3 Essential AI Governance Frameworks
The AIGP exam will not ask you to recite a statute when it reaches the standards material. It asks something narrower and more revealing: can you tell three voluntary AI governance frameworks apart, and can you say what each one is for? Candidates who have buried themselves in the EU AI Act often stumble here, because the NIST AI Risk Management Framework, ISO/IEC 42001 and the OECD AI Principles are not laws. They are voluntary instruments, and the marks come from knowing their shape, not from memorising any single clause.
These three AI governance frameworks anchor the standards section of the IAPP's Body of Knowledge for the AIGP exam, the document that sets out every topic candidates are tested on. They sit in Domain II, which covers how laws, standards and frameworks apply to AI. Learn the structure of each and the questions become straightforward, even when the wording is designed to mislead.
The AI governance frameworks the AIGP exam names
Each framework does a different job, and that division of labour is the thing to fix in your head first. The OECD principles set shared values; the NIST framework turns risk into a repeatable process; ISO/IEC 42001 wraps that process in a system an organisation can be audited against. Hold those three jobs in mind and the rest of the detail falls into place.
NIST AI RMF: govern, map, measure, manage
The NIST AI Risk Management Framework runs on four core functions. Govern cultivates a risk-aware culture and threads through everything else. Map establishes the context and identifies the system's risks. Measure assesses and tracks the risks you have mapped. Manage prioritises those risks and acts on them. A simple hook keeps the order steady: Govern wraps the Map, Measure, Manage loop. The framework is voluntary and outcome-based, and version 1.0 was published in January 2023.
ISO/IEC 42001: a management system, not a checklist
ISO/IEC 42001 is the first international AI management system standard. It is not a checklist: its clauses set up a system for governing AI, built on the familiar plan, do, check, act cycle for continual improvement, and its Annex A offers reference controls that an organisation selects from and justifies rather than applies wholesale. An organisation can be independently audited and certified against it, and that single feature separates it from the other two. Its sibling standards are worth a mental note: ISO/IEC 22989 covers AI concepts and terminology, and ISO/IEC 42005 covers AI system impact assessment.
The OECD AI Principles: values upstream of everything
The OECD AI Principles came first, adopted in 2019 and updated in 2024. They are value-based: inclusive growth, sustainable development and well-being; respect for the rule of law, human rights and democratic values, including fairness and privacy; transparency and explainability; robustness, security and safety; and accountability. As the first intergovernmental standard on AI, they sit upstream of many national frameworks and feed into the responsible-AI principles you meet elsewhere in the body of knowledge. When a question asks which instrument shaped a national strategy, the OECD principles are usually the answer.
How the AI governance frameworks fit together
One sentence ties the three together: principles set the goals, the risk framework turns them into a repeatable process, and the management system makes that process auditable. The OECD supplies the values. NIST supplies the method. ISO/IEC 42001 supplies the system. If you can say that aloud without notes, you can answer most questions in this part of the exam, including the ones that lean on the common principles of responsible AI. The relationship matters more than any single definition, because the examiners test whether you understand what each layer adds.
Where AI governance frameworks trip candidates up
The traps in this area are predictable, which means you can rehearse them in advance. Three patterns account for most of the marks lost here.
The first swaps the core functions. A question lists Identify, Protect, Detect, Respond and Recover and invites you to label it the AI RMF. Those belong to the NIST Cybersecurity Framework; the AI RMF is Govern, Map, Measure, Manage. The two sets look similar enough to catch a tired reader, and a further wrinkle: CSF 2.0, released in 2024, added its own Govern function, so the word "Govern" on its own does not identify the AI RMF. Look for Map, Measure and Manage alongside it.
The second treats a framework as binding law. A stem describes an organisation that has adopted the NIST framework and asks what it is now legally required to do. The honest answer is nothing extra; these are voluntary AI governance frameworks. Binding duties come from instruments such as the EU AI Act.
The third confuses certification with compliance. An ISO/IEC 42001 certificate shows a management system is in place. On its own it does not satisfy a statutory obligation, and a well-built question will offer "the organisation is now compliant with the law" as the tempting wrong answer.
What this means for your AIGP exam
The standards layer earns its place in your revision precisely because regulatory regimes are diverging. Frameworks give you a stable reference point that does not shift every time a jurisdiction amends its rules. Know the three by shape, keep the traps in view, and this becomes one of the more reliable scoring areas on the paper. Our notes on AI governance and risk management and on key regulations and frameworks sit alongside this, and the breakdown of cyber-capable AI shows how the same reasoning applies to newer risks. A structured AIGP study guide can help you sequence the rest.
Ready to test whether the three frameworks really do sit still in your memory? Work through a few timed questions at 22academy.com/study and find out where the gaps are.