Map NIST AI RMF 1.0 functions to EU AI Act 2024/1689 compliance requirements, enabling organizations with AI systems in both US and EU contexts to build a unified AI governance documentation architecture.
NIST AI RMF 1.0 (GOVERN, MAP, MEASURE, MANAGE) mapped to EU AI Act requirements for high-risk AI systems including technical documentation (Article 11), risk management (Article 9), data governance (Article 10), human oversight (Article 14), and accuracy/robustness (Article 15).
NIST AI RMF and EU AI Act address the same governance problem from different angles. NIST AI RMF is voluntary and defines how organizations should govern AI risk. EU AI Act is binding regulation defining what documentation high-risk AI systems must have. For organizations subject to both: NIST AI RMF provides the governance architecture; EU AI Act specifies the mandatory documentation artifacts that architecture must produce.
| NIST AI RMF | EU AI Act | |
|---|---|---|
| NIST AI RMF GOVERN | ↔ | EU AI Act Arts. 9, 17, 26, 28 |
| NIST AI RMF MAP | ↔ | EU AI Act Arts. 9, 10 |
| NIST AI RMF MEASURE | ↔ | EU AI Act Arts. 9, 15, 72 |
| NIST AI RMF MANAGE | ↔ | EU AI Act Arts. 9, 26, 72 |
Selected high-overlap control mappings. Full crosswalk documentation available on request.
| NIST AI RMF Control | EU AI Act Control | |
|---|---|---|
AI RMF GOVERN GV.OC (Organizational Context) | → | EU AI Act Art. 9 (Risk Management System) |
AI RMF GOVERN GV.PO (Policy) | → | EU AI Act Art. 17 (Quality Management System) |
AI RMF MAP MP.1 (Categorize) | → | EU AI Act Annex III (High-Risk Classification) |
AI RMF MAP MP.2 (Scientific Basis) | → | EU AI Act Art. 10 (Data Governance) |
AI RMF MEASURE MG.2 (Risk Evaluation) | → | EU AI Act Art. 15 (Accuracy & Robustness) |
AI RMF MANAGE MG.4 (Risk Residual) | → | EU AI Act Art. 14 (Human Oversight) |
AI RMF MANAGE MG.5 (Post-Deployment) | → | EU AI Act Art. 26 (Post-Market Monitoring) |