work with US clients or partners? → NIST AI RMF is the most recognised framework in US contexts. ISO 42001 provides international credibility.
- Regulated sector (FCA, ICO, CMA)? → Start with your sector regulator's AI guidance. Layer NIST AI RMF or ISO 42001 as operational frameworks.
- UK SME with no specific requirement? → DSIT five principles + AIME self-assessment. Add NIST AI RMF when AI use becomes complex.
- Just getting started with AI governance? → Start with the AI governance checklist. It covers the basics regardless of which framework you choose later.
By business size
Micro-business (1–9 employees)
A formal framework is likely disproportionate. Focus on the basics: know what AI tools are in use, write a one-page acceptable use policy, and brief all staff. The DSIT five principles give you a policy reference. The governance checklist gives you the actions.
Small business (10–49 employees)
The DSIT five principles plus the AIME self-assessment is the right level. This gives you a structured governance baseline and a gap analysis. If you handle sensitive data or serve enterprise clients, consider implementing the NIST AI RMF Govern and Map functions.
Medium business (50–249 employees)
Full NIST AI RMF implementation is proportionate and valuable. Use AIME as a maturity baseline. If client contracts require it, begin ISO 42001 implementation — your NIST work becomes the risk management evidence for the ISO management system.
Large business (250+ employees)
ISO 42001 certification is the standard expectation for enterprise AI governance. Use NIST AI RMF as your operational risk methodology. Ensure EU AI Act compliance if you have EU operations.
By regulatory exposure
- UK-only, unregulated sector: DSIT five principles + AIME. Lowest overhead, aligned with UK direction.
- UK-only, regulated sector: Sector regulator guidance + NIST AI RMF or ISO 42001 depending on formality requirements.
- EU market exposure: EU AI Act compliance is non-optional. DSIT + NIST AI RMF or ISO 42001 for UK-side governance (EU AI Act, 2024).
- Global operations: ISO 42001 provides the broadest international recognition. NIST AI RMF is strongest in US contexts.
By client requirements
- Public sector: ISO 42001 certification is increasingly referenced in government procurement. DSIT alignment is expected.
- Enterprise clients: ISO 42001 or NIST AI RMF alignment is typically part of vendor due diligence questionnaires.
- SME clients: No framework requirement is typical. Your own governance is a competitive differentiator rather than a compliance checkbox.
The phased approach: start light, formalise over time
You do not need to commit to one framework today. The recommended approach for most UK businesses:
- Now: Complete the governance checklist. Write an acceptable use policy.
- Month 1–2: Complete the AIME self-assessment. Close critical gaps.
- Month 3–6: If needed, implement the NIST AI RMF for structured risk management.
- Month 6–12: If certification is needed, begin ISO 42001 implementation.
Every activity at each phase contributes to the next. Nothing is wasted.
How Governably helps assess your starting point
Before choosing a framework, you need to know where you stand. Governably scans your business across five surfaces — email security, leaked credentials, AI tool access, file sharing, and your external footprint — and produces an exposure score in under five minutes. Run a free scan to get a baseline that informs which framework is proportionate for your current risk profile.
Frequently Asked Questions
Do I need a framework if my business only uses ChatGPT?
Yes — even if ChatGPT is the only AI tool in use, you still need governance basics: an acceptable use policy, data classification rules, and awareness of what information employees share. A full framework like NIST AI RMF may be disproportionate, but the DSIT five principles and the AI governance checklist provide a proportionate starting point.
What if my clients require a specific framework?
If a client contract or procurement process specifies a framework — typically ISO 42001 certification or NIST AI RMF alignment — that requirement drives your choice. Start implementation with the client's deadline in mind. For ISO 42001, build six to twelve months of lead time. For NIST AI RMF alignment, three to six months is typically sufficient.
Can I switch frameworks later?
Yes. The frameworks are complementary, and work done under one carries forward to another. A NIST AI RMF implementation provides most of the risk management evidence needed for ISO 42001 Clause 6 (Planning). An AIME self-assessment identifies the gaps you would need to close for any framework. You are never starting from scratch.
How long does it take to adopt a framework?
It depends on the framework. DSIT five principles and AIME can be adopted in weeks. NIST AI RMF implementation takes one to six months depending on scope. ISO 42001 certification takes six to twelve months. Start with the lightest option that meets your immediate needs, and progress from there.
Is there a free AI governance framework?
Yes. The NIST AI RMF, DSIT five principles, and BSI AIME self-assessment are all free to use. You can implement them using internal resources without purchasing anything. ISO 42001 is also free to adopt internally — the cost comes from the certification audit if you choose to pursue formal certification.
Sources
- DSIT. AI regulation: a pro-innovation approach. gov.uk
- BSI. AI Management Essentials (AIME). bsigroup.com
- NIST. AI Risk Management Framework (AI RMF 1.0). nist.gov
- ISO. ISO/IEC 42001:2023 — Artificial intelligence management system. iso.org
- European Commission. EU Artificial Intelligence Act. artificialintelligenceact.eu