The chief risk officer at a US-headquartered insurer opened her laptop on a Monday morning in February 2026 to three questions from the audit committee:

Are we compliant with the NIST AI RMF? Are we compliant with the EU AI Act? And if a regulator in Dublin subpoenaed our AI inventory tomorrow, would the answers align?

She had been running an AI governance program for eighteen months based on the NIST AI Risk Management Framework 1.0 and its four functions: Govern, Map, Measure, and Manage.

What she did not yet have was a traceable crosswalk from those four functions to the specific articles of the EU AI Act that her claims-triage model would be judged against six months later.

What risk leaders need to remember
NIST AI RMF is voluntary guidance; the EU AI Act is binding law with fines up to EUR 35M or 7% of global annual turnover, so treating them as interchangeable invites regulatory exposure.
Map your AI inventory to Annex III categories first, because high-risk classification under the EU AI Act triggers conformity assessment, CE marking, EU database registration, and post-market monitoring duties the NIST AI RMF does not prescribe.
Use the NIST AI RMF Govern-Map-Measure-Manage functions as your internal operating system, then layer EU AI Act articles on top to close gaps in transparency (Art. 13), human oversight (Art. 14), and incident reporting (Art. 73).
August 2, 2026 is the compliance cliff: enforcement of Annex III high-risk obligations and GPAI penalties both activate, so US multinationals with EU customers should be in conformity-assessment execution mode by Q2 2026.
A joint NIST AI RMF vs EU AI Act readiness program pays for itself when you design a single control library that maps to both the four RMF functions and to EU Articles 9 through 17, cutting duplicative audit work by 30 to 50%.
Generative AI warrants its own profile: the NIST AI 600-1 GenAI Profile addresses 13 unique risks and 400-plus recommended actions, most of which also satisfy EU AI Act duties for general-purpose AI model providers under Articles 53 through 55.
Board reporting should present both frameworks side by side: one column for NIST AI RMF maturity, one for EU AI Act conformity, one for residual risk, so directors can see US voluntary posture and EU legal exposure on a single page.

The NIST AI RMF vs EU AI Act comparison is the most consequential AI governance question facing US companies in 2026. The two regimes share vocabulary and some structure, yet they differ in legal force, risk classification method, conformity assessment, incident reporting, and enforcement.

Treating them as interchangeable is the fastest path to a regulatory finding. Treating them as complementary, with a single control library mapped to both, is the fastest path to a defensible program.

This article explains the NIST AI RMF vs EU AI Act distinction, walks through the real compliance mechanics, and provides a crosswalk practitioners can use against Annex III, Articles 9 through 17, and the NIST Generative AI Profile (AI 600-1).

The context matters. The EU AI Act entered into force in August 2024, with obligations phasing in across 2025, 2026, and 2027.

The NIST AI RMF has been in production since January 2023 and is referenced explicitly by the Office of Management and Budget, the Department of Defense, and several US state laws.

Organizations that build a joint NIST AI RMF vs EU AI Act program today inherit a structure they can extend to ISO/IEC 42001:2023, Colorado, California, Texas, and whatever comes next.


Start with what your general counsel will ask first. The NIST AI RMF is voluntary guidance published by the US National Institute of Standards and Technology. It has no statutory penalty attached to it.

The EU AI Act, Regulation (EU) 2024/1689, is a directly applicable regulation of the European Union. It carries administrative fines, market restrictions, and criminal exposure at national level. That single difference drives almost every downstream decision in a NIST AI RMF vs EU AI Act program. For internal framing on voluntary standards posture, cross-reference our companion piece on the NIST AI RMF implementation guide.

Who is in scope under the EU AI Act

The EU AI Act binds providers, deployers, importers, and distributors of AI systems placed on the EU market or whose output is used in the EU, regardless of where the provider is established.

A US insurer using an AI model to triage claims for EU policyholders is in scope even if every server sits in Iowa. See the European Commission overview of the regulatory framework.

Scope under the NIST AI RMF is whoever chooses to adopt it. The incentive is contractual, reputational, and increasingly statutory: federal agencies reference it in procurement, and insurers are starting to price around it.

Extraterritorial reach and the Brussels effect

The EU AI Act has strong extraterritorial reach. Any AI output used inside the EU can trigger obligations, which is why the law is already functioning as a de facto global baseline.

US companies planning a NIST AI RMF vs EU AI Act program should assume the stricter rule applies to any model whose predictions cross an EU border. For a jurisdictional overview, see the OECD AI Principles and internal guidance on key components of a risk management policy.

Dimension | NIST AI RMF (US) | EU AI Act (EU)
Legal nature | Voluntary guidance | Binding regulation (EU 2024/1689)
Scope trigger | Adoption by choice | AI system placed on EU market or output used in EU
Jurisdiction | US-centric, globally referenced | Directly applicable in all 27 EU member states
Governing body | NIST / NIST AI Safety Institute | EU AI Office + national market surveillance authorities
Primary enforcement | Indirect (contracts, sector regs, state AI laws) | Administrative fines, product recalls, market withdrawal
Maximum penalty | None directly | EUR 35M or 7% of global annual turnover
Revision cycle | Living document; profiles updated biannually | Statutory; amendment requires EU legislative process

Prescriptiveness compared across six core dimensions


The NIST AI RMF vs EU AI Act comparison shows the EU regime is uniformly more prescriptive, especially on conformity assessment and penalty exposure.

The second structural difference is how each regime classifies risk. The NIST AI RMF expects organizations to define risk tolerance based on their own context, stakeholder values, and use cases. It is deliberately open.

The EU AI Act imposes four fixed legal tiers, and placement in those tiers is not negotiable. See the high-level summary of the AI Act for the official tier structure, and our complete guide to the risk assessment process for the underlying ISO 31000:2018 posture both frameworks inherit.

The EU AI Act’s four tiers

The four EU tiers are prohibited (Article 5), high-risk (Article 6 and Annex III), limited-risk with transparency duties (Article 50), and minimal-risk.

Prohibited practices include social scoring, real-time remote biometric identification in public spaces for law enforcement (with narrow exceptions), manipulative techniques, and predictive policing based solely on profiling.

Prohibited AI cannot be placed on the EU market at all, no matter how good your NIST AI RMF controls look. See Annex III of the EU AI Act for the full high-risk list.

How NIST AI RMF handles risk classification

The NIST AI RMF asks organizations to identify, analyze, and prioritize AI risks using the MAP function, then measure them (MEASURE) and treat them (MANAGE) against tolerance thresholds set in GOVERN. There is no pre-defined list of prohibited systems and no legal tier.

Most mature organizations end up defining tiers internally: unacceptable, high, medium, low. The practical move in a NIST AI RMF vs EU AI Act program is to align your internal tiers to the EU tiers, so that a high-risk EU system automatically maps to your highest internal tier and inherits the strictest controls. See the NIST AI RMF Playbook for the official suggested actions.

Annex III category | Example systems | Practitioner flag
1. Biometrics | Remote biometric ID, emotion recognition, biometric categorization | Almost always high-risk; check narrow exemptions under Art. 6(3)
2. Critical infrastructure | Grid management, water supply, road traffic safety | Safety component test is usually satisfied; assume high-risk
3. Education and vocational training | Admissions scoring, exam proctoring, placement allocation | High-risk if it materially influences access to education
4. Employment and workforce management | Resume screening, performance eval, worker task allocation | High-risk by default; trade union consultation may apply
5. Essential private and public services | Credit scoring, life/health insurance pricing, social benefits eligibility | Includes consumer credit-decisioning models; overlaps with fair lending
6. Law enforcement | Risk of offending, evidence reliability assessment, profiling | Heavily restricted; assume full conformity assessment required
7. Migration, asylum, border control | Visa risk scoring, document authentication | High-risk; carve-outs for pure IT security use are narrow
8. Administration of justice | Legal research assistance, judicial decision support | High-risk if used in judicial or democratic processes

Crosswalk: NIST AI RMF Functions Against EU AI Act Articles

A successful NIST AI RMF vs EU AI Act program treats one as the internal operating system and the other as the legal overlay. The four NIST functions (Govern, Map, Measure, Manage) cover roughly 60 to 70% of what the EU AI Act requires for high-risk AI systems.

The remaining 30 to 40% are EU-specific: conformity assessment under Article 43, CE marking under Article 48, EU database registration under Article 49, and post-market monitoring plus serious incident reporting under Articles 72 and 73.

For the official NIST mapping see the NIST AI RMF Core, and for EU obligations see Article 9 on risk management and Article 14 on human oversight. Pair that reading with our own cyber security risk management framework reference, since much of the control vocabulary carries over.

Mapping each RMF function to EU AI Act articles

NIST AI RMF function | EU AI Act articles covered | EU-specific gap to close separately
Govern (policies, culture, accountability) | Arts. 9, 17 (QMS), 26 (deployer duties), 55 (GPAI codes of practice) | Designate authorized representative in EU (Art. 22) for non-EU providers
Map (context, intended use, stakeholders) | Arts. 6, 10 (data governance), 13 (transparency), 26 | Fundamental rights impact assessment for deployers in Art. 27
Measure (metrics, testing, bias, robustness) | Arts. 10, 15 (accuracy/robustness/cybersecurity), 72 (post-market monitoring) | Conformity assessment evidence under Art. 43 in dossier format
Manage (treatment, incident response, retirement) | Arts. 14, 17, 72, 73 (serious incident reporting) | CE marking (Art. 48), EU database (Art. 49), 15-day incident reporting clock

Put the crosswalk on a single page for the audit committee. The goal is not to translate every NIST subcategory into every EU article, it is to demonstrate coverage and gaps.

See our risk management process overview for the broader risk lifecycle that both frameworks inherit, and PwC’s AI Predictions analysis for market context.

Visual crosswalk: how NIST functions cover each EU AI Act article


The red segments are the EU-specific gap every NIST AI RMF vs EU AI Act program must close separately.

Conformity Assessment, CE Marking, and Incident Reporting: The EU-Only Stack

Conformity assessment is the largest structural obligation the EU AI Act adds on top of a NIST AI RMF posture. It has no NIST equivalent.

Under Article 43, providers of most high-risk AI systems can self-assess using an internal quality management system (Annex VI procedure), but biometric systems generally require third-party conformity assessment by a notified body (Annex VII procedure).

The outputs are an EU declaration of conformity, CE marking affixed to the AI system or its documentation, and registration in the EU database under Article 49.

For an authoritative walkthrough see WilmerHale’s analysis of high-risk obligations, and align internally with our ISO 27001 risk assessment methodology for the underlying QMS mechanics.

Post-market monitoring and serious incident reporting

Providers of high-risk AI systems must operate a post-market monitoring system proportional to the nature of the AI technologies and the risks of the system (Article 72).

Serious incidents must be reported to the relevant market surveillance authority within 15 days of awareness, reduced to 2 days for widespread infringements and 10 days for deaths.

That clock does not exist in the NIST AI RMF, and it is the single most common surprise for US risk teams.

Build a dedicated AI incident response runbook; a generic cybersecurity incident response plan will not meet the AI Act’s specificity, timing, or content requirements. Our seven-step guide to monitoring risk can anchor the monitoring cadence.
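The reporting clock described above is the part of the runbook that is easiest to get wrong when an incident matches more than one category. The following is an added example (not code from the article or from any regulator's tooling) of how a runbook can encode the three Article 73 windows the article cites and surface the strictest applicable deadline in a weekly triage view. The incident categories use the article's figures (15, 10 and 2 days); the incident records, the AI-cause taxonomy and the system names are constructed for illustration.

```python
"""Serious-incident reporting clock for an AI incident response runbook.

Added example. The three windows come from the article's reading of
EU AI Act Art. 73; the incidents, system names and ai_cause values are
constructed sample data, not real events.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Days from awareness to the reporting deadline, per category.
REPORTING_WINDOWS = {"general": 15, "death": 10, "widespread_infringement": 2}


@dataclass(frozen=True)
class AIIncident:
    incident_id: str
    system: str
    awareness_date: date        # day the provider became aware of the incident
    categories: frozenset       # subset of REPORTING_WINDOWS keys
    ai_cause: str               # runbook classification (constructed taxonomy):
                                # "model_drift", "bias", "confabulation", ...


def reporting_deadline(incident: AIIncident) -> tuple:
    """Return (category, deadline); the strictest window wins when several apply."""
    if not incident.categories:
        raise ValueError("incident must carry at least one Art. 73 category")
    unknown = set(incident.categories) - set(REPORTING_WINDOWS)
    if unknown:
        raise ValueError(f"unknown categories: {sorted(unknown)}")
    category = min(incident.categories, key=REPORTING_WINDOWS.__getitem__)
    return category, incident.awareness_date + timedelta(days=REPORTING_WINDOWS[category])


def triage_queue(incidents, today: str) -> list:
    """Weekly triage view: deadline, days left and whether the clock has run out."""
    today_date = date.fromisoformat(today)
    rows = []
    for inc in incidents:
        category, deadline = reporting_deadline(inc)
        rows.append({
            "incident_id": inc.incident_id,
            "system": inc.system,
            "ai_cause": inc.ai_cause,
            "window": category,
            "deadline": deadline.isoformat(),
            "days_left": (deadline - today_date).days,
            "overdue": deadline < today_date,
        })
    rows.sort(key=lambda r: r["deadline"])   # most urgent first
    return rows


# Constructed sample incidents for a claims-triage model serving EU policyholders.
SAMPLE_INCIDENTS = [
    AIIncident("INC-001", "claims-triage-v3", date(2026, 9, 1),
               frozenset({"general"}), "model_drift"),
    # Matches two categories: the 2-day window must win over the 15-day one.
    AIIncident("INC-002", "claims-triage-v3", date(2026, 9, 3),
               frozenset({"general", "widespread_infringement"}), "bias"),
    # Awareness date far enough back that the 10-day clock has already expired.
    AIIncident("INC-003", "triage-assistant-llm", date(2026, 8, 20),
               frozenset({"death"}), "confabulation"),
]

if __name__ == "__main__":
    for row in triage_queue(SAMPLE_INCIDENTS, today="2026-09-04"):
        print(row)
```

The design choice worth copying is that the deadline is derived from the category set rather than entered by hand: a bias incident that is also a widespread infringement gets the 2-day window automatically, and an incident with no category at all is rejected rather than silently given the 15-day default.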

EU AI Act penalty tiers at a glance


Penalty tiers under the EU AI Act. In the NIST AI RMF vs EU AI Act comparison, this is the cost of getting the EU side wrong.

Generative AI: How NIST and the EU AI Act Handle Foundation Models Differently

Generative AI is where the NIST AI RMF vs EU AI Act divergence becomes most visible. NIST responded with the AI 600-1 Generative AI Profile in July 2024, built with input from a 2,500-participant public working group, centered on 13 generative AI-specific risks and over 400 recommended actions.

The EU AI Act instead created a new category of general-purpose AI (GPAI) models with its own obligations under Articles 51 through 56, and an additional tier for GPAI models with systemic risk (training compute exceeding 10^25 FLOPs being the default trigger).

NIST AI 600-1 GenAI Profile at a glance

The Profile maps each of its 13 risks (including confabulation, dangerous content, data privacy harms, environmental impact, harmful bias, human-AI configuration risks, information integrity, information security, intellectual property, obscene sexual content, toxicity, value chain risk, and CBRN uplift) to the existing Govern-Map-Measure-Manage functions.

It is not a new framework; it is a concrete overlay. Organizations should use it as the vocabulary for defining tolerances and control tests for any system that generates text, code, images, audio, or video.

See our model risk management primer for connective tissue between traditional model risk management and the Profile.

EU AI Act GPAI duties after August 2025

Providers of GPAI models placed on the EU market must maintain technical documentation, provide information to downstream providers, comply with Union copyright law, and publish a sufficiently detailed summary of training data.

GPAI models with systemic risk additionally must perform model evaluations including adversarial testing, assess and mitigate systemic risks, report serious incidents, and ensure cybersecurity protection (European Commission guidelines for GPAI providers).

Penalties for GPAI-specific breaches can reach EUR 15M or 3% of global turnover under Article 101. For context on market dynamics see McKinsey’s State of AI report.

Concern | NIST AI 600-1 GenAI Profile response | EU AI Act GPAI response
Training data provenance | MAP 4.1-4.2 actions on documentation and third-party rights | Art. 53(1)(c) copyright compliance + public training data summary
Model evaluations | MEASURE 2.5 adversarial testing and red-teaming actions | Art. 55 mandatory for systemic-risk GPAI, including adversarial testing
Incident reporting | MANAGE 4.1 tracking and disclosure | Art. 55(1)(c) + Art. 73 within 15/10/2-day windows
Systemic risk trigger | Organization-defined | 10^25 FLOPs training compute (presumption)
Downstream transparency | MAP 2.1 intended use documentation | Art. 53 detailed information to downstream providers
Bias and fairness | MEASURE 2.11 bias testing | Arts. 10 (data governance) + 15 (accuracy) in integrated systems

Building a Joint NIST AI RMF vs EU AI Act Program: Practical Steps

Pragmatism first. Most US organizations already have some combination of a model governance committee, a vendor risk program, and an incident response function. A NIST AI RMF vs EU AI Act program should extend those, not replace them.

Use the Cloud Security Alliance crosswalk on NIST, ISO 42001, and the EU AI Act as a reference artifact. Pair it with our five-step risk management process so the governance cadence is familiar to the audit committee.

Foundation: inventory and classify

Start with an AI inventory that records: system name, owner, intended use, training data source, deployment location, users, downstream consumers, and a binary flag for whether any output reaches the EU.

Classify each system against Annex III first (EU legal tier), then against your internal NIST-aligned tier.

A simple rule works: if Annex III is a hit, the internal tier is automatically your highest. See our risk assessment templates for a starter inventory layout, and the Gartner AI insights hub for market benchmarks.

Controls library: one set, two mappings

Design one control library — aligned to your existing information security management system so AI controls inherit the same governance rigor as ISMS controls — covering documentation, data governance, human oversight, transparency, accuracy, robustness, cybersecurity, post-market monitoring, incident reporting, and retirement.

Tag each control with the NIST subcategory (for example MEASURE 2.7) it addresses and the EU article (for example Art. 15) it satisfies.

This avoids running two parallel control catalogs, which always drifts out of sync. The IIA Three Lines Model assigns who owns each control in first, second, and third line; treat second line as the owner of the control library itself. Link internally to the three components of risk management.

Testing and evidence

For every high-risk system, schedule annual conformity assessment refresh, quarterly bias and performance testing, monthly monitoring metric review, and weekly incident triage.

Keep evidence in a single repository indexed to both NIST AI RMF vs EU AI Act taxonomies. When a regulator requests technical documentation (Annex IV), the repository should produce a complete dossier within 72 hours. See Deloitte’s regulatory outlook for benchmarking.
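The three steps above (inventory and classify, one control library with two tag sets, evidence indexed to both taxonomies) can be held in one small data model. The following is an added example, not code from the article or from NIST, of the Annex III tier-lock rule and of a gap report that reads a single control library through both the EU article lens and the NIST subcategory lens. The control identifiers (AIC-01 and so on), the control descriptions, the inventory record and the placement of each control under a NIST subcategory are constructed for illustration; the NIST subcategory ids are real RMF Core identifiers but their pairing with these controls is an assumption, not the official mapping. The set of required articles is the one the article names: Articles 9 through 17 plus the EU-only stack (43, 48, 49, 72, 73) and Article 22 for non-EU providers.

```python
"""One AI control library, two mappings (NIST AI RMF and EU AI Act).

Added example. Control ids, descriptions, the sample inventory record and
the control-to-subcategory placement are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Internal tiers named as in the article, strictest first. "unacceptable" is
# reserved for prohibited practices; "high" is the top tier for a system that
# can be placed on the EU market at all.
INTERNAL_TIERS = ("unacceptable", "high", "medium", "low")

# Articles a high-risk system must evidence: Arts. 9-17 plus the EU-only stack.
HIGH_RISK_ARTICLES = tuple(range(9, 18)) + (43, 48, 49, 72, 73)


@dataclass
class AISystem:
    name: str
    owner: str
    intended_use: str
    training_data_source: str
    deployment_location: str
    users: str
    downstream_consumers: str
    reaches_eu: bool                    # binary flag from the inventory step
    annex_iii_category: Optional[int]   # 1..8, or None if no Annex III hit
    proposed_internal_tier: str         # what the business unit proposed
    provider_in_eu: bool = True         # False triggers the Art. 22 representative duty


def classify(system: AISystem) -> dict:
    """Annex III first, internal tier second; an Annex III hit locks the tier."""
    annex_hit = system.reaches_eu and system.annex_iii_category is not None
    internal = system.proposed_internal_tier
    if internal not in INTERNAL_TIERS:
        raise ValueError(f"unknown internal tier: {internal}")
    # Rule from the article: Annex III presence cannot be argued down internally.
    if annex_hit and INTERNAL_TIERS.index(internal) > INTERNAL_TIERS.index("high"):
        internal = "high"
    eu_tier = "high-risk (Annex III)" if annex_hit else "not high-risk under Annex III"
    return {"eu_tier": eu_tier, "internal_tier": internal, "annex_iii_hit": annex_hit}


@dataclass
class Control:
    control_id: str
    description: str
    nist_subcategories: tuple   # e.g. ("MEASURE 2.7",)
    eu_articles: tuple          # e.g. (15,)


# Constructed control library: each control carries both tag sets.
CONTROL_LIBRARY = [
    Control("AIC-01", "Lifecycle risk management process", ("GOVERN 1.3", "MAP 1.5"), (9,)),
    Control("AIC-02", "Training/validation/test data governance and bias checks", ("MAP 2.1", "MEASURE 2.11"), (10,)),
    Control("AIC-03", "Technical documentation kept in Annex IV structure", ("GOVERN 1.4",), (11,)),
    Control("AIC-04", "Automatic event logging", ("MEASURE 2.4",), (12,)),
    Control("AIC-05", "Instructions for use and transparency to deployers", ("MAP 2.1",), (13,)),
    Control("AIC-06", "Human oversight measures designed and tested", ("MANAGE 2.2",), (14,)),
    Control("AIC-07", "Accuracy, robustness and cybersecurity testing", ("MEASURE 2.5", "MEASURE 2.7"), (15,)),
    Control("AIC-08", "Quality management system documented", ("GOVERN 1.1",), (17,)),
    Control("AIC-09", "Post-market monitoring metrics reviewed monthly", ("MANAGE 4.1",), (72,)),
    Control("AIC-10", "Serious-incident runbook with 15/10/2-day clocks", ("MANAGE 4.3",), (73,)),
]


def gap_report(system: AISystem, library=CONTROL_LIBRARY) -> dict:
    """EU lens: which required articles have at least one control, which are gaps."""
    if not classify(system)["annex_iii_hit"]:
        return {"required": (), "covered": {}, "gaps": ()}
    required = HIGH_RISK_ARTICLES + ((22,) if not system.provider_in_eu else ())
    covered = {}
    for art in required:
        hits = [c.control_id for c in library if art in c.eu_articles]
        if hits:
            covered[art] = hits
    gaps = tuple(a for a in required if a not in covered)
    return {"required": required, "covered": covered, "gaps": gaps}


def nist_view(library=CONTROL_LIBRARY) -> dict:
    """NIST lens on the same library: subcategory -> control ids."""
    view = {}
    for c in library:
        for sub in c.nist_subcategories:
            view.setdefault(sub, []).append(c.control_id)
    return view


# Constructed inventory record for the claims-triage model from the opening.
CLAIMS_TRIAGE = AISystem(
    name="claims-triage-v3", owner="Claims Analytics",
    intended_use="prioritise health claims for adjuster review",
    training_data_source="internal claims history", deployment_location="us-east",
    users="claims adjusters", downstream_consumers="payment workflow",
    reaches_eu=True, annex_iii_category=5,      # essential services: insurance pricing
    proposed_internal_tier="medium", provider_in_eu=False,
)

if __name__ == "__main__":
    print(classify(CLAIMS_TRIAGE))
    print("gaps:", gap_report(CLAIMS_TRIAGE)["gaps"])   # Arts. 16, 43, 48, 49, 22 uncovered
```

Run on the sample record, the report shows exactly what the audit committee page needs: the proposed "medium" tier is overridden to "high" by the Annex III hit, Articles 9 through 15 and 17 plus 72 and 73 are covered, and the EU-only stack (43, 48, 49), Article 16 and the Article 22 representative duty come back as gaps to close separately.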

Rollout timeline every NIST AI RMF vs EU AI Act program must track


The compliance cliff in August 2026 is non-negotiable for any NIST AI RMF vs EU AI Act program serving EU customers.

Frequently Asked Questions About NIST AI RMF vs EU AI Act

Is the NIST AI RMF mandatory for US companies?

The NIST AI RMF is not mandatory at the federal level for private-sector US companies. Federal agencies must align with it under Executive Order 14110 and related OMB guidance, and several states (Colorado, California, Texas) have incorporated parts of it into binding law effective 2025 and 2026.

Contract terms from federal customers and insurers also increasingly reference it, which makes it mandatory in practice for many organizations. A NIST AI RMF vs EU AI Act comparison in 2026 should assume NIST is de facto required even where it is de jure voluntary. See the official NIST AI RMF page.

Does implementing NIST AI RMF make me compliant with the EU AI Act?

No. A mature NIST AI RMF implementation covers roughly 60 to 70% of EU AI Act substance but misses the EU-specific stack: conformity assessment under Article 43, CE marking under Article 48, EU database registration under Article 49, serious incident reporting within 15 days under Article 73, and designation of an authorized representative under Article 22 for non-EU providers.

Treat the NIST AI RMF vs EU AI Act relationship as “complementary, not interchangeable.” Pair your NIST program with a gap analysis against Annex III and Articles 9 through 17.

What is the biggest practical difference between NIST AI RMF and EU AI Act?

Legal force. The NIST AI RMF cannot fine you. The EU AI Act can fine you up to EUR 35M or 7% of global annual turnover.

Every other difference (fixed vs flexible risk tiers, prescribed conformity assessment, mandatory incident timelines, extraterritorial scope) flows from that.

For risk-adjusted resource allocation, budget for the EU AI Act like a GDPR-scale program, and budget for the NIST AI RMF like a voluntary but consequential standard.

Which AI systems are classified as high-risk under the EU AI Act?

Two categories are high-risk: (a) AI systems that are safety components of products covered by Annex I Union harmonization legislation (medical devices, machinery, toys, and similar) and must already undergo third-party conformity assessment; and (b) standalone AI systems in the eight Annex III areas (biometrics; critical infrastructure; education; employment; essential services including credit scoring and life/health insurance; law enforcement; migration; administration of justice).

A narrow exemption under Article 6(3) exists when the system performs only a procedural or preparatory task, but the burden of proof sits with the provider. See the EU AI Act Service Desk summary of Annex III.

How does ISO/IEC 42001 relate to NIST AI RMF and the EU AI Act?

ISO/IEC 42001:2023 is the first certifiable AI management system standard and sits structurally between the NIST AI RMF and the EU AI Act.

It uses Plan-Do-Check-Act aligned to the NIST Govern-Map-Measure-Manage functions and provides evidence a regulator will accept toward EU AI Act quality management system obligations under Article 17.

Organizations pursuing a multi-framework posture typically certify to ISO 42001, map their NIST AI RMF subcategories into it, and layer EU-specific controls on top. See ISO/IEC 42001 standard page and our guide to developing a risk assessment policy.

What happens on August 2, 2026 for the NIST AI RMF vs EU AI Act timeline?

August 2, 2026 is the single most important date in the NIST AI RMF vs EU AI Act landscape for US multinationals.

On that day, the obligations for high-risk AI systems listed in Annex III become enforceable, and the European Commission gains supervisory and enforcement powers over GPAI model providers, including the power to impose fines up to EUR 15M or 3% of global turnover under Article 101.

Organizations should be in final remediation by Q2 2026 and in conformity-assessment execution mode by July. NIST AI RMF adoption alone will not be enough. See the official implementation timeline.

Do I need a separate AI incident response plan?

Yes for any high-risk AI system serving the EU market. The EU AI Act defines “serious incident” broadly (Articles 3 and 73) and imposes strict reporting windows: 15 days in general, 10 days for death of a person, 2 days for widespread infringement. Your existing cybersecurity incident response plan will not meet this.

You need a plan that classifies AI-specific incidents (model drift causing harm, bias causing discriminatory outcomes, confabulation in safety-critical contexts), names the EU market surveillance authority as a notification target, and prescribes evidence preservation for post-market monitoring under Article 72.

Are small and medium-sized enterprises (SMEs) exempt?

Not exempt, but proportionally accommodated. The EU AI Act directs member states and the AI Office to provide priority access to regulatory sandboxes, simplified technical documentation formats, and reduced fees.

Penalties under Article 99(6) must also be proportional to the SME’s size and economic viability. That said, a US SME placing an AI system on the EU market remains fully subject to Annex III classification and Articles 9 through 17. See the AI Office support for SMEs.

Common Pitfalls in NIST AI RMF vs EU AI Act Programs

Pitfall | Root cause | Remedy
Treating NIST AI RMF implementation as EU AI Act compliance | Both frameworks share vocabulary; leadership assumes interoperability | Build an explicit crosswalk and tag each control with both a NIST subcategory and an EU article
Missing Annex III classification in AI inventory | Inventory templates designed pre-EU AI Act focus only on technical attributes | Add mandatory EU tier flag and Annex III subcategory field to every inventory record
Generic cyber incident response used for AI serious incidents | No one noticed the 15-day AI Act clock until the dry run | Write a dedicated AI incident response runbook with tier-specific escalation paths and named EU authority contacts
No authorized representative designated for non-EU providers | Article 22 duty overlooked because it reads like a notary step | Designate and document EU authorized representative before first EU market placement; refresh annually
GPAI transitional period misunderstood | Providers of pre-August 2025 models think they are grandfathered indefinitely | Track the August 2, 2027 deadline for pre-existing GPAI and build remediation plan now
Single controls library but no evidence index | Controls are documented but audit dossier cannot be produced under 72-hour regulator request | Build an Annex IV-aligned evidence index and run quarterly dry-runs
Using internal risk tolerance to de-classify Annex III systems | Business units argue their use is “low risk” regardless of EU tier | Enforce the rule that Annex III presence locks the tier; document Article 6(3) exemption claims with legal review
Ignoring US state laws while focused on EU AI Act | Global program energy absorbed by Brussels timeline | Maintain a US state law tracker alongside the EU AI Act crosswalk; Colorado, California, Texas effective 2026

Looking Ahead: The NIST AI RMF vs EU AI Act Landscape in 2026 and 2027

Three things will define the NIST AI RMF vs EU AI Act conversation across 2026 and 2027. First, the European Commission will start testing enforcement mechanics.

Expect early high-profile GPAI cases in late 2026 or 2027 as the AI Office exercises its Article 101 powers. In parallel, NIST will continue releasing sector-specific profiles, with cybersecurity (via NIST IR 8596) and healthcare profiles already in development. US organizations should assume the voluntary frame is eroding toward de facto mandatory.

Second, ISO/IEC 42001 certification demand will accelerate. Early adopters (Microsoft, AWS, several enterprise SaaS vendors) now certify to it, and insurers are starting to ask about it in cyber and E&O underwriting.

Certifications will become the easiest way to demonstrate both NIST AI RMF alignment and readiness for EU AI Act Article 17 quality management obligations. Our risk management process overview and cloud risk mitigation piece both anchor to the same underlying posture.

Third, the US federal picture will continue to shift. Executive orders may change, but state laws are now on the books in Colorado, California, and Texas, each with its own definition of “high-risk AI” that does not fully align with either NIST AI RMF or EU AI Act categories.

The practical implication: a NIST AI RMF vs EU AI Act crosswalk is necessary but not sufficient. Maintain a third column in your control library for US state law, and treat it as a living document. For a wider view see Harvard Business Review’s analysis of AI regulation direction.

By late 2027, the mature posture will be a single AI management system certified to ISO/IEC 42001, operated via the NIST AI RMF Govern-Map-Measure-Manage cadence, with overlays for the EU AI Act, US state laws, and sector-specific rules (financial services model risk management, healthcare FDA pathways).

Organizations that build this now spend less in aggregate than those that bolt compliance on after first enforcement. Deloitte, PwC, and McKinsey practice materials all point in the same direction: consolidate AI governance around a single framework and map everything else into it.

Building a NIST AI RMF vs EU AI Act program is not a weekend project, and the August 2026 compliance cliff leaves little slack. If you want hands-on help designing an AI governance program, building a controls crosswalk, or preparing for conformity assessment, explore our risk management services or contact us directly to scope the work.

Whether you are starting from a blank page or retrofitting a mature program, a single integrated approach to NIST AI RMF vs EU AI Act compliance is more affordable and more defensible than running parallel tracks.

NIST AI RMF and the EU AI Act are the two anchor frameworks, but practical AI governance also requires enterprise policy design, sector-specific compliance checklists, and emerging guardrails for generative and agentic systems. The companion guides below extend the comparison above into the operational layer of AI governance.
