
Skill Guide

Compliance and governance frameworks for AI (NIST AI RMF, EU AI Act, ISO 42001)

The systematic application of international standards (ISO 42001), national risk frameworks (NIST AI RMF), and binding legislation (EU AI Act) to ensure AI systems are developed, deployed, and operated in a trustworthy, risk-managed, and legally compliant manner.

This skill mitigates existential regulatory and reputational risk for organizations by proactively embedding legal and ethical guardrails into the AI lifecycle. It directly protects revenue streams, maintains market access (particularly in the EU), and builds durable stakeholder trust.

Careers: 1 | Categories: 1 | Avg Demand: 9.2 | Avg AI Risk: 15%

How to Learn Compliance and governance frameworks for AI (NIST AI RMF, EU AI Act, ISO 42001)

1. Master the foundational taxonomy: understand the definitions of AI risk, fairness, transparency, and accountability.
2. Perform a high-level comparative mapping of the three frameworks' core objectives (NIST: risk management, EU AI Act: legal compliance, ISO 42001: management system).
3. Read the official summaries and one-page guides published by NIST, the European Commission, and ISO.

1. Conduct a practical gap analysis of a hypothetical or internal AI project against the EU AI Act's risk classification tiers.
2. Draft a NIST AI RMF 1.0 'Profile' for a specific AI use case, defining target outcomes for the 'Map', 'Measure', 'Manage', and 'Govern' functions.
3. Avoid the common mistake of treating these as static checklists; focus on iterative integration into the SDLC and risk management processes.

1. Architect an integrated governance model that harmonizes NIST RMF controls with ISO 42001's Annex A requirements, mapping them to internal audit procedures.
2. Lead the development of an organization-wide AI Policy and Risk Appetite Statement, translating high-level framework requirements into enforceable engineering and procurement standards.
3. Mentor cross-functional teams (Legal, Engineering, Product) on interpreting and implementing framework-specific requirements.

Practice Projects

Beginner
Case Study/Exercise

AI System Risk Classification Drill

Scenario

You are presented with three AI system proposals: 1) An AI for medical diagnosis, 2) A chatbot for customer service, 3) A CV screening tool for hiring. Your task is to classify each according to the EU AI Act's risk tiers.

How to Execute
1. List the four risk tiers (Unacceptable, High, Limited, Minimal) with one defining example each.
2. Analyze each proposal against the Annex III high-risk criteria (e.g., 'employment, workers management').
3. Document the rationale for each classification, citing specific articles or recitals from the Act.
4. Propose one mandatory compliance step for the high-risk system identified.

Intermediate
Project

NIST AI RMF Profile Development

Scenario

Your company is deploying a high-stakes, internal AI model for credit risk assessment. You need to create a structured risk management profile for it.

How to Execute
1. Select the relevant AI RMF 1.0 'Core' outcomes from the 'Govern', 'Map', 'Measure', and 'Manage' functions.
2. For each selected outcome (e.g., 'GOVERN 1.2'), define a concrete, measurable organizational practice (e.g., 'Credit risk policy is reviewed quarterly against model performance drift metrics').
3. Document this as a 'Target Profile'.
4. Draft a 'Current Profile' assessment to identify gaps against this target.

Advanced
Case Study/Exercise

Integrated Compliance Architecture Design

Scenario

A multinational firm is launching a new, high-risk AI product globally. Legal requires EU AI Act compliance, the board demands a NIST-aligned risk framework, and procurement needs an ISO 42001 certification path.

How to Execute
1. Create a master mapping document cross-walking requirements from the EU AI Act (legal obligations), NIST AI RMF (process controls), and ISO 42001 (management system).
2. Design a unified control framework, assigning each integrated control to an internal owner (e.g., 'Model Validation' owned by Engineering).
3. Develop a phased implementation roadmap that prioritizes controls for EU market entry (legal) while building the long-term management system (ISO).
4. Draft the audit evidence requirements that satisfy both internal governance and future external certification.

Tools & Frameworks

Regulatory & Standards Texts

- NIST AI Risk Management Framework 1.0
- EU AI Act (Official Legal Text & Recitals)
- ISO/IEC 42001:2023 (Artificial Intelligence Management System)

The primary source documents. Use them for definitive requirements, definitions, and audit criteria. NIST for process guidance, EU Act for legal obligations, ISO for certifiable management systems.

Implementation & Mapping Tools

- NIST AI RMF Playbook
- EU AI Act Compliance Toolkit (e.g., from law firms or consultancies)
- ISO 42001 Gap Analysis Checklists

Practical workbooks and checklists derived from the core documents. Use them to translate high-level requirements into actionable tasks, conduct gap assessments, and prepare for audits.

Governance & Documentation Platforms

- GRC (Governance, Risk, Compliance) Software (e.g., ServiceNow, Archer)
- AI/ML Experiment Tracking Platforms (MLflow, Weights & Biases)
- Model Cards & System Cards Templates

Software for operationalizing compliance. GRC platforms manage policies and risk registers. Experiment trackers log development data for reproducibility (key for EU Act). Model cards document performance and bias metrics for transparency.

Interview Questions

Answer Strategy

The core competency is applying the Act's broad scope (including internal systems) and risk-based classification. First, counter the assumption by citing the Act's definition of an AI system and its applicability to systems used in the 'supply chain' or that affect natural persons indirectly. Your first action would be to conduct a preliminary risk assessment based on Annex III, focusing on whether the tool's output influences employment conditions or access to essential services for customers.

Answer Strategy

This tests the ability to move from theory to practice. Answer by outlining concrete activities:
1. **Context & Stakeholder Mapping**: Document the business objective, the physical assets involved, and all stakeholders (operations, safety, legal).
2. **Risk Identification**: Brainstorm potential harms (e.g., false negatives leading to equipment failure, safety incidents, production loss).
3. **Benefit Analysis**: Quantify expected benefits like reduced downtime.
4. **Risk Framing**: Draft a risk statement that contextualizes the identified harms within the organization's risk tolerance and the specific deployment environment.
