{"id":4381,"date":"2026-04-17T14:02:52","date_gmt":"2026-04-17T14:02:52","guid":{"rendered":"https:\/\/wearehandson.de\/nist-ai-rmf-der-blinde-fleck-des-mittelstands\/"},"modified":"2026-04-17T14:21:32","modified_gmt":"2026-04-17T14:21:32","slug":"nist-ai-rmf-der-blinde-fleck-des-mittelstands","status":"publish","type":"post","link":"https:\/\/wearehandson.de\/en\/nist-ai-rmf-der-blinde-fleck-des-mittelstands\/","title":{"rendered":"NIST AI RMF: The blind spot of German Mittelstand"},"content":{"rendered":"<style>.kb-row-layout-id4381_8c7bb0-7c > .kt-row-column-wrap{align-content:start;}:where(.kb-row-layout-id4381_8c7bb0-7c > .kt-row-column-wrap) > .wp-block-kadence-column{justify-content:start;}.kb-row-layout-id4381_8c7bb0-7c > .kt-row-column-wrap{column-gap:var(--global-kb-gap-md, 2rem);row-gap:var(--global-kb-gap-md, 2rem);padding-top:20px;padding-right:20px;padding-bottom:60px;padding-left:20px;grid-template-columns:minmax(0, 1fr);}.kb-row-layout-id4381_8c7bb0-7c{background-color:#FFFFFF;}.kb-row-layout-id4381_8c7bb0-7c > .kt-row-layout-overlay{opacity:0.30;}@media all and (max-width: 1024px){.kb-row-layout-id4381_8c7bb0-7c > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}@media all and (max-width: 767px){.kb-row-layout-id4381_8c7bb0-7c > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}body:not(.block-editor-page) .kb-row-layout-id1685_ne01a1-01 { position:relative; overflow:hidden; }body:not(.block-editor-page) .kb-row-layout-id1685_ne01a1-01::before { content:''; position:absolute; top:-20%; right:-10%; width:55%; height:120%; background:radial-gradient(ellipse at center,rgba(158,0,210,0.12) 0%,transparent 65%); pointer-events:none; z-index:0; }body:not(.block-editor-page) .kb-row-layout-id1685_ne01a1-01 > .kt-row-column-wrap { position:relative; z-index:1; }<\/style><div class=\"kb-row-layout-wrap kb-row-layout-id4381_8c7bb0-7c alignnone kt-row-has-bg wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-1-columns 
kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row kt-row-valign-top\">\n<style>.kadence-column4381_178c0b-c4 > .kt-inside-inner-col,.kadence-column4381_178c0b-c4 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_178c0b-c4 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_178c0b-c4 > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_178c0b-c4 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_178c0b-c4 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_178c0b-c4{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_178c0b-c4 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_178c0b-c4 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_178c0b-c4\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb, .wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb[data-kb-block=\"kb-adv-heading4381_2597de-fb\"]{padding-bottom:60px;margin-top:0px;margin-bottom:20px;text-align:center;font-size:11px;font-weight:800;font-style:normal;color:#9E00D2;}.wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb[data-kb-block=\"kb-adv-heading4381_2597de-fb\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb[data-kb-block=\"kb-adv-heading4381_2597de-fb\"] 
img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb, .wp-block-kadence-advancedheading.kt-adv-heading4381_2597de-fb[data-kb-block=\"kb-adv-heading4381_2597de-fb\"]{font-size:11px;}}<\/style>\n<h6 class=\"kt-adv-heading4381_2597de-fb ho-eyebrow wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_2597de-fb\">AI Governance \u00b7 Report<\/h6>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7, .wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7[data-kb-block=\"kb-adv-heading4381_566c94-e7\"]{max-width:900px;margin-right:auto;margin-left:auto;margin-top:0px;margin-bottom:20px;text-align:center;font-size:48px;line-height:1.08;font-weight:800;font-style:normal;text-transform:none;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7[data-kb-block=\"kb-adv-heading4381_566c94-e7\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7[data-kb-block=\"kb-adv-heading4381_566c94-e7\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7, .wp-block-kadence-advancedheading.kt-adv-heading4381_566c94-e7[data-kb-block=\"kb-adv-heading4381_566c94-e7\"]{font-size:32px;}}<\/style>\n<h1 class=\"kt-adv-heading4381_566c94-e7 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_566c94-e7\">NIST AI RMF: The Framework Germany&#8217;s Mittelstand is currently 
Underestimating<\/h1>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71, .wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71[data-kb-block=\"kb-adv-heading4381_aca21a-71\"]{max-width:720px;margin-right:auto;margin-left:auto;margin-top:0px;margin-bottom:36px;text-align:center;font-size:18px;line-height:1.65;font-weight:400;font-style:normal;text-transform:none;color:#8C8C8C;}.wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71[data-kb-block=\"kb-adv-heading4381_aca21a-71\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71[data-kb-block=\"kb-adv-heading4381_aca21a-71\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71, .wp-block-kadence-advancedheading.kt-adv-heading4381_aca21a-71[data-kb-block=\"kb-adv-heading4381_aca21a-71\"]{font-size:16px;}}<\/style>\n<h3 class=\"kt-adv-heading4381_aca21a-71 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_aca21a-71\">Microsoft built its governance program on NIST. Bitkom hasn&#8217;t even mentioned it. 
Why DACH boards need to engage with the NIST AI RMF now \u2014 and why the ISO 42001 crosswalk makes it convenient.<\/h3>\n\n\n<style>.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap{align-content:start;}:where(.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap) > .wp-block-kadence-column{justify-content:start;}.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap{column-gap:var(--global-kb-gap-md, 2rem);row-gap:var(--global-kb-gap-md, 2rem);padding-top:8px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap > div:not(.added-for-specificity){grid-column:initial;}.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap{grid-template-columns:repeat(3, minmax(0, 1fr));}.kb-row-layout-id4381_898ee0-97{background-color:transparent;}.kb-row-layout-id4381_898ee0-97 > .kt-row-layout-overlay{opacity:0.30;}@media all and (max-width: 1024px){.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap{padding-top:8px;padding-right:0px;padding-bottom:0px;padding-left:0px;grid-template-columns:repeat(3, minmax(0, 1fr));}}@media all and (max-width: 1024px){.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap > div:not(.added-for-specificity){grid-column:initial;}}@media all and (max-width: 767px){.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap > div:not(.added-for-specificity){grid-column:initial;}.kb-row-layout-id4381_898ee0-97 > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}<\/style><div class=\"kb-row-layout-wrap kb-row-layout-id4381_898ee0-97 alignnone kt-row-has-bg wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-3-columns kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row kt-row-valign-top\">\n<style>.kadence-column4381_fdcc31-31 > .kt-inside-inner-col,.kadence-column4381_fdcc31-31 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_fdcc31-31 > 
.kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_fdcc31-31 > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_fdcc31-31 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_fdcc31-31 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_fdcc31-31{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_fdcc31-31 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_fdcc31-31 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_fdcc31-31\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6, .wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6[data-kb-block=\"kb-adv-heading4381_f25cbb-c6\"]{margin-top:0px;margin-bottom:0px;text-align:center;font-size:11px;font-weight:800;font-style:normal;color:#8C8C8C;}.wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6[data-kb-block=\"kb-adv-heading4381_f25cbb-c6\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6[data-kb-block=\"kb-adv-heading4381_f25cbb-c6\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6, .wp-block-kadence-advancedheading.kt-adv-heading4381_f25cbb-c6[data-kb-block=\"kb-adv-heading4381_f25cbb-c6\"]{font-size:11px;}}<\/style>\n<h6 class=\"kt-adv-heading4381_f25cbb-c6 wp-block-kadence-advancedheading\" 
data-kb-block=\"kb-adv-heading4381_f25cbb-c6\">9 min read<\/h6>\n<\/div><\/div>\n\n\n<style>.kadence-column4381_66d77c-70 > .kt-inside-inner-col,.kadence-column4381_66d77c-70 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_66d77c-70 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_66d77c-70 > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_66d77c-70 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_66d77c-70 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_66d77c-70{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_66d77c-70 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_66d77c-70 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_66d77c-70\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2, .wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2[data-kb-block=\"kb-adv-heading4381_9c667c-a2\"]{margin-top:0px;margin-bottom:0px;text-align:center;font-size:11px;font-weight:800;font-style:normal;color:#9E00D2;}.wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2[data-kb-block=\"kb-adv-heading4381_9c667c-a2\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2[data-kb-block=\"kb-adv-heading4381_9c667c-a2\"] 
img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2, .wp-block-kadence-advancedheading.kt-adv-heading4381_9c667c-a2[data-kb-block=\"kb-adv-heading4381_9c667c-a2\"]{font-size:11px;}}<\/style>\n<h6 class=\"kt-adv-heading4381_9c667c-a2 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_9c667c-a2\">April 17, 2026<\/h6>\n<\/div><\/div>\n\n\n<style>.kadence-column4381_cfad4f-1f > .kt-inside-inner-col,.kadence-column4381_cfad4f-1f > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_cfad4f-1f > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_cfad4f-1f > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_cfad4f-1f > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_cfad4f-1f > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_cfad4f-1f{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_cfad4f-1f > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_cfad4f-1f > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_cfad4f-1f\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95, .wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95[data-kb-block=\"kb-adv-heading4381_63eda9-95\"]{margin-top:0px;margin-bottom:0px;text-align:center;font-size:11px;font-weight:800;font-style:normal;color:#8C8C8C;}.wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95[data-kb-block=\"kb-adv-heading4381_63eda9-95\"] 
mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95[data-kb-block=\"kb-adv-heading4381_63eda9-95\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95, .wp-block-kadence-advancedheading.kt-adv-heading4381_63eda9-95[data-kb-block=\"kb-adv-heading4381_63eda9-95\"]{font-size:11px;}}<\/style>\n<h6 class=\"kt-adv-heading4381_63eda9-95 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_63eda9-95\">HandsOn Insights<\/h6>\n<\/div><\/div>\n\n<\/div><\/div><\/div><\/div>\n\n<\/div><\/div>\n\n<style>.kb-row-layout-id4381_a3cdd4-ea > .kt-row-column-wrap{align-content:start;}:where(.kb-row-layout-id4381_a3cdd4-ea > .kt-row-column-wrap) > .wp-block-kadence-column{justify-content:start;}.kb-row-layout-id4381_a3cdd4-ea > .kt-row-column-wrap{column-gap:var(--global-kb-gap-md, 2rem);row-gap:var(--global-kb-gap-md, 2rem);padding-top:40px;padding-right:20px;padding-bottom:60px;padding-left:20px;grid-template-columns:minmax(0, 1fr);}.kb-row-layout-id4381_a3cdd4-ea{background-color:#FFFFFF;}.kb-row-layout-id4381_a3cdd4-ea > .kt-row-layout-overlay{opacity:0.30;}@media all and (max-width: 1024px){.kb-row-layout-id4381_a3cdd4-ea > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}@media all and (max-width: 767px){.kb-row-layout-id4381_a3cdd4-ea > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}<\/style><div class=\"kb-row-layout-wrap kb-row-layout-id4381_a3cdd4-ea alignnone kt-row-has-bg wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-1-columns kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row 
kt-row-valign-top\">\n<style>.kadence-column4381_bf55c6-27 > .kt-inside-inner-col,.kadence-column4381_bf55c6-27 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_bf55c6-27 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_bf55c6-27 > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_bf55c6-27 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_bf55c6-27 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_bf55c6-27{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_bf55c6-27 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_bf55c6-27 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_bf55c6-27\"><div class=\"kt-inside-inner-col\">\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;font-weight:400;line-height:1.75\">Microsoft&#8217;s 2025 Responsible AI Transparency Report describes a governance program built explicitly on the NIST Govern-Map-Measure-Manage loop \u2014 including 67 red-team operations against flagship Azure OpenAI and Phi model releases in 2024. Bitkom&#8217;s 2025 position papers on EU AI Act norms, AI agent security, and the EU Apply AI Strategy mention ISO\/IEC 42001 as the baseline framework. None foreground NIST AI RMF. For DACH industrial and SaaS companies that sell into the US or into procurement processes that increasingly ask for NIST-aligned evidence, that asymmetry is expensive.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The NIST AI Risk Management Framework is technically voluntary. 
In practice, the US Federal Trade Commission, the Consumer Financial Protection Bureau, the Food and Drug Administration, the Securities and Exchange Commission, and the Equal Employment Opportunity Commission all reference NIST AI RMF principles in enforcement guidance. Major AI labs build their governance on it.<\/p>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18, .wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18[data-kb-block=\"kb-adv-heading4381_68f4aa-18\"]{margin-top:32px;margin-bottom:32px;font-size:24px;line-height:1.35;font-weight:800;font-style:normal;text-transform:none;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18[data-kb-block=\"kb-adv-heading4381_68f4aa-18\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18[data-kb-block=\"kb-adv-heading4381_68f4aa-18\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18, .wp-block-kadence-advancedheading.kt-adv-heading4381_68f4aa-18[data-kb-block=\"kb-adv-heading4381_68f4aa-18\"]{font-size:22px;}}<\/style>\n<h3 class=\"kt-adv-heading4381_68f4aa-18 ho-pullquote wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_68f4aa-18\">The question German boards should be asking has moved from whether NIST AI RMF applies to why their operating model does not already incorporate it.<\/h3>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 
100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77, .wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77[data-kb-block=\"kb-adv-heading4381_684bb4-77\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77[data-kb-block=\"kb-adv-heading4381_684bb4-77\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77[data-kb-block=\"kb-adv-heading4381_684bb4-77\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77, .wp-block-kadence-advancedheading.kt-adv-heading4381_684bb4-77[data-kb-block=\"kb-adv-heading4381_684bb4-77\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_684bb4-77 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_684bb4-77\">How a voluntary US framework became de facto evidence<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The NIST AI Risk Management Framework 1.0 was published on 26 January 2023, organized around four functions: <strong>Govern<\/strong> (cross-cutting, establishes policies, roles, and accountability), <strong>Map<\/strong> (sets context and determines the initial go \/ no-go on an AI system), <strong>Measure<\/strong> (quantitative and qualitative risk assessment), and <strong>Manage<\/strong> (resource allocation and incident response). 
Its Generative AI Profile \u2014 NIST AI 600-1 \u2014 was published 18 months later, on 26 July 2024, narrowing the field to four GAI priorities: Governance, Content Provenance, Pre-deployment Testing, and Incident Disclosure.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The framework was explicitly designed to be voluntary. Elham Tabassi, then Chief of Staff of NIST&#8217;s Information Technology Laboratory and the person who led the drafting effort, closed the launch event in January 2023 with a line that has aged well.<\/p>\n\n\n\n<div style=\"background:#F8F7F5;border-left:4px solid #9E00D2;border-radius:0 8px 8px 0;padding:28px 32px 28px 36px;margin:28px 0;font-family:Montserrat,sans-serif\">\n<p style=\"font-size:19px;line-height:1.65;color:#0A0A0A;font-weight:500;font-style:italic;margin:0 0 12px\">&ldquo;Flexible to allow innovation and measurable because if you cannot measure it, you cannot improve it.&rdquo;<\/p>\n<p style=\"font-size:11px;font-weight:700;letter-spacing:0.08em;text-transform:uppercase;color:#9E00D2;margin:0\">\u2014 Elham Tabassi, then Chief of Staff, NIST Information Technology Laboratory \u00b7 AI RMF Launch, 26 January 2023<\/p>\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Regulatory gravity did the rest. Within 18 months, US sector regulators started referencing NIST AI RMF principles in enforcement guidance across financial services, healthcare, employment, and consumer protection. The practical consequence is commercial reasonableness: an enterprise that follows the framework has a defensible story when a regulator, plaintiff, or enterprise customer asks how AI risk is being managed. An enterprise that does not has a gap. 
In a March 2025 update, NIST broadened the threat categories the framework addresses \u2014 poisoning attacks, evasion attacks, data extraction, and model manipulation \u2014 moving from \u201cvoluntary guidance\u201d toward what looks increasingly like a baseline evidentiary standard.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The 2025 AI Governance Survey by The Data Exchange (350+ respondents, heavily US-concentrated) named NIST AI RMF \u201cthe most recognized framework, particularly among U.S. technical leaders.\u201d The IAPP&#8217;s AI Governance Profession Report 2025 confirms the direction: <strong>77% of organizations are working on AI governance<\/strong>, a figure that rises to roughly 90% among those already using AI in production. NIST AI RMF, ISO\/IEC 42001, and the EU AI Act anchor the conversation everywhere.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1, .wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1[data-kb-block=\"kb-adv-heading4381_d14f89-f1\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1[data-kb-block=\"kb-adv-heading4381_d14f89-f1\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1[data-kb-block=\"kb-adv-heading4381_d14f89-f1\"] 
img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1, .wp-block-kadence-advancedheading.kt-adv-heading4381_d14f89-f1[data-kb-block=\"kb-adv-heading4381_d14f89-f1\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_d14f89-f1 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_d14f89-f1\">What the four functions actually change in an operating model<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Reading the NIST AI RMF as a list of 72 subcategories across 19 categories is a way to miss the point. The functional logic is what makes the framework operational. <strong>Govern is cross-cutting<\/strong> \u2014 it sits above the other three and runs continuously. <strong>Map, Measure, and Manage apply to specific AI systems<\/strong> and specific phases of the lifecycle. An organization that adopts this structure has a clean separation between policy (Govern) and operational controls (Map \/ Measure \/ Manage) \u2014 which is precisely where most governance programmes collapse when they try to do both inside a single RACI.<\/p>\n\n\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(260px,1fr));gap:16px;font-family:Montserrat,sans-serif;margin:20px 0 28px\">\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #9E00D2;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:8px\">Function 1 \u00b7 Cross-cutting<\/div>\n<div style=\"font-size:16px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Govern<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Establishes policies, roles, and accountability. Runs continuously across every AI system. 
This is the foundation \u2014 no other function works without it.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #C600FF;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#C600FF;margin-bottom:8px\">Function 2 \u00b7 System-specific<\/div>\n<div style=\"font-size:16px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Map<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Sets the context and surfaces the go \/ no-go decision before deployment. Impact assessment, stakeholder analysis, risk categorization.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #C600FF;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#C600FF;margin-bottom:8px\">Function 3 \u00b7 System-specific<\/div>\n<div style=\"font-size:16px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Measure<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Quantitative and qualitative risk assessment in production. Metrics, red-teaming, monitoring \u2014 the evidence layer the framework asks for under audit.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #C600FF;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#C600FF;margin-bottom:8px\">Function 4 \u00b7 System-specific<\/div>\n<div style=\"font-size:16px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Manage<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Resource allocation, risk treatment, and incident response. 
What happens after Measure flags an issue \u2014 the closing loop of the system.<\/div>\n<\/div>\n\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The Generative AI Profile sharpens the picture for the systems DACH Mittelstand companies are most likely to be running in production today. Four considerations \u2014 governance, content provenance, pre-deployment testing, incident disclosure \u2014 and a risk catalogue that names hallucinations, data leakage, copyright exposure, harmful bias, disinformation, and cybersecurity misuse. What the profile prescribes is that these risk vectors get named, assessed, and monitored explicitly \u2014 less about specific controls and more about making the exposure visible. This is where most pilot-to-production transitions in the Mittelstand currently fail quietly.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The practical test of whether your operating model already thinks in Govern-Map-Measure-Manage terms is simple: can your risk function produce, on demand, (a) the policy that covers an AI system, (b) the context and go \/ no-go record from before deployment, (c) the monitoring evidence from after deployment, and (d) the incident-response plan if something breaks? 
If any of those four is missing, the management system is not operational.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a, .wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a[data-kb-block=\"kb-adv-heading4381_4e1394-8a\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a[data-kb-block=\"kb-adv-heading4381_4e1394-8a\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a[data-kb-block=\"kb-adv-heading4381_4e1394-8a\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a, .wp-block-kadence-advancedheading.kt-adv-heading4381_4e1394-8a[data-kb-block=\"kb-adv-heading4381_4e1394-8a\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_4e1394-8a wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_4e1394-8a\">Microsoft ran 67 red teams on one loop. That&#8217;s what operationalized looks like.<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The single most useful reference case for a DACH board asking what \u201cNIST-aligned governance\u201d looks like in practice is Microsoft&#8217;s 2025 Responsible AI Transparency Report. 
The report documents a scaled governance program built explicitly on the NIST Govern-Map-Measure-Manage loop.<\/p>\n\n\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(220px,1fr));gap:14px;font-family:Montserrat,sans-serif;margin:28px 0\">\n\n<div style=\"background:#F8F7F5;border-radius:8px;padding:24px 22px\"><div style=\"font-size:34px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em;margin-bottom:10px\">67<\/div><div style=\"font-size:11px;font-weight:800;letter-spacing:0.12em;text-transform:uppercase;color:#0A0A0A;margin-bottom:8px\">AI Red-Team Operations<\/div><div style=\"font-size:13px;line-height:1.6;color:#464646\">Across every flagship Azure OpenAI and Phi model release in 2024 (Microsoft 2025 RAI Transparency Report).<\/div><\/div>\n\n<div style=\"background:#F8F7F5;border-radius:8px;padding:24px 22px\"><div style=\"font-size:34px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em;margin-bottom:10px\">30<\/div><div style=\"font-size:11px;font-weight:800;letter-spacing:0.12em;text-transform:uppercase;color:#0A0A0A;margin-bottom:8px\">Responsible AI Tools<\/div><div style=\"font-size:13px;line-height:1.6;color:#464646\">With 155+ combined features. 42 added in 2024 alone. 
The Measure and Manage layer at enterprise scale.<\/div><\/div>\n\n<div style=\"background:#F8F7F5;border-radius:8px;padding:24px 22px\"><div style=\"font-size:34px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em;margin-bottom:10px\">99%<\/div><div style=\"font-size:11px;font-weight:800;letter-spacing:0.12em;text-transform:uppercase;color:#0A0A0A;margin-bottom:8px\">Trust Code Completion<\/div><div style=\"font-size:13px;line-height:1.6;color:#464646\">Microsoft personnel completion rate on the Responsible AI Trust Code \u2014 the Govern layer enforced.<\/div><\/div>\n\n<\/div>\n\n\n\n<div style=\"background:#F8F7F5;border-left:4px solid #9E00D2;border-radius:0 8px 8px 0;padding:28px 32px 28px 36px;margin:28px 0;font-family:Montserrat,sans-serif\">\n<p style=\"font-size:19px;line-height:1.65;color:#0A0A0A;font-weight:500;font-style:italic;margin:0 0 12px\">&ldquo;NIST&#8217;s efforts to align the AI Risk Management Framework with its Cybersecurity and Privacy Frameworks [&#8230;] further enable organizations to build upon existing frameworks.&rdquo;<\/p>\n<p style=\"font-size:11px;font-weight:700;letter-spacing:0.08em;text-transform:uppercase;color:#9E00D2;margin:0\">\u2014 Natasha Crampton, Vice President &amp; Chief Responsible AI Officer, Microsoft \u00b7 2025 Responsible AI Transparency Report<\/p>\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The operational architecture maps directly onto the four functions: the Responsible AI Standard plus the Frontier Governance Framework constitute Govern; the AI Red Team (AIRT) does Map; the automated measurement pipeline with policy-aligned metrics is Measure; the layered safety stack \u2014 UX, System Messages, Safety System, Model \u2014 is Manage.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Microsoft is, obviously, operating at a very different scale from a Mittelstand industrial group \u2014 and 
the useful signal is structural, not aspirational. A company that runs governance on the NIST loop has a system that produces evidence of its own operation continuously \u2014 red-team reports, measurement dashboards, sensitive-uses case logs. A company that runs governance on an annual PowerPoint cycle has policies. The difference shows up in procurement conversations, audit responses, and regulator interactions.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Anthropic&#8217;s Responsible Scaling Policy (v3, August 2025) does not cite NIST AI RMF directly but sits in the same voluntary-governance neighbourhood, using AI Safety Level (ASL) standards as its structuring device. OpenAI and Google DeepMind adopted comparable preparedness frameworks within months of Anthropic&#8217;s initial RSP release. The pattern across the frontier-AI community is consistent: voluntary, measurable, evidence-producing governance is becoming table stakes.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec, .wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec[data-kb-block=\"kb-adv-heading4381_39016f-ec\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec[data-kb-block=\"kb-adv-heading4381_39016f-ec\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec img.kb-inline-image, 
.wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec[data-kb-block=\"kb-adv-heading4381_39016f-ec\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec, .wp-block-kadence-advancedheading.kt-adv-heading4381_39016f-ec[data-kb-block=\"kb-adv-heading4381_39016f-ec\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_39016f-ec wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_39016f-ec\">The NIST \u2194 ISO 42001 crosswalk is the European angle nobody is using<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The single highest-leverage fact about NIST AI RMF for a DACH company is that NIST itself publishes an official crosswalk mapping AI RMF subcategories to ISO\/IEC 42001 clauses. The two frameworks are structurally interoperable. Govern maps to ISO 42001 Clauses 5 (Leadership) and 6 (Planning). Map and Measure map to Clause 8 (Operation). Manage maps to Clauses 9 (Performance Evaluation) and 10 (Improvement). 
Annex A controls in ISO 42001 \u2014 impact assessment, data governance, third-party AI \u2014 have clean referents in the NIST Measure and Manage categories.<\/p>\n\n\n\n<div style=\"background:#0A0A0A;border-radius:8px;padding:32px 28px;margin:28px 0;font-family:Montserrat,sans-serif;position:relative;overflow:hidden\">\n<div style=\"position:absolute;top:-30%;right:-10%;width:40%;height:160%;background:radial-gradient(ellipse at center,rgba(158,0,210,0.25) 0%,transparent 65%);pointer-events:none\"><\/div>\n<div style=\"position:relative;z-index:1\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#DA6DFF;margin-bottom:10px\">EU AI Act coverage via either framework<\/div>\n<div style=\"font-size:44px;font-weight:800;color:#DA6DFF;line-height:1.05;letter-spacing:-0.03em;margin-bottom:10px\">60\u201370%<\/div>\n<div style=\"font-size:14.5px;line-height:1.6;color:rgba(255,255,255,0.75);font-weight:400;max-width:560px\">Of EU AI Act management-system and risk-governance requirements are covered by operationalizing NIST AI RMF or ISO 42001 (EU AI Compass analysis, March 2026). The remaining 30\u201340% is EU-specific: conformity assessment, CE marking, database registration, mandatory incident reporting.<\/div>\n<\/div>\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">For the DACH enterprise with US customers, US procurement exposure, or a US corporate parent, this is the answer to the \u201cISO 42001 or NIST AI RMF?\u201d question. Operationalize one of them. Certify against ISO 42001 for the European regulator and commercial customer. Maintain NIST AI RMF alignment \u2014 evidence, not certification \u2014 for the US market and for US-headquartered enterprise buyers whose procurement teams are already asking for it. The crosswalk means the underlying management system is the same. 
The audit trail differs; the control design does not.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55, .wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55[data-kb-block=\"kb-adv-heading4381_e5385e-55\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55[data-kb-block=\"kb-adv-heading4381_e5385e-55\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55[data-kb-block=\"kb-adv-heading4381_e5385e-55\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55, .wp-block-kadence-advancedheading.kt-adv-heading4381_e5385e-55[data-kb-block=\"kb-adv-heading4381_e5385e-55\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_e5385e-55 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_e5385e-55\">Where the HandsOn AI Operating Model anchors this<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The HandsOn AI Operating Model treats AI governance as an organizational-design problem, not a standards-selection problem. Two domains carry the load. <strong>System Governance (D03)<\/strong> asks how the organization governs AI systems across their full lifecycle in a way that is operationally embedded. 
<strong>Decision Architecture (D04)<\/strong> asks who is authorized to let AI decide \u2014 at what autonomy level, under what conditions. NIST AI RMF Govern is the standard surface for D03. NIST Map and Measure feed into D04 when the impact-assessment and risk-measurement outputs shape who gets to approve autonomy escalation for a given decision type.<\/p>\n\n\n\n<div style=\"display:grid;grid-template-columns:repeat(auto-fit,minmax(280px,1fr));gap:16px;font-family:Montserrat,sans-serif;margin:20px 0 28px\">\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #9E00D2;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:8px\">NIST Govern \u2192 D03<\/div>\n<div style=\"font-size:15px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">System Governance<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">NIST&#8217;s cross-cutting Govern function is the standard surface for HandsOn&#8217;s D03. Policies, roles, accountability \u2014 operationalized, not archived.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #C600FF;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#C600FF;margin-bottom:8px\">NIST Map + Measure \u2192 D04<\/div>\n<div style=\"font-size:15px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Decision Architecture<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Impact assessment and risk measurement shape who gets to approve autonomy escalation for a given decision type. 
Standard outputs, framework decisions.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #9E00D2;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:8px\">Core Artefact \u00b7 Map + Manage<\/div>\n<div style=\"font-size:15px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Decision Rights Registry<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Every AI-enabled decision type with autonomy level, authority, evidence standard, recalibration trigger. Exactly what a NIST-aligned audit asks for.<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-left:3px solid #C600FF;border-radius:8px;padding:22px 24px\">\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#C600FF;margin-bottom:8px\">Design Core \u00b7 Human Oversight<\/div>\n<div style=\"font-size:15px;font-weight:800;color:#0A0A0A;margin-bottom:8px;letter-spacing:-0.01em\">Human-AI Interface<\/div>\n<div style=\"font-size:13px;line-height:1.6;color:#464646\">Four autonomy levels \u2014 Human-in-the-Loop (HITL), AI decides \/ human reviews, AI decides \/ human notified, Human-in-the-Exception. NIST&#8217;s human-oversight language, made operational.<\/div>\n<\/div>\n\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Every decision type in the registry gets classified into one of the four autonomy levels. That classification is the operating system. The NIST alignment is the documentation layer on top. 
Build the registry for governance reasons and the NIST and ISO 42001 artefacts fall out as side effects.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50, .wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50[data-kb-block=\"kb-adv-heading4381_c02b67-50\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50 mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50[data-kb-block=\"kb-adv-heading4381_c02b67-50\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50[data-kb-block=\"kb-adv-heading4381_c02b67-50\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50, .wp-block-kadence-advancedheading.kt-adv-heading4381_c02b67-50[data-kb-block=\"kb-adv-heading4381_c02b67-50\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_c02b67-50 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_c02b67-50\">What the Vorstand decides when \u201cvoluntary\u201d starts costing deals<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">For a DACH industrial or SaaS company with AI in production and no NIST-aligned evidence layer, three decisions belong on the next Vorstand agenda.<\/p>\n\n\n\n<div 
style=\"display:flex;flex-direction:column;gap:16px;font-family:Montserrat,sans-serif;margin:20px 0 28px\">\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-radius:10px;padding:26px 30px;display:grid;grid-template-columns:80px 1fr;gap:20px;align-items:start\">\n<div>\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:4px\">Decision 1<\/div>\n<div style=\"font-size:36px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em\">01<\/div>\n<\/div>\n<div>\n<div style=\"font-size:18px;font-weight:800;color:#0A0A0A;margin-bottom:10px;letter-spacing:-0.01em\">Pick an anchor framework and operationalize it<\/div>\n<div style=\"font-size:14.5px;line-height:1.7;color:#464646\">The honest commercial answer for a DACH-headquartered company selling into Europe is ISO 42001 for certification plus NIST AI RMF as the internal operating logic \u2014 the crosswalk makes dual evidence cheap. The failure mode is picking neither and running a bespoke programme that produces no externally recognized evidence.<\/div>\n<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-radius:10px;padding:26px 30px;display:grid;grid-template-columns:80px 1fr;gap:20px;align-items:start\">\n<div>\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:4px\">Decision 2<\/div>\n<div style=\"font-size:36px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em\">02<\/div>\n<\/div>\n<div>\n<div style=\"font-size:18px;font-weight:800;color:#0A0A0A;margin-bottom:10px;letter-spacing:-0.01em\">Map where NIST evidence is commercially required<\/div>\n<div style=\"font-size:14.5px;line-height:1.7;color:#464646\">US Fortune 500 procurement questionnaires, federal contractors, and increasingly European financial-services customers routinely ask for NIST AI RMF alignment. 
First Q2 task: map the current customer base and pipeline against the question. If 15% of revenue or more depends on buyers who ask it, the answer needs to be ready by Q3.<\/div>\n<\/div>\n<\/div>\n\n<div style=\"background:#FFFFFF;border:1px solid #E6E6E6;border-radius:10px;padding:26px 30px;display:grid;grid-template-columns:80px 1fr;gap:20px;align-items:start\">\n<div>\n<div style=\"font-size:10px;font-weight:800;letter-spacing:0.14em;text-transform:uppercase;color:#9E00D2;margin-bottom:4px\">Decision 3<\/div>\n<div style=\"font-size:36px;font-weight:800;color:#9E00D2;line-height:1;letter-spacing:-0.03em\">03<\/div>\n<\/div>\n<div>\n<div style=\"font-size:18px;font-weight:800;color:#0A0A0A;margin-bottom:10px;letter-spacing:-0.01em\">Put one accountable executive on the management system<\/div>\n<div style=\"font-size:14.5px;line-height:1.7;color:#464646\">The NACD 2025 survey found only 27% of boards formally include AI governance in committee charters. The IAPP 2025 report named &ldquo;finding people skilled across AI, governance, risk, compliance, and policy translation&rdquo; as the top challenge, cited by 23.5%. The role does not live in IT \u2014 it lives next to Risk, Strategy, or Transformation, with direct access to the Vorstand.<\/div>\n<\/div>\n<\/div>\n\n<\/div>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">These three decisions can be taken in a single Vorstand meeting. 
The sequencing work \u2014 dual-compliance scoping, procurement-exposure mapping, executive search if needed \u2014 starts the day after.<\/p>\n\n\n\n<div style=\"max-width:760px;margin:36px auto 12px;padding:0\">\n<div style=\"width:60px;height:2px;background:linear-gradient(90deg,#9E00D2 0%,transparent 100%);margin:0\"><\/div>\n<\/div>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c, .wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c[data-kb-block=\"kb-adv-heading4381_0a3c03-0c\"]{margin-top:16px;margin-bottom:20px;font-size:32px;line-height:1.2;font-weight:800;font-style:normal;color:#0A0A0A;}.wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c[data-kb-block=\"kb-adv-heading4381_0a3c03-0c\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c[data-kb-block=\"kb-adv-heading4381_0a3c03-0c\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c, .wp-block-kadence-advancedheading.kt-adv-heading4381_0a3c03-0c[data-kb-block=\"kb-adv-heading4381_0a3c03-0c\"]{font-size:26px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_0a3c03-0c wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_0a3c03-0c\">Germany&#8217;s NIST blind spot is a commercial risk<\/h2>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">Bitkom&#8217;s 2025 position papers on EU AI Act norms, AI agent security, and the EU Apply AI Strategy do the work they were written for \u2014 representing the German industry position to EU policymakers. 
They do not surface NIST AI RMF as a governance anchor the Mittelstand needs to engage with. That omission reflects what DACH enterprise leaders are currently reading, benchmarking against, and planning around \u2014 which is precisely where the commercial exposure begins.<\/p>\n\n\n\n<p class=\"has-text-color\" style=\"color:#2B2B2B;font-size:17px;line-height:1.8\">The August 2026 EU AI Act deadline is four months away. The NIST AI RMF 1.1 addenda are expected through the same period. Microsoft, Anthropic, and OpenAI are already running operationalized governance programmes against either NIST or an equivalent voluntary framework. The DACH companies that cross-walk their ISO 42001 work to NIST AI RMF now \u2014 using the official NIST crosswalk as the starting document \u2014 have a dual-evidence story ready for both markets. The companies that treat NIST as an American curiosity will discover, deal by deal, that their buyers have moved.<\/p>\n<\/div><\/div>\n\n<\/div><\/div>\n\n<style>.kb-row-layout-id4381_fb22b0-bc > .kt-row-column-wrap{align-content:start;}:where(.kb-row-layout-id4381_fb22b0-bc > .kt-row-column-wrap) > .wp-block-kadence-column{justify-content:start;}.kb-row-layout-id4381_fb22b0-bc > .kt-row-column-wrap{column-gap:var(--global-kb-gap-md, 2rem);row-gap:var(--global-kb-gap-md, 2rem);padding-top:80px;padding-right:24px;padding-bottom:80px;padding-left:24px;grid-template-columns:minmax(0, 1fr);}.kb-row-layout-id4381_fb22b0-bc{background-color:#0A0A0A;}.kb-row-layout-id4381_fb22b0-bc > .kt-row-layout-overlay{opacity:0.30;}@media all and (max-width: 1024px){.kb-row-layout-id4381_fb22b0-bc > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}@media all and (max-width: 767px){.kb-row-layout-id4381_fb22b0-bc > .kt-row-column-wrap{grid-template-columns:minmax(0, 1fr);}}body:not(.block-editor-page) .kb-row-layout-id1685_ne092a-81 { position:relative; overflow:hidden; }body:not(.block-editor-page) .kb-row-layout-id1685_ne092a-81::before { 
content:''; position:absolute; top:-30%; right:-10%; width:55%; height:160%; background:radial-gradient(ellipse at center,rgba(158,0,210,0.22) 0%,transparent 65%); pointer-events:none; z-index:0; }body:not(.block-editor-page) .kb-row-layout-id1685_ne092a-81 > .kt-row-column-wrap { position:relative; z-index:1; }<\/style><div class=\"kb-row-layout-wrap kb-row-layout-id4381_fb22b0-bc alignnone kt-row-has-bg wp-block-kadence-rowlayout\"><div class=\"kt-row-column-wrap kt-has-1-columns kt-row-layout-equal kt-tab-layout-inherit kt-mobile-layout-row kt-row-valign-top\">\n<style>.kadence-column4381_a0299a-88 > .kt-inside-inner-col,.kadence-column4381_a0299a-88 > .kt-inside-inner-col:before{border-top-left-radius:0px;border-top-right-radius:0px;border-bottom-right-radius:0px;border-bottom-left-radius:0px;}.kadence-column4381_a0299a-88 > .kt-inside-inner-col{column-gap:var(--global-kb-gap-sm, 1rem);}.kadence-column4381_a0299a-88 > .kt-inside-inner-col{flex-direction:column;}.kadence-column4381_a0299a-88 > .kt-inside-inner-col > .aligncenter{width:100%;}.kadence-column4381_a0299a-88 > .kt-inside-inner-col:before{opacity:0.3;}.kadence-column4381_a0299a-88{position:relative;}@media all and (max-width: 1024px){.kadence-column4381_a0299a-88 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}@media all and (max-width: 767px){.kadence-column4381_a0299a-88 > .kt-inside-inner-col{flex-direction:column;justify-content:center;}}<\/style>\n<div class=\"wp-block-kadence-column kadence-column4381_a0299a-88\"><div class=\"kt-inside-inner-col\"><style>.wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01, .wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01[data-kb-block=\"kb-adv-heading4381_418c87-01\"]{margin-top:0px;margin-bottom:16px;text-align:center;font-size:11px;font-weight:800;font-style:normal;color:#DA6DFF;}.wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01 mark.kt-highlight, 
.wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01[data-kb-block=\"kb-adv-heading4381_418c87-01\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01 img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01[data-kb-block=\"kb-adv-heading4381_418c87-01\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01, .wp-block-kadence-advancedheading.kt-adv-heading4381_418c87-01[data-kb-block=\"kb-adv-heading4381_418c87-01\"]{font-size:11px;}}<\/style>\n<h6 class=\"kt-adv-heading4381_418c87-01 wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_418c87-01\">HandsOn \u00b7 AI Governance Anchor Diagnostic<\/h6>\n\n\n<style>.wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b, .wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b[data-kb-block=\"kb-adv-heading4381_3b57be-9b\"]{margin-top:0px;margin-bottom:18px;text-align:center;font-size:34px;line-height:1.2;font-weight:800;font-style:normal;color:#FFFFFF;}.wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b mark.kt-highlight, .wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b[data-kb-block=\"kb-adv-heading4381_3b57be-9b\"] mark.kt-highlight{font-style:normal;color:#f76a0c;-webkit-box-decoration-break:clone;box-decoration-break:clone;padding-top:0px;padding-right:0px;padding-bottom:0px;padding-left:0px;}.wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b img.kb-inline-image, .wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b[data-kb-block=\"kb-adv-heading4381_3b57be-9b\"] img.kb-inline-image{width:150px;vertical-align:baseline;}@media all and (max-width: 
767px){.wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b, .wp-block-kadence-advancedheading.kt-adv-heading4381_3b57be-9b[data-kb-block=\"kb-adv-heading4381_3b57be-9b\"]{font-size:28px;}}<\/style>\n<h2 class=\"kt-adv-heading4381_3b57be-9b wp-block-kadence-advancedheading\" data-kb-block=\"kb-adv-heading4381_3b57be-9b\">Is NIST AI RMF on your Vorstand&#8217;s agenda yet?<\/h2>\n\n\n\n<p class=\"has-text-align-center has-text-color\" style=\"color:#B2B2B2;font-size:16px;line-height:1.7;max-width:580px;margin-left:auto;margin-right:auto\">A two-week AI Governance Anchor diagnostic grounded in the HandsOn AI Operating Model \u2014 ownership, scope, the NIST \u2194 ISO 42001 crosswalk, Decision Rights Registry, and a 30\/60\/90 plan that maps commercial exposure by market.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-content-justification-center is-layout-flex wp-container-core-buttons-is-layout-5590e8cb wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-white-color has-text-color has-background has-custom-font-size wp-element-button\" href=\"https:\/\/wearehandson.de\/en\/what-we-think\/tools\/maturity-assessment\/\" style=\"border-radius:4px;background-color:#9E00D2;padding-top:14px;padding-right:30px;padding-bottom:14px;padding-left:30px;font-size:12px;font-weight:800;letter-spacing:0.08em;text-transform:uppercase\">Take the Assessment \u2192<\/a><\/div>\n\n\n\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link has-white-color has-text-color has-background has-border-color has-custom-font-size wp-element-button\" href=\"https:\/\/wearehandson.de\/en\/contact\/\" 
style=\"border-color:rgba(255,255,255,0.25);border-width:1px;border-radius:4px;background-color:transparent;padding-top:14px;padding-right:30px;padding-bottom:14px;padding-left:30px;font-size:12px;font-weight:700;letter-spacing:0.08em;text-transform:uppercase\">Book a Meeting<\/a><\/div>\n<\/div>\n<\/div><\/div>\n\n<\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>AI Governance \u00b7 Report NIST AI RMF: The Framework Germany&#8217;s Mittelstand is currently Underestimating Microsoft built its governance program on NIST. Bitkom hasn&#8217;t even mentioned it. Why DACH boards need to engage with the NIST AI RMF now \u2014 and why the ISO 42001 crosswalk makes it convenient. 9 min read April 17, 2026 HandsOn&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","inline_featured_image":false,"_kadence_starter_templates_imported_post":false,"_kad_post_transparent":"","_kad_post_title":"hide","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[8],"tags":[27,30,25,29,28],"class_list":["post-4381","post","type-post","status-publish","format-standard","hentry","category-report","tag-eu-ai-act","tag-handson-ai-operating-model","tag-iso-42001","tag-ki-governance","tag-nist-ai-rmf"],"_links":{"self":[{"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/posts\/4381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/wearehandson.de\/en\/wp
-json\/wp\/v2\/comments?post=4381"}],"version-history":[{"count":4,"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/posts\/4381\/revisions"}],"predecessor-version":[{"id":4386,"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/posts\/4381\/revisions\/4386"}],"wp:attachment":[{"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/media?parent=4381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/categories?post=4381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/wearehandson.de\/en\/wp-json\/wp\/v2\/tags?post=4381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}