AI Governance Frameworks

The world's first comprehensive legal framework for AI, establishing binding obligations based on risk classification.

The EU AI Act categorises AI systems into four risk tiers — unacceptable, high, limited, and minimal — and imposes obligations proportionate to that risk. High-risk systems (used in areas such as healthcare, credit, employment, and law enforcement) must meet requirements around data governance, transparency, human oversight, robustness, and accuracy before they can be deployed in the EU market. Providers must register their systems, maintain technical documentation, and conduct post-market monitoring. The Act also introduces requirements around general-purpose AI models, including transparency obligations and, for the most capable models, systemic risk assessments.

The first international standard for AI management systems, providing a structured framework for responsible AI governance within organisations.

ISO/IEC 42001:2023 defines requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). Modelled on the structure of ISO 27001 (information security) and ISO 9001 (quality), it gives organisations a systematic, auditable approach to managing AI risk across the full lifecycle — from development and procurement through deployment and decommissioning. Certification to ISO 42001 provides independent assurance to customers, regulators, and partners that an organisation governs its AI responsibly.

A voluntary but widely adopted framework from the US National Institute of Standards and Technology for managing AI risk across four core functions.

The NIST AI Risk Management Framework (AI RMF 1.0), published in January 2023, is designed to help organisations incorporate trustworthiness considerations into the design, development, use, and evaluation of AI systems. It organises AI risk management into four core functions — Govern, Map, Measure, and Manage — and is designed to be flexible, measurable, and adaptable across different contexts and sectors. It is increasingly referenced by US federal agencies and regulators, and is complementary to international standards including ISO 42001.

Emerging guidance from the UK Financial Conduct Authority on the responsible use of AI in financial services, grounded in existing principles-based regulation.

The FCA has signalled that AI in financial services is subject to its existing regulatory framework — including the Consumer Duty, Senior Managers and Certification Regime (SM&CR), and operational resilience requirements — and has indicated it will continue to develop targeted guidance. Firms using AI in customer-facing decisions (credit, insurance pricing, fraud detection, advice) must be able to demonstrate that outcomes are fair, explainable, and free from harmful bias. The FCA expects boards and senior managers to maintain oversight and accountability for AI systems, and has engaged with industry through its AI Lab and data-led regulatory initiatives.