AMIVADIS vs ISO 42001 vs NIST AI RMF Which AI Governance Framework Is Right for You?
AMIVADIS, ISO/IEC 42001, and NIST AI RMF are not competing frameworks. They serve different audiences, operate at different layers, and produce fundamentally different outputs. Understanding the distinction is the starting point for choosing the right instrument for your organisation.
Framework Comparison
Updated June 2026
Plansix GmbH
At a Glance
The three frameworks answer three different questions. Before comparing features, understanding the core question each was built to answer makes the rest of the comparison obvious.
NIST AI RMF
AI Risk Management Framework
National Institute of Standards and Technology (US) · 2023
Core question: How should our organisation manage AI risk across the lifecycle? Four functions: Govern, Map, Measure, Manage. Voluntary methodology with no scoring and no certification.
Technical & risk teams
ISO/IEC 42001:2023
AI Management System Standard
International Organization for Standardization · 2023
Core question: Does our AI management system meet an internationally recognised standard? Certifiable by accredited auditors. Pass/fail outcome — a company is certified or it is not.
Compliance & quality teams
AMIVADIS
AI Maturity Rating Standard
Plansix GmbH · 2026
Core question: Where does our AI governance stand, in a single number, compared to where it needs to be? Scored rating 0–100, five bands, EU AI Act anchored. Designed to be presented to a board or PE investor.
Boards & PE investors
The Three-Layer Model
The most useful way to understand the relationship between the three frameworks is as a stack — each operating at a different layer of the governance architecture, each addressing a different audience.
Layer 3
AMIVADIS
Measurement and communication layer. Scores the maturity of the combined result and communicates it to boards, PE sponsors, and investors as a single auditable rating.
Boards · PE · Investors
Layer 2
ISO/IEC 42001
Implementation and certification layer. Defines what a complete AI management system looks like and certifies that it has been built to that standard.
Compliance · Quality · Audit
Layer 1
NIST AI RMF
Risk methodology layer. Provides the conceptual framework for identifying, assessing, and managing AI risks across the full development and deployment lifecycle.
Technical · Risk · Engineering
This layered view explains why the three frameworks are complementary rather than competing. A mature AI governance program uses all three: NIST AI RMF to design the risk management approach, ISO 42001 to certify that the management system is built correctly, and AMIVADIS to measure and report the resulting maturity to governance and investment audiences.
Detailed Feature Comparison
Feature
NIST AI RMF
ISO/IEC 42001
AMIVADIS
Published by
NIST (US Government)
ISO/IEC
Plansix GmbH
Produces a score
No
No — pass/fail
Yes — 0 to 100
Rating bands
No
No
5 bands: Foundation → Platinum
Board-readable output
No
Partial — certification mark only
Yes — primary purpose
EU AI Act article mapping
No
General alignment
Article-level (Art. 4, 9, 10, 14, 17, 26, 72)
Certifiable
No — voluntary framework
Yes — accredited auditors
Self-assessed (v1.0); assurance tier planned
Cost
Free
€5,000–€30,000 (certification)
Free
Time to complete
Weeks–months
Months (certification cycle)
~20 minutes
No login required
Yes (public document)
No — requires auditor
Yes
PE / M&A due diligence use
No
Partial — certification status only
Yes — portfolio dashboard included
Cross-company comparability
No
Certified / not certified only
Yes — single numeric scale
Evidence weighting model
No
Pass/fail per clause
P-A-R multiplier (0.80 / 1.00 / 1.30)
Floor rules (anti-gaming)
No
No
Yes — minimum scores in D2, D3, D4
Sector calibration
No
Sector guidance available
v1.1 (planned): SaaS / Industrial / PE / PS
Recommended cadence
Ongoing
3-year certification cycle
Annual (AMI) + Quarterly (Evidence Intelligence)
Primary audience
Technical / risk teams
Compliance / quality teams
Boards, PE investors, corporate groups
When to Use Each Framework
You need to present AI governance status to your board at the annual review
Use AMIVADIS. It produces a single score, a dimension radar chart, and an improvement roadmap — all board-presentation ready. ISO 42001 certification status ("we are certified") is not a governance review; AMIVADIS is.
AMIVADIS
Your PE sponsor asks for an AI governance score across the portfolio
Use AMIVADIS. Each portfolio company completes the assessment and exports a JSON file. The AMIVADIS Portfolio Dashboard aggregates scores, dimension heat maps, and trend tracking in a single view — in one afternoon.
AMIVADIS
Your compliance team needs to demonstrate AI governance to customers and regulators
Pursue ISO 42001 certification. A certificate from an accredited auditor is the externally verifiable artefact that procurement and regulatory audiences require. AMIVADIS is complementary — the board review instrument above the certification.
ISO 42001
Your engineering team needs a methodology for managing AI risk in development
Use NIST AI RMF. Its Govern–Map–Measure–Manage structure maps directly onto the AI development and deployment lifecycle. AMIVADIS D4 and D8 measure whether the NIST AI RMF approach has produced mature execution — but NIST AI RMF is the implementation guide.
NIST AI RMF
You are conducting M&A due diligence on an AI-intensive acquisition target
Use AMIVADIS as the 20-minute screening instrument before investing in deeper technical due diligence. Ask the target to complete the assessment and share the JSON results. Scores below Silver (40) in D2 or D3 are hard-risk signals that warrant further investigation.
AMIVADIS
You want to demonstrate EU AI Act Article 4 literacy compliance to an auditor
Use both: AMIVADIS D5 identifies the literacy gap and provides the improvement roadmap; ISO 42001 provides the certifiable management system that documents the literacy program. AMIVADIS alone is self-assessed — for auditor-grade evidence, a documented literacy program with completion records is required.
Both
How the Three Frameworks Work Together
The most effective AI governance programs use all three frameworks in sequence, each at the appropriate stage of maturity:
Stage 1 — Design: Use NIST AI RMF to structure your AI risk management approach. The four core functions (Govern, Map, Measure, Manage) provide the conceptual architecture for everything that follows.
Stage 2 — Build and certify: Use ISO 42001 to implement a certifiable AI management system. The certification process forces the documentation, process design, and QMS discipline that turns the NIST AI RMF methodology into operational reality.
Stage 3 — Measure and report: Use AMIVADIS annually to score the maturity of the combined result and communicate it to your board, PE sponsor, or investor audience. The AMIVADIS Gold rating (60–79) is the target band for an organisation that has completed both Stage 1 and Stage 2 with genuine operational depth.
A company at Stage 3 — ISO 42001 certified, NIST AI RMF adopted, AMIVADIS Gold rated — has a governance posture that would withstand regulatory scrutiny, PE due diligence, and a serious board challenge. That is the standard worth building toward.
Other AI Governance Frameworks
Beyond the three primary frameworks, several other instruments are commonly referenced. Each serves a specific purpose but does not replace AMIVADIS, ISO 42001, or NIST AI RMF for governance or compliance use cases.
OECD AI Principles (2019)
High-level principles for responsible AI adopted by 46 countries. Not a management system or a scoring framework — a policy reference document. Widely cited in regulatory contexts but not directly implementable as a governance instrument.
EU AI Act (2024/1689)
Not a framework — a binding EU regulation with legal obligations. AMIVADIS maps to it at article level. ISO 42001 and NIST AI RMF inform compliance but do not constitute it. See our EU AI Act Board Obligations guide.
Cisco AI Readiness Index (annual)
Annual vendor-commissioned survey producing market-level benchmark data. Not independently assessable by an individual company. Useful for understanding where the market stands — not for governance reporting or board review.
Singapore AI Governance Framework
Voluntary framework published by IMDA and PDPC. Practical implementation guidance well-aligned with NIST AI RMF. No scoring or certification. Primarily relevant for organisations operating in the Singapore jurisdiction or seeking APAC-compliant governance posture.
ISO/IEC 23894:2023 (AI Risk Management)
Guidance standard for AI risk management published by ISO/IEC. Provides guidance on how to integrate AI risk into an organisational risk management system. Not independently certifiable. Complementary to ISO 42001 — 42001 is the management system; 23894 is the risk guidance.
Frequently Asked Questions
Does completing AMIVADIS replace ISO 42001 certification?
No. AMIVADIS is a self-assessed, scored rating instrument — not a third-party certified standard. ISO 42001 certification requires an independent audit by an accredited certification body. They serve different purposes: AMIVADIS produces a governance communication tool for boards and investors; ISO 42001 produces an externally verifiable compliance artefact for customers, regulators, and procurement processes. A company can have an AMIVADIS Gold rating without being ISO 42001 certified, and vice versa — though genuine ISO 42001 certification strongly correlates with Silver to Gold AMIVADIS scores.
Which framework should we implement first?
Start with AMIVADIS — it takes 20 minutes and immediately tells you where your governance gaps are across all nine dimensions. That baseline score determines whether to prioritise ISO 42001 certification (if D2 Governance and D3 Data are weak), NIST AI RMF adoption (if D4 Execution and D8 Foresight are weak), or cultural and strategic work (if D1 Strategy, D7 Culture, and D9 Financial Impact are weak). AMIVADIS is the fastest way to triage the right next step.
Is NIST AI RMF relevant for European companies?
Yes, despite being a US framework. NIST AI RMF is widely referenced by European organisations as a risk methodology because it is practically structured and freely available. The EU AI Act and ISO 42001 define what compliance and certification look like; NIST AI RMF fills the gap on how to actually manage AI risk in development and deployment. For European companies, the priority hierarchy is: EU AI Act compliance first, ISO 42001 certification for external credibility, NIST AI RMF as an internal methodology, and AMIVADIS for board-level measurement and reporting.
How much does ISO 42001 certification cost?
ISO 42001 certification costs vary by company size, scope, and the certification body selected. Indicative ranges: small companies (under 100 staff, limited AI scope) €5,000–€10,000; mid-size companies €10,000–€20,000; large organisations with complex AI portfolios €20,000–€50,000+. These are recurring costs — certification requires annual surveillance audits and a full re-certification audit every three years. AMIVADIS is free and takes 20 minutes — the two operate at different points in the governance investment curve.
See Where You Stand on AMIVADIS in 20 Minutes
Free self-assessment. No login. Instant score across 9 dimensions — with a board-ready PDF scorecard and prioritised improvement roadmap.