Three AI governance frameworks dominate the conversation right now. ISO 42001. NIST AI RMF. Australia’s Guidance for AI Adoption. Most Australian businesses cannot tell them apart, and the consultancies selling implementation services are not helping anyone with the distinction.
The honest answer is that they do different things, for different audiences, with different consequences if you ignore them. Picking the wrong one wastes a six-figure investment. Picking none of them is becoming indefensible. Picking the right combination is straightforward once you understand what each one is built for.
We work with Australian businesses on AI governance every week, and we have implemented all three at varying depths across our client base. This is the comparison we wish someone had given us two years ago.
Australia made a decision in December 2025 that most businesses still have not fully absorbed. The National AI Plan confirmed that Australia will not legislate AI directly through a standalone Act. Instead, the country will rely on existing laws, sector regulators, and voluntary guidance.
That decision moved the burden onto businesses. Without a single mandatory framework to comply with, every organisation now has to choose its own AI governance baseline. The choice will be inspected later by insurers underwriting cyber and professional indemnity policies, by auditors reviewing financial statements that depend on AI-influenced controls, by enterprise procurement teams running supplier due diligence, and by regulators applying existing laws like the Privacy Act to AI-driven decisions.
“We use AI responsibly” will not survive any of those conversations. A defensible answer requires pointing to a recognised framework, evidence of implementation, and a continuous improvement record. That is what these three frameworks provide, each in a different way.
ISO/IEC 42001:2023 is an AI management system standard. It was published in December 2023 and is the first international standard specifically for managing AI within an organisation.
The mental model to start with is ISO 27001, the information security management standard most enterprises already know. ISO 42001 borrows the same structure. It defines an AI management system, prescribes how an organisation should plan, operate, evaluate, and improve that system, and provides controls that map to AI-specific risks across the lifecycle.
What ISO 42001 actually requires is a documented set of policies, procedures, and controls covering how the organisation develops, procures, deploys, and uses AI. It demands a defined scope, an AI risk assessment methodology, controls for fairness, transparency, accountability, and data quality, and a continuous improvement cycle that produces evidence of ongoing operation.
The certification path is the differentiator. ISO 42001 can be audited by an accredited body, and an organisation can be formally certified. That certification carries weight with enterprise buyers, regulators, and insurers in ways that voluntary internal frameworks do not. It is the closest thing to a globally recognised seal of AI governance maturity that currently exists.
ISO 42001 is well suited to organisations that already operate ISO 27001 or other ISO management systems, organisations selling AI-driven products or services to enterprise or government buyers, organisations subject to procurement processes that may require certification within the next two years, and organisations that want a single, audited baseline they can point to in any conversation.
The downside is cost and effort. ISO 42001 implementation is a project, not a memo. A typical mid-market certification effort runs nine to fifteen months and costs well into six figures when consulting, internal time, and audit fees are included. It is not the right starting point for a business with no existing management system discipline.
The NIST AI Risk Management Framework is a US government publication, first released in January 2023 and continually updated since. It is voluntary, free, and globally adopted across both public and private sectors.
AI RMF is structured around four functions. Govern covers culture, policies, accountability, and risk management as an organisational practice. Map covers context, scope, and identifying which AI risks apply to a given system. Measure covers analysing and tracking those risks quantitatively. Manage covers prioritising and treating the risks identified.
The framework does not prescribe specific technical controls. It describes outcomes and the questions an organisation should be able to answer. That makes it flexible and broadly applicable, but it also means AI RMF on its own does not produce an implementation. It produces an assessment.
This is what most Australian businesses get wrong about AI RMF. They read the framework, agree with the principles, and assume that is the work. The actual value comes from running the four functions against every meaningful AI system in the organisation and documenting the outputs as evidence. That evidence is what insurers and regulators ask for.
AI RMF pairs naturally with technical control frameworks. The new NIST Cyber AI Profile, NIST IR 8596, and the underlying COSAiS control overlays are designed to slot underneath AI RMF as the technical implementation layer. We have written separately about how the Cyber AI Profile works alongside AI RMF for organisations wanting the full NIST stack.
AI RMF is well suited to organisations that want a free, flexible, globally recognised starting point, organisations that need to demonstrate AI risk management to a board or auditor without committing to certification, organisations already using NIST CSF 2.0 for cybersecurity, and organisations whose AI program is still early-stage and needs a framework to grow into.
The Guidance for AI Adoption, GfAA for short, was published in October 2025 by the Department of Industry, Science and Resources and the National AI Centre. It replaced the previous Voluntary AI Safety Standard (VAISS) that had been in place since 2024.
The GfAA is the Australian government’s official position on what good AI adoption looks like. It is voluntary. It is non-binding. It is also the framework that any Australian regulator, court, or government procurement process will reference first when assessing whether an organisation has acted reasonably with AI.
The content of the GfAA is structured around practical guidance for different AI maturity levels and use cases. It covers governance, risk assessment, data quality, transparency, human oversight, contestability, and accountability. The shape will be familiar to anyone who has read AI RMF or ISO 42001, because all three frameworks address similar concerns from different angles.
The critical thing to understand about the GfAA is what it replaces and what it foreshadows. It replaced the September 2024 proposals paper for mandatory AI guardrails in high-risk settings, which the government effectively walked away from in late 2025. Whether mandatory guardrails return depends entirely on whether the new Australian AI Safety Institute, launched in early 2026, identifies gaps that voluntary guidance cannot close.
The GfAA is well suited to Australian organisations that need to demonstrate alignment with the Australian government’s official position, organisations that primarily serve the Australian market and have no international procurement pressure, organisations starting their AI governance program and needing an accessible entry point, and organisations whose risk appetite is to follow the local regulator’s stated expectations rather than international best practice.
The limit of the GfAA is depth. It is guidance, not a standard. It does not provide a certification path, does not prescribe specific controls, and is not detailed enough to anchor a complete AI risk management program in a complex enterprise. For most mid-market businesses, the GfAA is a starting point, not the destination.
The three frameworks are easier to compare directly across a few dimensions that matter for the implementation decision.
| Dimension | ISO/IEC 42001 | NIST AI RMF | Guidance for AI Adoption (GfAA) |
|---|---|---|---|
| Type | International management system standard | Voluntary US government framework | Voluntary Australian government guidance |
| Certifiable | Yes | No | No |
| Cost | Six figures to certify | Free framework, internal effort to apply | Free framework, light implementation |
| Strength | Audited credibility, enterprise procurement, supply chain | Flexible, pairs with other NIST tools, globally recognised | Australian regulator alignment, accessible |
| Limit | Heavy investment, slow to implement | No certification, requires interpretation | Shallow depth, not enough for complex programs |
The framework choice should follow the business reality, not the other way around. Five patterns cover most of the Australian mid-market.
An Australian SMB just starting to govern AI should begin with the GfAA. It is the lowest-friction way to establish an AI governance baseline that aligns with Australian regulator expectations. We typically pair this with a shadow AI discovery exercise so the baseline reflects what is actually happening in the business, not what leadership assumes is happening. Most clients in this category stay on the GfAA for twelve to eighteen months before considering a step up.
An Australian business selling to enterprise or government buyers should look at ISO 42001 seriously. Procurement teams at large corporates and government departments will start asking about AI governance in supplier due diligence within the next twelve months, and the question will sound similar to how cyber security questions sounded five years ago. ISO 27001 certification became the de facto answer for cyber. ISO 42001 is on the same trajectory for AI.
An Australian business with a sophisticated AI program but no enterprise procurement pressure should use NIST AI RMF, paired with the Cyber AI Profile and ISO 42001 reference where useful. This combination gives the most depth without the cost of formal certification. It is what we recommend to professional services firms, internal product teams, and businesses where AI is deeply embedded in operations but not directly sold as a product.
An Australian business with international clients in the United States or Europe needs either ISO 42001 or NIST AI RMF, depending on which market is more important. US and global enterprises increasingly reference NIST. European buyers increasingly reference ISO and the EU AI Act. The GfAA on its own will not be enough in either market.
An Australian business already certified to ISO 27001 has a structural advantage. The management system discipline already exists. ISO 42001 layers on the existing 27001 framework with much less effort than a cold start. We would consider this the default upgrade path for any ISO 27001 organisation with a meaningful AI program.
The framing of this article as a choice between three frameworks is slightly misleading. In practice, mature AI governance programs use all three, with one as the primary anchor and the others as supporting references.
The typical pattern we recommend looks like this. ISO 42001 sits at the top as the certifiable management system. AI RMF provides the operational risk discipline that feeds into the management system. The Cyber AI Profile provides the technical security controls underneath AI RMF. The GfAA provides the Australian regulatory alignment that runs alongside, ensuring the program is defensible against local expectations.
Most Australian businesses are not at that level of maturity yet, and forcing the full stack at year one is the wrong move. The starting question is which framework anchors your program. The follow-on question is which frameworks you reference for specific gaps. The bad answer is treating any of the three as a tick-box exercise.
For most Perth and Western Australian mid-market businesses we work with, the practical entry point is the GfAA, paired with a focused shadow AI discovery exercise and a defined risk tier methodology. This produces an AI governance baseline in eight to twelve weeks that aligns with Australian regulator expectations and gives the board, insurer, and audit conversations something to point to.
For businesses with an existing ISO 27001 program, the upgrade path is ISO 42001, ideally started before procurement teams begin asking the question.
For businesses already running a sophisticated AI program internally, the NIST stack (AI RMF plus Cyber AI Profile plus COSAiS) provides the depth without the certification cost.
What we do not recommend is delay. Australia’s choice not to legislate AI directly does not mean the regulatory pressure has gone away. It means the pressure has shifted to procurement, insurance, audit, and existing laws like the Privacy Act. All four of those channels will ask the same question over the next twelve months. Organisations without a framework answer will lose contracts, pay higher premiums, fail audits, and end up on the wrong side of Privacy Act enforcement actions.
We run AI governance assessments that map your current state against ISO 42001, NIST AI RMF, and the Australian GfAA, then recommend the right anchor framework for your business context. Most clients have a defensible AI governance baseline in place within twelve weeks.