AI Compliance Framework Crosswalk
These frameworks do not use the same language, serve the same function, or carry the same legal force: the EU AI Act is binding law for systems in its scope, the NIST AI RMF is voluntary guidance, and ISO/IEC 42001 is a certifiable management-system standard. This crosswalk helps teams translate between them without pretending they are interchangeable.
| Concept | EU AI Act | NIST AI RMF | ISO 42001 | Practical interpretation |
|---|---|---|---|---|
| Risk management | Art. 9 — risk management system throughout the lifecycle | Govern, Map: risk framing, context mapping, impact characterisation | 6.1.2, 6.1.3 — AI risk assessment and treatment | The EU AI Act is prescriptive (it lists the steps the system must comprise). NIST frames risk contextually. ISO requires a management-system approach. All three start with identifying and characterising risk. Regulatory Mapping Table → |
| Obligation / requirement | Arts. 9–15 (high-risk requirements), 26–27 (deployer obligations), 50 (transparency), 72–73 (post-market monitoring, incident reporting) — statutory requirements | Govern: governance policies, accountability structures | 4.1, 5.1 — context of the organisation, leadership commitment | The EU AI Act imposes legal obligations. NIST defines governance expectations. ISO requires the organisation to define its own requirements. The LatentMesh model starts with the obligation as the first input. AI Compliance guide → |
| Control | Art. 9(2)(d), 9(5) — risk management measures; Art. 14 — human oversight design | Manage: risk response, mitigation actions | 6.1.3, 8.1 — AI risk treatment, operational planning and control | The EU AI Act requires specific mechanisms. NIST expects documented risk responses. ISO requires treatment plans with controls. LatentMesh defines a control as a verifiable mechanism that produces evidence. Controls Are Not Guardrails → |
| Evaluation / verification | Art. 9(6)–(8) — testing against predefined metrics; Art. 15 — accuracy, robustness, cybersecurity | Measure: metrics, assessment, analysis, monitoring | 9.1 — monitoring, measurement, analysis, evaluation | The EU AI Act requires testing appropriate to the system. NIST emphasises measurement and metrics. ISO requires systematic evaluation. All converge on: you must verify controls work, not just assert they exist. The Eval Gap → |
| Evidence artifact | Art. 11, Annex IV — technical documentation; Art. 12 — logging | Govern, Manage: documentation, provenance tracking | 7.5 — documented information | The EU AI Act specifies what must be documented. NIST expects governance artefacts. ISO requires documented information to support the management system. LatentMesh treats evidence artifacts as the output of evaluations, not of compliance meetings. What Your Agent Logged vs. What the Auditor Needed → |
| Owner / accountability | Art. 16 — provider obligations; Art. 26 — deployer obligations | Govern: roles, responsibilities, accountability structures | 5.3 — organisational roles, responsibilities, authorities | The EU AI Act assigns legal accountability to providers and deployers. NIST expects defined roles. ISO requires documented responsibilities. LatentMesh requires every control to have a named owner. Regulatory Mapping Table → |
| Review cadence | Art. 72 — post-market monitoring; Art. 9(2) — risk management as a continuous iterative process | Govern, Manage: monitoring, ongoing assessment | 9.3, 10.1 — management review, continual improvement | The EU AI Act requires systematic post-market monitoring. NIST expects continuous assessment. ISO requires management review cycles. Cadence is what keeps the compliance loop alive rather than a snapshot. AI Compliance Glossary → |
| Human oversight | Art. 14 — human oversight measures during operation | Govern, Manage: human-AI teaming, human factors | 6.1.2 — risk assessment including human factors | The EU AI Act is the most prescriptive: the system must be designed so a human can understand, monitor, interpret, override, and stop it. NIST frames oversight as a governance consideration. ISO treats it as a risk factor. From Obligation to Evidence → |
| Logging / traceability | Art. 12 — automatic recording of events (logs) over the system's lifetime | Manage, Measure: provenance tracking, system monitoring | 7.5, 9.1 — documented information, monitoring | The EU AI Act requires automatic logging. NIST expects traceability. ISO requires records. The LatentMesh distinction: traceability means reconstructing the full chain from input to output for a given request, not just storing logs. AI Compliance Glossary → |
| Incident response | Art. 73 — serious incident reporting, within 15 days of the provider becoming aware | Manage: incident management, response processes | 10.2 — nonconformity, corrective action | The EU AI Act is the most specific: 15 days from awareness, shortened to 2 days for a widespread infringement or a disruption of critical infrastructure and to 10 days where a person has died. NIST expects incident management processes. ISO treats incidents as nonconformities requiring corrective action. The Incident Response Gap in AI Systems → |
| Post-deployment monitoring | Art. 72 — proportionate post-market monitoring system | Manage, Measure: ongoing monitoring, retraining, decommissioning | 9.1, 10.1 — monitoring, continual improvement | All three frameworks require post-deployment monitoring. The EU AI Act is the most specific about what the monitoring system must include. The key question: are you monitoring system health, or monitoring compliance health? Both are needed. Drift Is the Default → |
| Documentation | Art. 11, Annex IV — technical documentation before market placement | Govern: governance documentation, system cards, impact assessments | 7.5 — documented information, maintained and retained | The EU AI Act specifies a detailed documentation package (Annex IV). NIST expects governance documentation. ISO requires a management system with documented policies. Documentation is table stakes across all three; the question is what the documentation proves. Mapping the EU AI Act to Engineering Evidence → |
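The logging / traceability row draws a line between storing logs and being able to reconstruct the chain from input to output for one request. The following is an added example (not code from this page or from LatentMesh) of what that distinction looks like in an implementation: each recorded event carries the hash of the previous event for the same request, so an auditor can rebuild the ordered chain for a given trace id out of an interleaved store and will be told if any event was altered or removed after the fact. The event kinds, field names, the sample credit-scoring request and the hash-chain design are assumptions for illustration; Art. 12 does not mandate this or any particular schema.

```python
"""Hash-chained AI decision trace: reconstruct input -> output per request
and detect altered or missing events. Added illustration; event kinds and
field names are assumptions, not an Art. 12 schema."""
import copy
import hashlib
import json
from typing import Any, Dict, List


def _digest(entry: Dict[str, Any]) -> str:
    """SHA-256 over canonical JSON of every field except the hash itself,
    so changing any recorded value changes the digest."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


class TraceLog:
    """Append-only store. Each event links to the previous event of the same
    trace_id, so one request forms its own chain even when events from many
    requests are interleaved in the store."""

    def __init__(self) -> None:
        self.entries: List[Dict[str, Any]] = []
        self._heads: Dict[str, str] = {}  # trace_id -> hash of its latest event

    def record(self, trace_id: str, kind: str, **fields: Any) -> str:
        entry: Dict[str, Any] = {
            "seq": len(self.entries),
            "trace_id": trace_id,
            "kind": kind,
            "prev": self._heads.get(trace_id),  # None for the first event of a trace
            **fields,
        }
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
        self._heads[trace_id] = entry["hash"]
        return entry["hash"]


def reconstruct(entries: List[Dict[str, Any]], trace_id: str) -> List[Dict[str, Any]]:
    """Rebuild the ordered event chain for one request, verifying every link.
    Raises ValueError if an event was altered, is missing, or the chain forks."""
    by_hash = {e["hash"]: e for e in entries if e["trace_id"] == trace_id}
    referenced = {e["prev"] for e in by_hash.values() if e["prev"] is not None}
    heads = [e for e in by_hash.values() if e["hash"] not in referenced]
    if len(heads) != 1:
        raise ValueError(f"{trace_id}: expected one chain head, found {len(heads)}")
    chain: List[Dict[str, Any]] = []
    cur = heads[0]
    while True:
        if _digest(cur) != cur["hash"]:
            raise ValueError(f"{trace_id}: event seq={cur['seq']} altered after recording")
        chain.append(cur)
        if cur["prev"] is None:
            break
        nxt = by_hash.get(cur["prev"])
        if nxt is None:
            raise ValueError(f"{trace_id}: event before seq={cur['seq']} is missing")
        cur = nxt
    chain.reverse()
    return chain


def chain_summary(entries: List[Dict[str, Any]], trace_id: str) -> str:
    """Auditor-facing view of the chain, e.g. 'input -> retrieval -> ... -> human_review'."""
    return " -> ".join(e["kind"] for e in reconstruct(entries, trace_id))


def build_sample_log() -> TraceLog:
    """Constructed events for a hypothetical credit-scoring request (not real data).
    Payloads are stored as hashes so the log itself holds no personal data."""
    log = TraceLog()
    t = "req-0001"
    log.record(t, "input", actor="api-gateway",
               payload_sha256=hashlib.sha256(b"applicant form").hexdigest())
    log.record(t, "retrieval", actor="retriever", doc_ids=["policy-v3", "rate-table-2024"])
    log.record(t, "model_call", actor="scorer", model="credit-scorer", model_version="2.4.1",
               prompt_sha256=hashlib.sha256(b"rendered prompt").hexdigest())
    log.record(t, "output", actor="scorer", decision="decline", score=0.31)
    log.record(t, "human_review", actor="analyst-7", action="override", decision="approve")
    # An unrelated request interleaved in the same store.
    log.record("req-0002", "input", actor="api-gateway",
               payload_sha256=hashlib.sha256(b"other form").hexdigest())
    return log


def tampering_is_detected(log: TraceLog, trace_id: str, recompute_hash: bool) -> bool:
    """Simulate a log-store compromise that rewrites the model's recorded decision,
    with or without recomputing the edited event's hash, and report whether
    reconstruction refuses the chain."""
    forged = copy.deepcopy(log.entries)
    target = next(e for e in forged if e["trace_id"] == trace_id and e["kind"] == "output")
    target["decision"] = "approve"
    if recompute_hash:
        target["hash"] = _digest(target)  # the following event's prev no longer matches
    try:
        reconstruct(forged, trace_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    log = build_sample_log()
    print(chain_summary(log.entries, "req-0001"))
    print("tamper without rehash detected:", tampering_is_detected(log, "req-0001", False))
    print("tamper with rehash detected:", tampering_is_detected(log, "req-0001", True))
```

Two caveats a practitioner should keep in mind. The chain only proves internal consistency: an attacker who can rewrite every event of a trace, or who edits only the final event and recomputes its hash, is not caught unless the head hash is anchored somewhere the attacker cannot reach (a write-once store, a signed periodic checkpoint, or a separate system). And recording content hashes rather than raw inputs, as the sample does, is what lets the log satisfy traceability without itself becoming a store of personal data.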
How to use this crosswalk
Engineering teams
Use the "Practical interpretation" column to understand what each requirement means for your implementation. Start with the controls and evaluation rows.
Governance and compliance teams
Use the framework columns to map your existing NIST or ISO program to EU AI Act requirements. Identify gaps where one framework is prescriptive and the other is silent.
Legal and audit teams
Note that this crosswalk shows conceptual alignment, not legal equivalence. Compliance with one framework does not guarantee compliance with another.
Continue through the compliance system
LatentMesh organizes AI compliance as a practical loop: obligation, control, evaluation, evidence, and response.