AI Governance: A Practical Guide to the EU AI Act and NIST AI RMF

AI governance is the set of policies, roles, and controls an organization uses to deploy and use AI responsibly and to meet emerging AI regulation. The two reference points most teams build to are the EU AI Act (Regulation (EU) 2024/1689) — the first comprehensive AI law, which classifies systems into four risk tiers: unacceptable/prohibited, high-risk, limited (transparency), and minimal — and the NIST AI Risk Management Framework (AI RMF 1.0), a voluntary US framework organized around four functions: Govern, Map, Measure, and Manage. Buying documents does not by itself make you "compliant": compliance comes from operating the controls, and EU AI Act conformity for high-risk systems requires a formal assessment — well-structured templates simply accelerate the documentation, which is the longest part.

What is AI Governance (EU AI Act & NIST AI RMF)?

AI governance is how an organization decides which AI systems it allows, who is accountable for them, how AI risks are assessed and monitored, and how use is disclosed to people affected. The EU AI Act (Regulation (EU) 2024/1689) takes a risk-based approach: it bans a short list of "unacceptable-risk" practices (Article 5), imposes strict obligations (risk management, data governance, logging, human oversight, transparency) on "high-risk" systems such as those used in hiring, credit, or education (Annex III), requires basic transparency for limited-risk systems like chatbots and AI-generated content (Article 50), and leaves minimal-risk uses largely unregulated. The NIST AI RMF 1.0 (January 2023) is a voluntary, technology-neutral framework whose four functions — Govern, Map, Measure, Manage — and companion Generative AI Profile (NIST-AI-600-1, July 2024) help organizations build trustworthy AI regardless of jurisdiction. The two are complementary: the AI Act sets legal obligations, while the NIST AI RMF gives you an operating model to meet them.

Who needs it?

Almost any organization that builds, deploys, or merely uses AI tools now needs documented AI governance — not just AI developers. The EU AI Act reaches deployers (organizations using AI), not only providers, and its Article 4 AI-literacy obligation and Article 5 prohibitions have applied since February 2, 2025 to organizations placing AI on, or using it within, the EU market. Beyond the law, enterprise buyers increasingly send AI-use and AI-risk questions alongside SOC 2 security questionnaires, so startups, SaaS vendors, MSPs, and professional-services firms that adopted ChatGPT, Copilot, or similar tools need acceptable-use, human-oversight, and disclosure policies to clear procurement. If you operate higher-risk uses (employment screening, credit decisioning, biometric or safety-related systems), the obligations are substantially heavier: under the AI Act as currently in force they apply from August 2, 2026 for stand-alone Annex III systems and August 2, 2027 for AI embedded in regulated products, though a proposed "Digital Omnibus" simplification package (provisionally agreed in May 2026, not yet adopted) would postpone those dates.

What does AI Governance (EU AI Act & NIST AI RMF) readiness cost?

Option | Typical cost | Time to ready
ComplianceDocs AI Governance templates | $49–$99 one-time | Same day to a few weeks (you tailor and adopt)
AI governance / privacy consultant | ~$1,250–$2,750+ for a policy set | 2–6 weeks
AI governance / GRC automation platform | ~$7,000–$30,000+ per year | 4–12 weeks to onboard
Draft policies fully in-house | Staff time (often the most expensive) | 1–3+ months

Typical timeline

  1. Inventory and classify your AI systems: List every AI tool you build, embed, or use (including third-party tools like ChatGPT or Copilot), record whether you act as provider or deployer for each, and classify each against the EU AI Act's four risk tiers and your own risk register.
  2. Stand up governance and accountability: Assign ownership, adopt an AI Governance Policy and Acceptable Use Policy, and meet the Article 4 AI-literacy obligation with basic staff training. This maps to the NIST AI RMF GOVERN function.
  3. Assess and document risk: Run AI risk and vendor/tool assessments, document data governance and privacy, and define human-oversight and transparency/disclosure controls (NIST MAP and MEASURE).
  4. Operationalize controls and monitoring: Put incident-response, logging, and ongoing monitoring into practice and capture evidence (NIST MANAGE). For high-risk EU systems, prepare the technical documentation a conformity assessment requires.
  5. Conformity assessment / attestation where applicable: Providers of high-risk EU AI Act systems must complete a conformity assessment before the system is placed on the market or put into service; deployers of such systems must use them according to the provider's instructions, assign human oversight to competent staff, and retain the system's logs (Article 26). Organizations seeking certification pursue ISO/IEC 42001 via an accredited body. Templates do not replace these steps.
  6. Review and keep current: Re-assess at least annually and whenever you add AI systems or the regulatory timeline advances. High-risk obligations begin August 2, 2026 (Annex III) / August 2, 2027 (embedded products) unless the proposed Digital Omnibus postponement is adopted.

How editable templates speed this up

ComplianceDocs templates give you the AI governance documentation regulators, auditors, and enterprise clients expect — the part that otherwise takes weeks to draft. The AI Governance Policy Pack ($49) includes ten editable Word documents (AI Governance Policy, AI Acceptable Use Policy, AI Risk Assessment Procedure, AI Vendor and Tool Assessment Procedure, AI Data Governance and Privacy Policy, AI Transparency and Disclosure Standard, Human Oversight and Accountability Standard, AI Incident and Model Failure Response Procedure, an AI System Inventory and Classification Standard, and an EU AI Act Readiness Checklist) plus two Excel workbooks — an AI risk register and an audit-evidence checklist — all reflecting EU AI Act deployer obligations and the NIST AI RMF GOVERN function. For organizations pursuing a certifiable management system, the ISO 42001 AI Management System Toolkit ($99) adds an Annex A Statement of Applicability. Templates accelerate readiness; you still tailor them to your systems, operate the controls, and — for high-risk EU systems — complete the required conformity assessment.

Recommended AI Governance (EU AI Act & NIST AI RMF) toolkits

AI Governance (EU AI Act + NIST AI RMF)

AI Governance Policy Pack

10 editable AI policies aligned to the EU AI Act and NIST AI RMF, plus an AI risk register — govern workplace AI before regulators and clients ask.

$49 (30% off with code)

ISO/IEC 42001:2023 AI Management System

ISO 42001 AI Management System Toolkit

14 editable ISO/IEC 42001:2023 policies and procedures — impact assessments, AI lifecycle, data governance, third-party AI — plus the Annex A Statement of Applicability, an AI risk register, and an audit evidence checklist.

$99 (30% off with code)

SOC 2 + AI Governance

Startup Trust Pack — SOC 2 + AI Governance

25 editable documents bundling the SOC 2 Core policy set with the full AI Governance pack — answer enterprise security questionnaires AND the new AI-policy questions in one purchase.

$89 (30% off with code)


Frequently asked questions

Is AI governance aligned to the EU AI Act and NIST AI RMF the same as being certified?
No. The EU AI Act is a law you comply with by operating the required controls (and, for high-risk systems, passing a conformity assessment), and the NIST AI RMF is voluntary guidance with no certificate. Templates give you the documentation those efforts expect; certification to a standard like ISO/IEC 42001 comes only from an accredited body after auditing a working AI management system.
We only use third-party AI tools like ChatGPT — do we still need AI governance?
Yes. The EU AI Act places obligations on deployers (organizations that use an AI system under their own authority), not only on the providers who build it, and most enterprise security questionnaires now include AI-use questions. You need acceptable-use, human-oversight, data-governance, and disclosure policies even if you never train a model yourself.
When do EU AI Act obligations actually apply?
They phase in. The Article 5 prohibitions on unacceptable-risk practices and the Article 4 AI-literacy obligation have applied since February 2, 2025, and general-purpose AI (GPAI) model obligations since August 2, 2025. Under the law as currently in force, most high-risk obligations apply from August 2, 2026 (stand-alone Annex III systems) and August 2, 2027 (AI embedded in regulated products), and the Article 50 transparency rules apply from August 2, 2026. A proposed Digital Omnibus simplification package — provisionally agreed in May 2026 but not yet formally adopted or published — would postpone the high-risk dates to December 2, 2027 and August 2, 2028; confirm the current dates for your specific use case.
What are the penalties for getting it wrong under the EU AI Act?
Fines are tiered (Article 99) and can be severe: up to EUR 35 million or 7% of total worldwide annual turnover (whichever is higher) for prohibited practices, up to EUR 15 million or 3% of turnover for most other breaches, and up to EUR 7.5 million or 1% for supplying incorrect, incomplete, or misleading information to authorities. For SMEs and startups the lower of the fixed amount or percentage applies. This is one reason documented governance and a clear AI inventory matter even for smaller deployers.
How is the AI Governance Policy Pack different from the ISO 42001 toolkit?
The AI Governance Policy Pack ($49) is a focused, fast-to-deploy set of policies, an AI risk register, and an audit-evidence checklist aligned to EU AI Act deployer obligations and the NIST AI RMF GOVERN function. The ISO 42001 toolkit ($99) is a full AI Management System aligned to ISO/IEC 42001:2023, with an Annex A Statement of Applicability, for organizations pursuing that certification.
Professional editable templates — general information only, not legal, audit, tax, or certification advice, and no professional or advisory relationship is created. No purchase makes an organization compliant or certified. Review each document with qualified counsel, your compliance professional, or your auditor before relying on it. ISO, IEC, SOC 2, AICPA, HIPAA, NIST, GDPR, the EU AI Act, IRS and FTC are referenced descriptively only; ComplianceDocs (ExpertEngine LLC) is independent and is not affiliated with, endorsed by, or certified by any standards body, regulator, or audit firm.