AI Frameworks → Business Frameworks
Major AI frameworks are built on top of business frameworks you already operate. These matrices show which ones map, how strongly, and what that means in practice.
Note: These mappings represent an interpretation of structural correspondence between frameworks. In the matrices, • marks a Strong mapping, ◒ a Partial mapping, and — no meaningful mapping. “Strong” means direct structural overlap in scope and controls; “Partial” means shared principles with different structure. Organizations should consult their compliance and legal teams for authoritative guidance.
Risk, Governance & Compliance
Are we protected? Are we governed? Are we compliant?
| AI Framework ↓ | COSO ERM | ISO 27001 | SOX | NIST CSF | GDPR | COBIT |
|---|---|---|---|---|---|---|
| NIST AI RMF (AI 100-1) | • | • | ◒ | • | ◒ | • |
| ISO/IEC 42001 (AIMS) | • | • | ◒ | ◒ | • | • |
| EU AI Act | • | ◒ | ◒ | ◒ | • | ◒ |
| OECD AI Principles | • | ◒ | ◒ | ◒ | ◒ | ◒ |
| IEEE 7000 Series | ◒ | • | — | • | • | ◒ |
| US Executive Order 14110 (Rescinded Jan 2025) | • | ◒ | ◒ | • | ◒ | ◒ |
| Singapore Model AI Gov | • | ◒ | — | ◒ | ◒ | • |
| ISO/IEC 23894 | • | ◒ | ◒ | ◒ | ◒ | ◒ |
Operations, Quality & Delivery
How do we build, deliver, and improve?
| AI Framework ↓ | ISO 9001 | ITIL | CMMI | PMBOK | TOGAF | Prosci |
|---|---|---|---|---|---|---|
| NIST AI RMF (AI 100-1) | • | ◒ | • | ◒ | — | ◒ |
| ISO/IEC 42001 (AIMS) | • | ◒ | • | ◒ | ◒ | ◒ |
| EU AI Act | ◒ | — | ◒ | — | — | ◒ |
| OECD AI Principles | ◒ | — | — | — | — | ◒ |
| IEEE 7000 Series | • | ◒ | ◒ | ◒ | ◒ | — |
| US Executive Order 14110 (Rescinded Jan 2025) | ◒ | — | ◒ | — | — | — |
| Singapore Model AI Gov | ◒ | ◒ | ◒ | ◒ | — | ◒ |
| ISO/IEC 23894 | ◒ | — | ◒ | ◒ | — | — |
AI Framework Reference
NIST AI RMF (AI 100-1)
NIST AI 100-1 — Artificial Intelligence Risk Management Framework
A voluntary U.S. government framework for managing AI risks across four functions — Govern, Map, Measure, Manage — designed to help organizations build trustworthy AI systems.
How It Maps
COSO ERM: Each of AI 100-1's seven trustworthiness characteristics (for example validity and reliability, safety, fairness, accountability and transparency) defines a risk category that COSO ERM should assess. This framework tells you WHAT to measure for AI risk; COSO ERM tells you HOW to manage the risks you find.
NIST CSF: Same NIST family. AI 100-1's security and resilience characteristics extend CSF's cybersecurity functions to AI-specific concerns — adversarial robustness, model integrity, and secure deployment. Your security team can read both.
ISO 27001: AI 100-1's security and privacy characteristics map to ISO 27001 control objectives. If you're 27001 certified, you have the management system — AI 100-1 tells you which AI-specific security risks to plug into it.
ISO 9001: AI 100-1's validity, reliability, and accuracy characteristics ARE quality management applied to AI. Same measurement rigor, same continuous improvement discipline, same documentation requirements — applied to model outputs instead of manufacturing outputs.
COBIT: AI 100-1's accountability and transparency characteristics align with COBIT's governance objectives. Both require clear roles, oversight structures, and documentation for technology-driven decisions.
CMMI: AI 100-1's systematic approach to defining and measuring trustworthiness maps naturally to CMMI maturity levels. You can assess your organization's AI trustworthiness maturity using the same progression: initial, managed, defined, quantitatively managed, optimizing.
ISO/IEC 42001 (AIMS)
ISO/IEC 42001 — Artificial Intelligence Management System
The international standard for establishing and maintaining an AI management system, following the same Plan-Do-Check-Act structure as ISO 27001 and ISO 9001. Certifiable.
Strong Mappings
COSO ERM: ISO 42001's AI management system (Plan-Do-Check-Act) integrates naturally with COSO ERM. Both use risk-based governance with assessment, treatment, and monitoring cycles.
ISO 27001: Same ISO management system structure (PDCA). If you've implemented ISO 27001, you know exactly how to implement 42001 — same certification model applied to AI instead of information security.
ISO 9001: Quality management system structure mirrors AIMS. Continuous improvement, process control, documentation, management review — all the same disciplines, applied to AI management.
COBIT: Both are governance frameworks with complementary scope. COBIT governs IT broadly; ISO 42001 governs AI specifically. Nest ISO 42001 AI governance within your COBIT IT governance structure.
GDPR: ISO 42001's Annex A controls on data for AI systems and on AI system impact assessment line up with GDPR's principles. Where the system processes personal data, GDPR's lawful basis, purpose limitation and data subject rights requirements become inputs to those controls rather than a separate programme.
CMMI: Process maturity model for AI capabilities. Same maturity progression: initial, managed, defined, quantitatively managed, optimizing. CMMI is not referenced by 42001, but it gives you a ready-made lens for assessing how mature your 42001 implementation is.
EU AI Act
European Union Artificial Intelligence Act
The world's first comprehensive AI regulation, classifying AI systems into risk tiers (unacceptable, high, limited, minimal) with mandatory requirements for high-risk systems, transparency obligations for certain limited-risk systems, and separate obligations for general-purpose AI models.
Applies to providers placing AI systems on the EU market or putting them into service in the EU, deployers located in the EU, and providers or deployers outside the EU where the AI system output is used within the EU.
Strong Mappings
COSO ERM: EU AI Act's risk classification tiers (unacceptable, high, limited, minimal) directly feed COSO ERM risk assessment. Organizations already doing ERM can classify AI systems within their existing risk taxonomy.
GDPR: Same legislature, same enforcement philosophy (risk-based, rights-focused), and the AI Act applies without prejudice to GDPR, so personal data processed by an AI system remains subject to both. Oversight differs: GDPR is enforced by data protection authorities, the AI Act by national market surveillance authorities (which a member state may choose to make its DPA) and, for general-purpose AI models, the European AI Office. If you've built GDPR compliance, you already have the documentation, DPIA and rights-handling machinery the AI Act's conformity and transparency obligations build on.
OECD AI Principles
OECD Principles on Artificial Intelligence
International principles adopted by 40+ countries promoting AI that is innovative, trustworthy, respects human rights, and operates with transparency, accountability, and safety.
Strong Mappings
COSO ERM: OECD's accountability, robustness, and transparency principles inform what risks COSO ERM should cover for AI. Both emphasize governance structures and executive accountability.
IEEE 7000 Series
IEEE 7000 Series — Standards for Ethical AI and Autonomous Systems
Standards addressing transparency, bias, privacy, safety, and ethical design of AI and autonomous systems — focused on engineering ethics into systems at the design stage.
Strong Mappings
ISO 27001: Security and privacy standards for autonomous systems map directly to information security management. Same control families applied to AI-specific threats and design requirements.
ISO 9001: IEEE's quality-by-design principles for AI mirror ISO 9001 quality management requirements. Same design control discipline applied to ethical AI system engineering.
NIST CSF: IEEE's safety and security standards align directly with NIST CSF's cybersecurity framework functions. Same security posture management applied to AI-specific systems.
GDPR: IEEE's privacy and data agency principles map directly to GDPR's data protection rights. Both emphasize individual control over personal data in automated systems.
US Executive Order 14110 (Rescinded Jan 2025)
Executive Order on Safe, Secure, and Trustworthy AI (October 2023)
Presidential executive order requiring federal agencies to manage AI risks through safety testing, transparency, and equity protections, with directives to NIST, DHS, and other agencies. Rescinded on 20 January 2025; the mappings below describe the order as issued and are retained for reference.
How It Maps
COSO ERM: EO 14110 requires federal agencies to conduct AI risk assessments and establish governance structures — the same risk identification, assessment, and response cycle COSO ERM prescribes. If you already run enterprise risk management, the EO's requirements slot into your existing risk framework.
NIST CSF: The EO directs NIST to develop AI safety and security standards, building directly on NIST's existing cybersecurity work. CSF 2.0's Govern/Identify/Protect/Detect/Respond/Recover functions extend naturally to the AI security requirements the EO mandates.
ISO 27001: EO 14110's security requirements for AI systems (particularly dual-use foundation models) align with ISO 27001 controls. Your existing ISMS covers many of the security expectations — extend it to AI-specific threats.
SOX: The EO's reporting obligations for developers of dual-use foundation models (imposed under Defense Production Act authority) and its transparency expectations create additional disclosure considerations for publicly traded AI companies. They sit alongside, not inside, SOX's financial control framework.
Singapore Model AI Gov
Singapore Model AI Governance Framework
Practical, sector-agnostic guidance for responsible AI deployment, focused on accountability structures, transparency, and human oversight — widely adopted in APAC.
How It Maps
COSO ERM: Singapore's governance framework mirrors COSO ERM's structure: establish governance, assess risk, implement controls, monitor performance. The framework's four key areas (internal governance structures and measures, determining the level of human involvement in AI-augmented decision-making, operations management, stakeholder interaction and communication) map to COSO's governance, risk assessment, control activities, and monitoring components.
COBIT: Both are governance-focused. Singapore's accountability structures, role definitions, and oversight mechanisms parallel COBIT's governance objectives. If you've implemented COBIT IT governance, Singapore's AI governance slots into the same structure.
ITIL: Singapore's operations management guidance (monitoring, retraining, incident handling for AI) overlaps with ITIL's service operation and continual improvement practices. Your IT service management practices extend to AI operations.
PMBOK: Singapore includes practical implementation guidance — stakeholder analysis, risk assessment, resource planning — that aligns with PMBOK knowledge areas. Useful for organizations treating AI governance implementation as a program.
Prosci: Singapore's emphasis on stakeholder communication and organizational readiness for AI aligns with Prosci's change management approach. The framework recognizes that governance adoption requires the same people-side management as any organizational change.
ISO/IEC 23894
ISO/IEC 23894 — Guidance on AI Risk Management
Extends ISO 31000 enterprise risk management principles to AI-specific contexts — the bridge between your existing risk management framework and AI-specific risk categories.
How It Maps
COSO ERM: ISO 23894 explicitly extends ISO 31000 risk management to AI. COSO ERM and ISO 31000 are the two dominant enterprise risk frameworks globally — they share the same DNA (risk identification, analysis, evaluation, treatment, monitoring). If you run COSO ERM, ISO 23894 tells you which AI-specific risks to add to your existing registers and assessments.
ISO 27001: ISO 23894's AI security risk categories plug into ISO 27001's security controls. Your existing security risk assessment process gains AI-specific risk scenarios: model tampering, training data poisoning, adversarial inputs.
ISO 9001: ISO 23894's quality-related AI risks (accuracy, reliability, validity) complement ISO 9001's quality management. Both use the ISO management system structure — same documentation, review, and improvement rhythms.
SOX: When AI systems participate in financial processes, ISO 23894's risk assessment approach helps identify which AI risks could impact financial reporting integrity — feeding directly into SOX risk assessment.
PMBOK: ISO 23894 extends ISO 31000, and PMBOK's project risk management knowledge area is aligned with the same ISO 31000 vocabulary and uses similar probability-impact assessment methodologies. Same risk language, different scope (project vs. AI system).
Reverse Lookup
Already run one of these business frameworks? Here's every AI framework that maps to it, read off the matrices above (• Strong, ◒ Partial).
Risk, Governance & Compliance
| Business Framework | Strong (•) | Partial (◒) |
|---|---|---|
| COSO ERM (Committee of Sponsoring Organizations Enterprise Risk Management) | NIST AI RMF, ISO/IEC 42001, EU AI Act, OECD AI Principles, US EO 14110 (rescinded), Singapore Model AI Gov, ISO/IEC 23894 | IEEE 7000 Series |
| ISO 27001 (ISO/IEC 27001, Information Security Management System) | NIST AI RMF, ISO/IEC 42001, IEEE 7000 Series | EU AI Act, OECD AI Principles, US EO 14110 (rescinded), Singapore Model AI Gov, ISO/IEC 23894 |
| SOX (Sarbanes-Oxley Act) | none | NIST AI RMF, ISO/IEC 42001, EU AI Act, OECD AI Principles, US EO 14110 (rescinded), ISO/IEC 23894 |
| NIST CSF (NIST Cybersecurity Framework) | NIST AI RMF, IEEE 7000 Series, US EO 14110 (rescinded) | ISO/IEC 42001, EU AI Act, OECD AI Principles, Singapore Model AI Gov, ISO/IEC 23894 |
| GDPR (General Data Protection Regulation) | ISO/IEC 42001, EU AI Act, IEEE 7000 Series | NIST AI RMF, OECD AI Principles, US EO 14110 (rescinded), Singapore Model AI Gov, ISO/IEC 23894 |
| COBIT (Control Objectives for Information and Related Technologies) | NIST AI RMF, ISO/IEC 42001, Singapore Model AI Gov | EU AI Act, OECD AI Principles, IEEE 7000 Series, US EO 14110 (rescinded), ISO/IEC 23894 |
Operations, Quality & Delivery
| Business Framework | Strong (•) | Partial (◒) |
|---|---|---|
| ISO 9001 (Quality Management System) | NIST AI RMF, ISO/IEC 42001, IEEE 7000 Series | EU AI Act, OECD AI Principles, US EO 14110 (rescinded), Singapore Model AI Gov, ISO/IEC 23894 |
| ITIL (Information Technology Infrastructure Library) | none | NIST AI RMF, ISO/IEC 42001, IEEE 7000 Series, Singapore Model AI Gov |
| CMMI (Capability Maturity Model Integration) | NIST AI RMF, ISO/IEC 42001 | EU AI Act, IEEE 7000 Series, US EO 14110 (rescinded), Singapore Model AI Gov, ISO/IEC 23894 |
| PMBOK (Project Management Body of Knowledge) | none | NIST AI RMF, ISO/IEC 42001, IEEE 7000 Series, Singapore Model AI Gov, ISO/IEC 23894 |
| TOGAF (The Open Group Architecture Framework) | none | ISO/IEC 42001, IEEE 7000 Series |
| Prosci (Prosci ADKAR Change Management Model) | none | NIST AI RMF, ISO/IEC 42001, EU AI Act, OECD AI Principles, Singapore Model AI Gov |
Related Standards & Frameworks
These standards don't map 1:1 into the matrices above, but practitioners working with AI governance need to know they exist. Each one connects to frameworks in the matrix.
WCAG
Web Content Accessibility Guidelines
W3C standards for making web content accessible to people with disabilities — covering perceivable, operable, understandable, and robust design principles. Relevant to AI systems with user-facing interfaces.
AI interfaces must be accessible. Screen readers need to work with AI-generated content. Voice interfaces need alternatives. Section 508 (U.S. federal government) incorporates WCAG 2.0 Level AA as its technical standard.
HITRUST CSF
Health Information Trust Alliance Common Security Framework
A certifiable security framework that harmonizes requirements from HIPAA, NIST, ISO 27001, and other standards — widely used in healthcare and by organizations handling health data.
Healthcare AI systems handling PHI often need HITRUST certification. HITRUST provides the bridge between HIPAA requirements and operational security controls.
NIST 800-53
NIST Special Publication 800-53 — Security and Privacy Controls
The comprehensive catalog of security and privacy controls used by U.S. federal agencies and many private sector organizations. Revision 5 contains over 1,000 controls and control enhancements organized into 20 families.
Federal AI systems must comply with NIST 800-53 controls. The control catalog includes AI-relevant controls for system integrity, audit, access control, and risk assessment.
FedRAMP
Federal Risk and Authorization Management Program
The U.S. government's standardized approach to security assessment, authorization, and monitoring for cloud services used by federal agencies — based on NIST 800-53 controls.
Cloud-based AI services sold to federal agencies must be FedRAMP authorized. The authorization process evaluates the AI system's security posture against NIST 800-53 controls.
SOC 2
System and Organization Controls 2
An audit framework assessing an organization's controls against five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. The de facto standard for SaaS vendor security assurance.
AI SaaS vendors need SOC 2 reports for enterprise sales. AI systems that process customer data must be included in the SOC 2 scope — covering data handling, model security, and access controls.
PCI DSS
Payment Card Industry Data Security Standard
Security standard for organizations that handle credit card data — covering network security, encryption, access control, monitoring, and testing requirements.
AI systems that process, store, or transmit payment card data must comply with PCI DSS. Fraud detection models, payment processing AI, and customer-facing payment interfaces are all in scope.
Section 508
Section 508 of the Rehabilitation Act
U.S. federal law requiring that electronic and information technology developed, procured, or maintained by federal agencies be accessible to people with disabilities — referencing WCAG standards.
Federal AI systems with user interfaces must be Section 508 compliant. This includes chatbots, dashboards, decision support tools, and any AI-powered interface used by federal employees or the public.
GDPR
General Data Protection Regulation
The EU's comprehensive data protection regulation governing the collection, processing, and storage of personal data, including restrictions on solely automated decision-making (Article 22) and the obligation to give data subjects meaningful information about the logic involved in such decisions (Articles 13 to 15).
GDPR Article 22 gives individuals the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning them or similarly significantly affects them, subject to the exceptions in Article 22(2). AI systems making such decisions about EU data subjects must provide meaningful information about the logic involved and a route to human intervention.
CCPA/CPRA
California Consumer Privacy Act / California Privacy Rights Act
California's comprehensive privacy law giving consumers rights over their personal data. The CPRA directs the California Privacy Protection Agency to issue regulations on access and opt-out rights for automated decision-making technology (ADMT).
The CPRA's ADMT provisions affect AI deployments directly: businesses using ADMT for significant decisions must disclose that use and honor access and opt-out requests, with the detailed notice, access and opt-out obligations set out in the CPPA's ADMT regulations.
BCBS 239
Basel Committee on Banking Supervision — Principles for Risk Data Aggregation and Risk Reporting
International banking standard requiring systemically important banks to have strong data governance, accurate risk data aggregation, and timely risk reporting capabilities.
AI models used for risk management in banking must be built on data infrastructure that meets BCBS 239 principles. Data quality, lineage, and aggregation capabilities are prerequisites for reliable AI risk models.
NAIC Model Laws & AI Bulletins
National Association of Insurance Commissioners Model Laws and AI Guidance
NAIC model laws and bulletins governing the use of AI/ML in insurance, including the Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023), with requirements for transparency, fairness testing, and governance of predictive models used in underwriting, rating, and claims.
State insurance regulators are adopting the NAIC bulletin, typically as a state bulletin addressed to licensed insurers. Insurers using AI in rating, underwriting, or claims must demonstrate fairness, transparency, and appropriate governance, and be able to produce that evidence on regulator request.