v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

AI governance framework

An AI governance framework is a structured set of principles, controls and processes for managing AI risks consistently across the AI lifecycle.

CASRAI research-methods explainer — AI governance framework

What a framework provides

A governance framework supplies three things an organisation would otherwise have to invent: a shared vocabulary for AI risk, a defined structure of functions or clauses to work through, and repeatable processes that produce evidence. Rather than each team deciding ad hoc what "responsible" means, a framework fixes the categories — for example NIST’s Govern, Map, Measure and Manage functions, or the management-system clauses of ISO/IEC 42001. This consistency lets an organisation compare risk across systems, demonstrate diligence to third parties, and onboard new teams without relearning the basics each time.

The main frameworks

The NIST AI Risk Management Framework (2023) is a voluntary US framework organised around four functions and accompanied by a Generative AI Profile. ISO/IEC 42001 (2023) is an international, certifiable management-system standard specifying requirements for an AI management system. The OECD AI Principles and the UNESCO Recommendation on the Ethics of AI provide values-level foundations adopted internationally. Many organisations layer these: a principle set for values, NIST AI RMF for risk practice, and ISO/IEC 42001 when external certification is required. They are designed to complement rather than contradict each other.

Choosing and combining frameworks

Selection depends on purpose. Where an organisation needs a flexible, voluntary structure to build internal risk practice, the NIST AI RMF is a common starting point. Where it needs a certifiable, auditable system that customers or regulators recognise, ISO/IEC 42001 fits. Sector-specific guidance and regional regulation such as the EU AI Act may also shape the choice. Crucially, frameworks are not mutually exclusive: NIST AI RMF’s functions can populate the operational practice inside an ISO/IEC 42001 management system, with ethical principles supplying the high-level commitments both serve.

Key facts

At a glance

  • Definition: a structured set of principles, controls and processes for managing AI risk across the lifecycle
  • Examples: NIST AI RMF, ISO/IEC 42001, OECD AI Principles
  • Purpose: consistent, repeatable, evidence-producing AI risk management
  • NIST AI RMF: voluntary, four functions (Govern, Map, Measure, Manage)
  • ISO/IEC 42001: certifiable international AI management-system standard
  • Use: frameworks are complementary and often combined

Common misconceptions

What people often get wrong

Often heard: You must pick a single AI governance framework and use only that.

Actually: Frameworks are designed to complement each other. Organisations commonly combine a principle set, the NIST AI RMF for operational risk practice, and ISO/IEC 42001 where certification is needed, mapping controls across them.

Often heard: A framework guarantees an AI system is safe.

Actually: A framework structures how risks are identified and managed; it does not by itself make a system safe. Outcomes depend on how rigorously the framework is applied, evidenced and maintained over the system lifecycle.

Often heard: An AI governance framework is the same as a law you must obey.

Actually: Most frameworks are voluntary standards, not statutes. They can support legal compliance and may be referenced by regulation, but adopting a framework is a management choice distinct from a legal obligation.
