People talk about NIST AI RMF, ISO 42001, and the EU AI Act as if you pick one and you are covered. That framing causes real damage, in both directions. We have seen companies spend a fortune complying with a regulation that does not apply to them, and others assess against a voluntary framework while sitting on a hard legal blocker they never saw. The three do different jobs.

NIST AI RMF: managing risk

The NIST AI Risk Management Framework is a voluntary, US-originated framework structured around four functions: Govern, Map, Measure, and Manage. It is excellent for actually understanding and reducing the risk in an AI system. It gives you a structured way to document model risks, data quality controls, and human oversight.

What it does not give you is a certificate. NIST tells you how to manage risk well. It does not produce a stamp you can show a board or a regulator. For an internal tool or an early-stage system, that is fine. NIST is often exactly the right amount of governance.

ISO 42001: certifying a management system

ISO/IEC 42001:2023 is the international standard for an AI management system. Where NIST describes good practice, ISO 42001 is certifiable. It evaluates whether your organisation has the management-system elements in place: an AI policy, risk assessment processes, lifecycle controls, defined ownership.

This matters when you need something auditable: a board that wants assurance, a partner running governance diligence on you, a regulator that expects institutional accountability. ISO 42001 also maps cleanly onto regional data protection regimes, which makes it a sensible anchor for organisations in the GCC that need a defensible, certifiable position without the obligations of a regulation built for somewhere else.

EU AI Act: deciding whether you can sell

The EU AI Act is not a best-practice framework. It is binding law with extraterritorial reach. It classifies systems into prohibited, high-risk, limited-risk, and minimal-risk categories, and high-risk systems carry specific, mandatory obligations: conformity assessment, technical documentation, human oversight, EU database registration.

The critical point for MENA companies is that the Act follows the customer, not the company's location. If you serve EU clients, your systems may fall under it regardless of where you are based. And when a system is high-risk under the Act, the question stops being "is our governance good enough" and becomes "can we legally serve this market as built."

How the choice changes the answer

We assessed a UAE fintech startup's credit-scoring models that a tech partner had pushed toward NIST AI RMF. Through a NIST lens, the work was a governance improvement exercise. But the startup planned to onboard European users, and credit scoring is explicitly high-risk under EU AI Act Annex III. The same models, assessed under the right framework, were not a governance note. They were a market access problem. We anchored on the EU AI Act for the European-facing path and used ISO 42001 as the operational layer underneath. You can read the full story in our case study on choosing an AI risk framework for a fintech startup.

The lesson runs the other way too. A UAE SME had been advised to align an internal, domestic-only workforce tool with the EU AI Act "to be safe." The Act had no jurisdiction. ISO 42001 was the right fit at a third of the cost.

The rule

No single framework gives a complete picture, and the most expensive mistakes come from applying the strictest-sounding one rather than the right one. The framework you assess against is not a formality. It decides which findings you even see, and whether you are solving the problem you actually have.
