A transatlantic enterprise facing both the NIST AI Risk Management Framework in the United States and the EU AI Act in Europe will be told, often by separate advisers selling separate programmes, that it must run two AI governance functions. This is wrong, expensive, and the source of most of the duplication we are called in to unwind. The two regimes differ sharply in their legal character, but they overlap heavily in the controls they actually demand, and a single internal control catalogue can satisfy both with one set of evidence. The work is in building the catalogue once and mapping it twice, not in running two programmes.
The differences are real and worth stating plainly. The NIST AI RMF is voluntary guidance, structured around four functions, Govern, Map, Measure and Manage, and it tells you how to manage risk without telling you that you must. The EU AI Act is binding law with a risk-tiered structure, prohibited practices, specific obligations for high-risk systems, and penalties reaching the higher of 35m euro or 7 percent of global annual turnover for the most serious breaches. One is a framework you adopt; the other is a statute you obey. But underneath, both demand that you inventory your systems, assess their risk, document their design, test their performance, monitor them in production, and assign accountability. Those are the same controls.
Why one catalogue beats two programmes
The duplication trap is to stand up a NIST workstream and an EU AI Act workstream as separate efforts, each with its own inventory, its own risk assessments, its own documentation templates and its own evidence store. Within a year you have two inventories that disagree, two risk ratings for the same system, and an audit in either jurisdiction that surfaces the inconsistencies in the other. We have seen organisations spend more reconciling their two programmes than either programme cost to build, which is the worst possible outcome: double the cost and less assurance than a single coherent function would have given.
The alternative is a single internal control catalogue: one inventory of AI systems, one risk-classification method, one documentation standard, one evidence repository, one accountability map. Each control in the catalogue carries two mapping tags, one to the relevant NIST function and category, one to the relevant EU AI Act article. When a control is satisfied, it is satisfied for both regimes at once and the evidence is produced once. This is the same approach mature firms already use to run one set of security controls against ISO 27001 and SOC 2 simultaneously, and the logic transfers directly.
The practical payoff is that adding a third regime later, a sector regulator, a UK regime, a future state law, becomes a new column of mapping tags against the existing catalogue rather than a new programme. You are extending a structure rather than building another silo, and the marginal cost of each additional regime falls instead of repeating in full.
Where the mapping is clean, and where it is not
Much of the mapping is clean. NIST's Govern function maps closely onto the EU AI Act's governance, accountability and quality-management requirements. NIST Map, which covers establishing context and inventorying systems, maps onto the Act's risk-classification and system-documentation obligations. NIST Measure maps onto the Act's testing, accuracy and robustness requirements for high-risk systems. NIST Manage maps onto post-market monitoring and incident reporting. A control that satisfies a NIST category will, in most cases, produce evidence the corresponding EU AI Act article also wants.
Where the mapping is not clean, the gaps run almost entirely in one direction: the EU AI Act demands specific things NIST does not, because the Act is law and law is specific. The Act prohibits certain practices outright, such as untargeted facial-recognition scraping and most social scoring, with no NIST equivalent because a voluntary framework does not ban anything. It requires registration of certain high-risk systems in an EU database, conformity assessment before market placement, and defined transparency obligations such as labelling AI-generated content and disclosing when a person is interacting with an AI system. These are legal requirements with no NIST counterpart, and they must be added to the catalogue as EU-specific controls rather than assumed to fall out of the NIST mapping.
The honest framing for the catalogue, then, is NIST as the backbone and the EU AI Act as the binding overlay that adds specific, non-negotiable controls on top. Build the catalogue around the four NIST functions because they give you a clean, well-understood structure, then add the EU-specific controls the Act requires by law and tag everything to both. You get the coherence of a single framework and the legal coverage of the statute, run by one function producing one evidence base.
Starting the catalogue
The sequence matters and it mirrors what works for any control programme: inventory before policy. Build the single inventory of AI systems first, across both jurisdictions, because every downstream control depends on knowing the population, and most organisations overestimate the completeness of their inventory by 30 to 50 percent. Classify each system once, against a method that captures both the NIST risk framing and the EU AI Act's risk tiers, so a system is rated once and that rating drives obligations in both regimes. Only then write the controls, and write each one to a single standard with both sets of mapping tags attached.
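As an added illustration of the structure described above (this is constructed example code, not material from the article or any firm's actual catalogue), the following models the single control catalogue as data: every control carries a NIST AI RMF function tag and/or an EU AI Act obligation tag, evidence artefacts are recorded once against the control, and helper functions report per-regime coverage gaps, list the EU-only overlay controls, and index which tags each evidence artefact satisfies. The EU obligation labels (for example `EUAIA:post-market-monitoring`), the control identifiers and the evidence artefact names are placeholders chosen here; they are not the Act's article numbers or any organisation's real identifiers. The sample catalogue deliberately omits the EU database-registration obligation so that the gap check has something to find.

```python
"""Single AI-governance control catalogue with dual mapping tags.

Constructed illustration: each control is tagged to the NIST AI RMF
function(s) it serves and to the EU AI Act obligation(s) it serves, so one
evidence artefact is produced once and shown to satisfy both regimes.
All tag labels, control ids and evidence names below are placeholders.
"""
from dataclasses import dataclass

# The four NIST AI RMF functions named in the article.
NIST_FUNCTIONS = {"GOVERN", "MAP", "MEASURE", "MANAGE"}

# Constructed, descriptive labels for EU AI Act obligations (not article numbers).
EU_OBLIGATIONS = {
    "EUAIA:quality-management",
    "EUAIA:risk-classification",
    "EUAIA:technical-documentation",
    "EUAIA:testing-accuracy-robustness",
    "EUAIA:post-market-monitoring",
    "EUAIA:incident-reporting",
    "EUAIA:prohibited-practices",
    "EUAIA:eu-database-registration",
    "EUAIA:conformity-assessment",
    "EUAIA:transparency-labelling",
}


@dataclass(frozen=True)
class Control:
    control_id: str
    title: str
    nist: frozenset = frozenset()   # NIST functions this control maps to
    eu: frozenset = frozenset()     # EU AI Act obligations this control maps to
    evidence: tuple = ()            # artefacts produced once, reused for both regimes


def build_catalogue() -> list[Control]:
    """Constructed sample catalogue: NIST backbone plus EU-only overlay controls."""
    fs = frozenset
    return [
        Control("AI-01", "Inventory of AI systems", fs({"MAP"}), fs({"EUAIA:risk-classification"}), ("inventory-register",)),
        Control("AI-02", "Accountability map and governance roles", fs({"GOVERN"}), fs({"EUAIA:quality-management"}), ("accountability-map",)),
        Control("AI-03", "System design documentation", fs({"MAP"}), fs({"EUAIA:technical-documentation"}), ("design-dossier",)),
        Control("AI-04", "Pre-deployment performance testing", fs({"MEASURE"}), fs({"EUAIA:testing-accuracy-robustness"}), ("test-report",)),
        Control("AI-05", "Production monitoring", fs({"MANAGE"}), fs({"EUAIA:post-market-monitoring"}), ("monitoring-export",)),
        Control("AI-06", "AI incident handling and reporting", fs({"MANAGE"}), fs({"EUAIA:incident-reporting"}), ("incident-log",)),
        # EU-specific overlay: binding obligations with no NIST counterpart.
        Control("EU-01", "Prohibited-practice screening of use cases", eu=fs({"EUAIA:prohibited-practices"}), evidence=("use-case-screening-record",)),
        Control("EU-02", "Conformity assessment before market placement", eu=fs({"EUAIA:conformity-assessment"}), evidence=("conformity-declaration",)),
        Control("EU-03", "Transparency and AI-content labelling", eu=fs({"EUAIA:transparency-labelling"}), evidence=("disclosure-notice",)),
    ]


def required_tags(regime: str) -> set[str]:
    """Tags a regime expects the catalogue to cover."""
    if regime == "nist":
        return set(NIST_FUNCTIONS)
    if regime == "eu":
        return set(EU_OBLIGATIONS)
    raise ValueError(f"unknown regime: {regime}")


def gaps(catalogue: list[Control], regime: str) -> set[str]:
    """Required tags of one regime that no control in the catalogue maps to."""
    covered: set[str] = set()
    for c in catalogue:
        covered |= c.nist if regime == "nist" else c.eu
    return required_tags(regime) - covered


def eu_only_controls(catalogue: list[Control]) -> list[str]:
    """Ids of overlay controls that exist only because the Act demands them."""
    return [c.control_id for c in catalogue if c.eu and not c.nist]


def evidence_index(catalogue: list[Control]) -> dict[str, set[str]]:
    """Map each evidence artefact to every tag, in both regimes, it satisfies."""
    index: dict[str, set[str]] = {}
    for c in catalogue:
        for artefact in c.evidence:
            index.setdefault(artefact, set()).update(c.nist, c.eu)
    return index


def validate(catalogue: list[Control]) -> list[str]:
    """Structural problems: duplicate ids, untagged controls, unknown tags, no evidence."""
    problems, seen = [], set()
    for c in catalogue:
        if c.control_id in seen:
            problems.append(f"{c.control_id}: duplicate control id")
        seen.add(c.control_id)
        if not c.nist and not c.eu:
            problems.append(f"{c.control_id}: no mapping tag for either regime")
        for tag in sorted(c.nist - NIST_FUNCTIONS):
            problems.append(f"{c.control_id}: unknown NIST tag {tag}")
        for tag in sorted(c.eu - EU_OBLIGATIONS):
            problems.append(f"{c.control_id}: unknown EU tag {tag}")
        if not c.evidence:
            problems.append(f"{c.control_id}: no evidence artefact defined")
    return problems


if __name__ == "__main__":
    cat = build_catalogue()
    print("validation:", validate(cat) or "ok")
    for regime in ("nist", "eu"):
        print(f"{regime} gaps:", sorted(gaps(cat, regime)) or "none")
    print("EU-only overlay:", eu_only_controls(cat))
    print("test-report satisfies:", sorted(evidence_index(cat)["test-report"]))
```

Running it reports no NIST gaps, one EU gap (the omitted registration obligation), the three overlay controls, and shows that a single test report artefact evidences both NIST Measure and the Act's testing obligation. Adding a third regime is a new tag set and a new branch in `required_tags`, not a new catalogue.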
This is roughly a one-quarter exercise to stand up for a mid-sized enterprise with a contained AI estate, and it pays for itself the first time either an EU notified body or a US model-risk function asks for evidence, because the answer is one catalogue and one repository rather than a scramble across two programmes. The firms that get this right are not the ones with the largest governance budgets. They are the ones that refused to build the second programme in the first place.
