You've now studied the EU AI Act, NIST AI RMF, ISO 42001, and the OECD Principles. Today you'll learn to map across frameworks — a practical skill the AIGP exam tests and one you'll use in real governance work.
Most organizations must comply with multiple AI governance frameworks simultaneously. Without mapping:
- Teams duplicate effort by implementing the same control multiple times under different framework labels
- Gaps go unnoticed because each framework covers slightly different ground
- Audit preparation becomes a nightmare of redundant documentation
- Resources are wasted on overlapping assessments
A compliance matrix maps requirements across frameworks to controls, enabling a "comply once, satisfy many" approach.
Let's trace how risk management maps across three frameworks:
EU AI Act (Article 9) — Providers of high-risk AI must establish a continuous, iterative risk management system that identifies, estimates, evaluates, and mitigates risks throughout the lifecycle.
NIST AI RMF (Map + Measure + Manage) — Map identifies risks in context. Measure assesses them quantitatively and qualitatively. Manage implements treatment. Govern provides the organizational structure.
ISO 42001 (Clause 6 + Annex A) — Planning requires risk assessment for AI systems, including impact assessment. Operational controls implement risk treatment. Performance evaluation monitors effectiveness.
The mapping: A single risk management process can satisfy all three if it:
1. Is continuous and lifecycle-oriented (EU AI Act)
2. Contextualizes risks to specific use cases (NIST Map)
3. Uses quantitative and qualitative metrics (NIST Measure)
4. Implements proportionate controls (all three)
5. Is documented and auditable (ISO 42001)
EU AI Act (Article 11, Annex IV) — Technical documentation with specific contents: general description, development process, monitoring information, risk management documentation.
NIST AI RMF (Transparency) — Documentation is embedded across all functions as "transparency" artifacts. The Playbook suggests specific documentation actions.
ISO 42001 (Clause 7.5) — Documented information requirements covering policies, procedures, records, and assessments.
Practical consolidation: Create a unified documentation framework that satisfies all three:
- Model card → Satisfies Annex IV general description + NIST transparency + ISO documented information
- Risk assessment report → Satisfies Article 9 documentation + NIST Map/Measure outputs + ISO risk assessment records
- Data governance documentation → Satisfies Article 10 + NIST data quality + ISO operational controls
A practical compliance matrix has these columns:
| Requirement | EU AI Act | NIST AI RMF | ISO 42001 | Control | Owner | Status |
|---|---|---|---|---|---|---|
| Risk assessment | Art. 9 | Map, Measure | 6.1 | AI-RM-001 | Risk team | Implemented |
| Documentation | Art. 11 | Transparency | 7.5 | AI-DOC-001 | Governance | In progress |
| Human oversight | Art. 14 | Govern 1.4 | A.8 | AI-HO-001 | Operations | Planned |
This matrix becomes your single source of truth for AI governance compliance.
Consider this scenario: Your organization is deploying a high-risk AI lending model in the EU. Map these governance actions to the relevant framework requirements:
1. Conduct a bias audit across demographic groups → EU AI Act (Art. 10, data governance) + NIST (Measure, fairness metrics) + ISO 42001 (AI system impact assessment)
2. Document model architecture, training data, and limitations → EU AI Act (Art. 11, Annex IV) + NIST (Transparency) + ISO 42001 (documented information)
3. Establish human review for high-value decisions → EU AI Act (Art. 14, human oversight) + NIST (Govern, human oversight) + ISO 42001 (operational controls)
4. Monitor for data drift in production → EU AI Act (Art. 9, ongoing risk management) + NIST (Measure, monitoring) + ISO 42001 (performance evaluation)
This is exactly the type of mapping exercise the AIGP exam may present in scenario-based questions.
In 2024, Airbus undertook a comprehensive framework mapping exercise for its AI systems used in aircraft maintenance prediction, supply chain optimization, and cabin crew scheduling. Operating across multiple jurisdictions, Airbus needed to simultaneously comply with the EU AI Act (as a European manufacturer deploying high-risk AI in safety-critical aviation contexts), demonstrate alignment with the NIST AI RMF (required by US defense and aviation procurement contracts), and pursue ISO 42001 certification (demanded by airline customers as a governance assurance mechanism).
Airbus built a unified compliance matrix that mapped each governance control to requirements across all three frameworks. For example, their AI risk assessment process for predictive maintenance systems satisfied EU AI Act Article 9 (continuous risk management), NIST AI RMF Map and Measure functions (contextual risk identification and quantitative assessment), and ISO 42001 Clause 6.1 (planning for risks and opportunities) — all through a single documented process. Their technical documentation templates were designed to satisfy EU AI Act Annex IV requirements while simultaneously serving as NIST transparency artifacts and ISO 42001 documented information. This "comply once, satisfy many" approach reduced their compliance burden by an estimated 40% compared to maintaining three separate governance tracks.
For the AIGP exam, Airbus's approach illustrates practical framework mapping at enterprise scale. The key lesson is that framework mapping is not a theoretical exercise — it directly reduces compliance costs, prevents gaps, and creates a single source of truth. Exam questions may present scenarios where an organization must comply with multiple frameworks and ask you to identify overlaps, gaps, or the most efficient compliance strategy.