
Framework Mapping — Connecting Laws, Standards, and Controls

20 min | Advanced | AIGP Certification Prep

You've now studied the EU AI Act, NIST AI RMF, ISO 42001, and the OECD Principles. Today you'll learn to map across frameworks — a practical skill the AIGP exam tests and one you'll use in real governance work.

Figure: Cross-walk mapping between EU AI Act, NIST AI RMF, and ISO 42001. Mapping across frameworks reveals overlaps and identifies gaps, which is essential for building a unified compliance program.

Why Framework Mapping Matters

Most organizations must comply with multiple AI governance frameworks simultaneously. Without mapping:

- Teams duplicate effort by implementing the same control multiple times under different framework labels

- Gaps go unnoticed because each framework covers slightly different ground

- Audit preparation becomes a nightmare of redundant documentation

- Resources are wasted on overlapping assessments

A compliance matrix maps requirements across frameworks to controls, enabling a "comply once, satisfy many" approach.

Cross-Walk Example: Risk Management

Let's trace how risk management maps across three frameworks:

EU AI Act (Article 9) — Providers of high-risk AI must establish a continuous, iterative risk management system that identifies, estimates, evaluates, and mitigates risks throughout the lifecycle.

NIST AI RMF (Map + Measure + Manage) — Map identifies risks in context. Measure assesses them quantitatively and qualitatively. Manage implements treatment. Govern provides the organizational structure.

ISO 42001 (Clause 6 + Annex A) — Planning requires risk assessment for AI systems, including impact assessment. Operational controls implement risk treatment. Performance evaluation monitors effectiveness.

The mapping: A single risk management process can satisfy all three if it:

1. Is continuous and lifecycle-oriented (EU AI Act)

2. Contextualizes risks to specific use cases (NIST Map)

3. Uses quantitative and qualitative metrics (NIST Measure)

4. Implements proportionate controls (all three)

5. Is documented and auditable (ISO 42001)

Knowledge Check
An organization implements a risk management process for its high-risk AI systems that satisfies EU AI Act Article 9 requirements. Does this automatically satisfy NIST AI RMF requirements?
There's significant overlap in risk management requirements, but the NIST AI RMF's Govern function covers organizational culture, stakeholder engagement, and diversity considerations that go beyond Article 9's technical risk management requirements. Framework mapping identifies both overlaps and gaps.

Cross-Walk Example: Documentation

EU AI Act (Article 11, Annex IV) — Technical documentation with specific contents: general description, development process, monitoring information, risk management documentation.

NIST AI RMF (Transparency) — Documentation is embedded across all functions as "transparency" artifacts. The Playbook suggests specific documentation actions.

ISO 42001 (Clause 7.5) — Documented information requirements covering policies, procedures, records, and assessments.

Practical consolidation: Create a unified documentation framework that satisfies all three:

- Model card → Satisfies Annex IV general description + NIST transparency + ISO documented information

- Risk assessment report → Satisfies Article 9 documentation + NIST Map/Measure outputs + ISO risk assessment records

- Data governance documentation → Satisfies Article 10 + NIST data quality + ISO operational controls

Building Your Compliance Matrix

A practical compliance matrix has these columns:

| Requirement | EU AI Act | NIST AI RMF | ISO 42001 | Control | Owner | Status |
|---|---|---|---|---|---|---|
| Risk assessment | Art. 9 | Map, Measure | 6.1 | AI-RM-001 | Risk team | Implemented |
| Documentation | Art. 11 | Transparency | 7.5 | AI-DOC-001 | Governance | In progress |
| Human oversight | Art. 14 | Govern 1.4 | A.8 | AI-HO-001 | Operations | Planned |

This matrix becomes your single source of truth for AI governance compliance.
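As an added illustration (not part of the lesson), the matrix above can be kept as structured data so that overlaps and gaps are computed rather than eyeballed. The rows are the lesson's three entries plus one constructed "Data governance" row that is deliberately left partly unmapped and without a control, so the gap report has something to find; the control IDs and statuses are taken from the table.

```python
# Added example, not part of the lesson: a small compliance-matrix helper
# that cross-walks requirements to controls and reports overlaps and gaps.
FRAMEWORKS = ("EU AI Act", "NIST AI RMF", "ISO 42001")

# The three rows from the lesson's matrix plus one constructed row
# (Data governance) left partly unmapped so a gap has something to find.
MATRIX = [
    {"requirement": "Risk assessment", "EU AI Act": "Art. 9",
     "NIST AI RMF": "Map, Measure", "ISO 42001": "6.1",
     "control": "AI-RM-001", "owner": "Risk team", "status": "Implemented"},
    {"requirement": "Documentation", "EU AI Act": "Art. 11",
     "NIST AI RMF": "Transparency", "ISO 42001": "7.5",
     "control": "AI-DOC-001", "owner": "Governance", "status": "In progress"},
    {"requirement": "Human oversight", "EU AI Act": "Art. 14",
     "NIST AI RMF": "Govern 1.4", "ISO 42001": "A.8",
     "control": "AI-HO-001", "owner": "Operations", "status": "Planned"},
    {"requirement": "Data governance", "EU AI Act": "Art. 10",  # constructed row
     "NIST AI RMF": "", "ISO 42001": "",
     "control": "", "owner": "", "status": "Not started"},
]


def frameworks_satisfied(row):
    """Frameworks for which this row cites a clause, article or function."""
    return tuple(f for f in FRAMEWORKS if row[f].strip())


def reuse_report(matrix):
    """'Comply once, satisfy many': how many frameworks each control covers."""
    return {r["control"]: len(frameworks_satisfied(r)) for r in matrix if r["control"]}


def mapping_gaps(matrix):
    """(requirement, framework) pairs where no clause has been mapped yet."""
    return [(r["requirement"], f) for r in matrix
            for f in FRAMEWORKS if f not in frameworks_satisfied(r)]


def control_gaps(matrix):
    """Requirements with no control assigned or whose control is not yet implemented."""
    return [r["requirement"] for r in matrix
            if not r["control"] or r["status"] != "Implemented"]


if __name__ == "__main__":
    print("controls reused across frameworks:",
          {c: n for c, n in reuse_report(MATRIX).items() if n > 1})
    print("unmapped cells:", mapping_gaps(MATRIX))
    print("requirements lacking an implemented control:", control_gaps(MATRIX))
```

Running it lists the three lesson controls as each satisfying all three frameworks, flags the two empty NIST and ISO cells of the constructed row, and names every requirement still waiting on an implemented control.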

Knowledge Check
When building a compliance matrix across EU AI Act, NIST AI RMF, and ISO 42001, what is the PRIMARY benefit?
The primary benefit is efficiency — identifying overlaps allows a single control to satisfy requirements from multiple frameworks ("comply once, satisfy many"). It doesn't eliminate controls, guarantee legal compliance, or remove the need for framework-specific audits.

Mini Capstone Exercise

Consider this scenario: Your organization is deploying a high-risk AI lending model in the EU. Map these governance actions to the relevant framework requirements:

1. Conduct a bias audit across demographic groups → EU AI Act (Art. 10, data governance) + NIST (Measure, fairness metrics) + ISO 42001 (AI system impact assessment)

2. Document model architecture, training data, and limitations → EU AI Act (Art. 11, Annex IV) + NIST (Transparency) + ISO 42001 (documented information)

3. Establish human review for high-value decisions → EU AI Act (Art. 14, human oversight) + NIST (Govern, human oversight) + ISO 42001 (operational controls)

4. Monitor for data drift in production → EU AI Act (Art. 9, ongoing risk management) + NIST (Measure, monitoring) + ISO 42001 (performance evaluation)

This is exactly the type of mapping exercise the AIGP exam may present in scenario-based questions.

Final Check
Your organization has implemented ISO 42001 and wants to demonstrate compliance with the EU AI Act for its high-risk AI systems. What ADDITIONAL steps are most likely needed beyond ISO 42001?
While ISO 42001 covers many substantive AI governance requirements, the EU AI Act includes specific procedural requirements — conformity assessment procedures, CE marking, registration in the EU database, and specific Annex IV documentation formats — that go beyond any management system standard. ISO 42001 provides a strong foundation but doesn't eliminate EU AI Act-specific compliance steps.
Day 17 Complete
"Framework mapping enables 'comply once, satisfy many.' A compliance matrix maps requirements to controls across frameworks, identifying overlaps and gaps. Build one source of truth for your AI governance program."