Your AI governance program is a binder.
Your auditors want a system.
Most AI governance shipped in the last two years is a deck and a policy. Neither survives an enterprise security review, an ISO audit, or an EU supervisory authority asking for evidence. We build the operating system instead.

The Shape of the NIST AI RMF
- NIST Functions: Govern · Map · Measure · Manage
- Categories: across the AI lifecycle
- Subcategories: each with an audit artifact
- GenAI Risks: NIST AI 600-1 profile
Frameworks
Three frameworks. One operating system.
They do not overlap perfectly. They overlap meaningfully. Run them as one program.
NIST AI Risk Management Framework 1.0
Published by the US National Institute of Standards and Technology on January 26, 2023. Voluntary, non-prescriptive, and built around 4 functions, 19 categories, and roughly 72 subcategories. The framework tells you what to achieve. It deliberately does not tell you how. That gap is the work, and that gap is also why it has become the de facto standard for US enterprise procurement, federal-adjacent buyers, and any vendor questionnaire that mentions AI.
Who needs it
Any company selling to US enterprise or federal-adjacent buyers. Any company whose security questionnaire from a customer references AI governance, model lineage, or automated decision-making. Treat the voluntary label as misleading: federal procurement, ISO 42001 audits, and enterprise vendor reviews all anchor to it.
Common gap
Treating Measure as a model performance exercise instead of a risk quantification exercise. The NIST AI RMF Playbook's suggested actions are the fastest route to closing this gap.
How the four functions relate to each other
Think of it as a continuous operating loop, not a linear sequence. GOVERN is the permanent foundation. It is always on and infused through everything. MAP, MEASURE, and MANAGE cycle continuously throughout the AI system's lifecycle.
Govern
Culture, policies, accountability, oversight. The only function that spans the entire organization at all times. Enables the other three to be repeatable.
Map
Scope and context. Identify which AI systems exist, who they affect, and what the risk landscape looks like before measuring anything.
Measure
Quantify and track. Use testing, evaluation, verification, and validation (TEVV) to assess identified risks with rigor. Not intuition.
Manage
Respond. Allocate resources to prioritized risks. Mitigate, transfer, avoid, or accept risk. Build incident response. Monitor continuously.
The key insight: the framework is intentionally non-prescriptive. It tells organizations WHAT outcomes to achieve but rarely says HOW in concrete terms. That gap is exactly where a Sophizo engagement sits. We provide the implementation that translates NIST subcategories into board-ready procedures, controls, and KPIs.
Risk Lens
Two lenses. Same discipline.
The 12 GenAI risks tell you what can go wrong. The 7 characteristics of trustworthy AI tell you what good looks like. Both anchor every Measure and Manage decision.
NIST AI 600-1 · Generative AI Profile · July 2024
Top three for B2B operators
Confabulation
Confidently stated, factually wrong output. The number one risk for enterprise copilots and customer-facing deployments. Requires TEVV baselines, confidence flagging, and human review gates.
Value Chain & Component Integration
Third-party models, APIs, datasets, and infrastructure introduce risk the deployer does not fully control. The most systemic and underappreciated category. Invisible until failure.
Human-AI Configuration
A workflow design risk, not a model risk. Automation bias, over-automation, anthropomorphism. No model-level control fixes this; human-in-the-loop checkpoints and override mechanisms do.
All 12 categories
CBRN Information
Confabulation
Dangerous, Violent, or Hateful Content
Data Privacy
Environmental Impacts
Harmful Bias & Homogenization
Human-AI Configuration
Information Integrity
Information Security
Intellectual Property
Obscene, Degrading, or Abusive Content
Value Chain & Component Integration
One program, not three.
Three audit-ready extensions.
NIST AI RMF, ISO/IEC 42001, and the EU AI Act are not three competing programs. They are one operating discipline with three compliance extensions. The right sequencing is the difference between framework fatigue and a program that compounds.
Build NIST AI RMF first
The four-function structure is the most flexible. It maps cleanly onto both EU AI Act obligations and ISO 42001 requirements without framework-specific constraints. This is your operating discipline.
Use ISO 42001 to formalize
The certifiable wrapper makes the program auditable and durable for enterprise sales and procurement. If you already hold ISO 27001, the shared Annex SL structure makes 42001 a meaningfully smaller lift.
Apply EU AI Act categories to triage
Run every in-scope system through the Act's risk-tier categorization. The output tells you which systems require full high-risk compliance treatment. August 2026 is the forcing function for high-risk obligations.
Layer NIST AI 600-1 wherever GenAI is in production
Twelve GenAI risk categories. 200+ suggested actions. All mapped back to the four base functions. Treat it as a modular extension, not a separate program.
The framing that lands with CFOs and General Counsel: one foundational governance program with three compliance extensions. Not three separate programs competing for the same team bandwidth and the same budget line.
Free Strategy Brief
The NIST AI Risk Strategy
A board-ready brief on operationalizing NIST AI RMF without hiring a binder writer.
How to translate four functions, 19 categories, and 12 GenAI risks into a 90-day execution plan your CFO and General Counsel will sign off on. Read it before your next AI risk committee meeting.
What is inside:
- Board-ready framing. How to position AI risk to a board that does not want another binder.
- Function-by-function execution plan. What Govern, Map, Measure, and Manage produce in the first 90 days.
- GenAI Profile triage. Which of the 12 NIST AI 600-1 risks actually matter for your stack, and which are noise.
- Vendor and procurement playbook. The questions enterprise security teams are about to start asking your AI vendors.
Operating System
Five artifacts. One source of truth.
Build once. Maintain as discipline. Security, ISO, EU supervisory authority, LP, board: all read from the same evidence.
AI Inventory and Risk Register
Every AI system in production, shadow AI included. Risk tier, owner, review cadence. Refreshed quarterly.
Written AI Policy
Two pages. What may be used, what data is off-limits, what review is required, who escalates. Two pages is the adoption ceiling.
Vendor Assessment Framework
One-page checklist every new AI vendor signs. Data, lineage, certifications, data return on termination. Kills shadow procurement.
Quarterly Board Review Cadence
Standing fifteen-minute slot. Inventory delta, incidents, top use cases. Builds board literacy without burning the agenda.
Incident Response Runbook
What happens when an AI system causes harm, leaks data, or fails oversight. Owner, classification, comms, regulator triggers. Tested in a tabletop.
By Industry
The framework stack flexes by sector. HIPAA in healthcare. GLBA and FCRA in financial services. FERPA in education. Bar guidance in legal. C2PA for media. The operating discipline holds across all of them.
Engage
Pick the entry point.
Three shapes. Different commitment. Same operating discipline.
Governance Diagnostic
2 to 4 weeks
Scored gap assessment across the three frameworks. Named bottleneck, prioritized roadmap, cost-to-green estimate.
Best for: Teams that need a baseline before they invest.
Most chosen
Governance Build
90 days
The full five-artifact operating system. Inventory, policy, vendor framework, board cadence, incident runbook.
Best for: Teams preparing for enterprise sales, an ISO audit, or a board review.
Governance Operate
Ongoing retainer
Fractional AI governance ownership. Quarterly board reporting, vendor reviews, incident response, regulator-readiness.
Best for: Teams without the internal capacity to run governance as a discipline.
Make governance the operating advantage.
Book a 30-minute scoping call. We tell you which framework bites first, what 90 days looks like for your stack, and where security and privacy already do half the work.
Guidance, not legal advice. EU AI Act, NIST AI RMF, and ISO/IEC 42001 evolve. ISO 42001 certification is issued by accredited certification bodies, not by Sophizo. Engage qualified legal counsel and a certification body for jurisdiction-specific work.