Making sense of AI frameworks

As AI adoption accelerates, organisations face a growing number of frameworks guiding its responsible use. Despite headline regulations such as the EU AI Act, the landscape remains evolving and fragmented. This article breaks down key frameworks and what they mean for compliance, governance, and trust.

Fabian Plattner

Senior Manager, Digital Assurance & Trust, PwC Switzerland

Email

Angelo Mathis

Senior Manager, Digital Assurance & Trust, PwC Switzerland

Email

As artificial intelligence (AI) becomes increasingly embedded in business operations, the regulatory and governance landscape surrounding its use is evolving rapidly. From risk-based regulation to cloud-specific audit criteria and international management standards, a wide range of frameworks now influence how organisations build, deploy, and oversee AI systems – each aiming to promote the responsible, transparent, and trustworthy use of AI.

Yet with so many overlapping requirements and varying scopes, companies face a fundamental question: where to focus?

We compare the most relevant AI frameworks currently shaping the compliance and governance agenda – and explain how a structured overview can help organisations navigate complexity, set priorities, and concentrate on what truly matters for their business.

Four frameworks, four perspectives

While all the major AI frameworks mandate the responsible use of AI, they originate from different domains: law, compliance, risk, cloud infrastructure, and management systems. As a result, their purpose, scope, enforceability, and practical implications differ significantly. While they all tend to address similar themes – such as transparency, risk, data management, and accountability – they do so from different starting points and with distinct underlying objectives.

A risk-based approach to AI regulation: the EU AI Act

The EU AI Act is the most far-reaching and influential AI regulation introduced to date. It establishes a binding, risk-based framework that applies to all AI systems deployed in the EU market. The Act classifies AI systems by risk level, imposing strict obligations on high-risk applications such as those used in healthcare, recruitment, or law enforcement. Requirements include transparency, human oversight, data quality, bias mitigation, and post-market monitoring. Certain uses, such as social scoring or real-time biometric surveillance in public spaces, are banned altogether. The Act formally entered into force in August 2024 and will be phased in gradually through 2027. Non-compliance with the Act can lead to significant penalties.

Ensuring trust in cloud-based AI: the AI Cloud Services Compliance Criteria Catalogue (AIC4)

Developed by Germany’s Federal Office for Information Security (BSI), AIC4 defines audit criteria for AI functionality delivered through cloud services. It builds on cloud security frameworks by introducing AI-specific controls related to explainability, reliability, adversarial testing, and operational assurance. As cloud-based AI continues to scale, AIC4 helps organisations assess the trustworthiness of their systems and prepare for audits – making it especially relevant for AI-as-a-Service providers and users of large-scale cloud-hosted models.

The key data protection law: GDPR and its role in AI

Although not designed specifically for AI, the General Data Protection Regulation (GDPR) is the foundation of data protection in the EU. It applies to any organisation processing the personal data of EU residents and sets out legally binding principles such as lawfulness, fairness, transparency, and data minimisation. GDPR explicitly regulates profiling and automated decision-making, granting individuals the right to understand and challenge decisions that significantly affect them. In practice, organisations must conduct Data Protection Impact Assessments (DPIAs) and may be required to appoint a Data Protection Officer (DPO). Aligning AI systems with GDPR is essential for ensuring both compliance and trust.

Establishing an AI Management System: ISO/IEC 42001

ISO/IEC 42001 is the first certifiable international standard for AI management systems. It provides a structured governance framework to help organisations define responsibilities, assess and mitigate risks, and integrate ethical principles across the AI lifecycle. The standard supports the operationalisation of AI governance through internal audits, oversight roles, and continuous improvement based on a Plan-Do-Check-Act (PDCA) cycle. It also aligns with related standards such as ISO/IEC 27001 (information security) and ISO/IEC 27701 (privacy management), enabling a cohesive approach to AI, security, and data protection. For organisations seeking to go beyond compliance, ISO/IEC 42001 offers a practical blueprint for embedding trustworthy AI at scale.

Why a comparative view matters for your organisation

Navigating the AI regulatory landscape is no longer just about ticking compliance boxes – it’s about bringing clarity to a fragmented and fast-evolving environment. With a mix of binding rules, voluntary standards, and sector-specific requirements, organisations need practical tools to distinguish what is mandatory, what is advisable, and what is most relevant to their specific use cases. A structured comparison provides exactly that: a clear, consolidated view that supports confident, well-informed decisions about AI governance, and helps align them with both legal and ethical requirements.

While reviewing each framework individually is helpful, understanding how they relate to one another offers far greater value. Our AI framework comparison table is a strategic tool that enables clients to:

Clarify regulatory complexity

Companies face a jungle of mandatory and voluntary requirements. The comparison provides a clear, visual breakdown to support prioritisation.

Streamline compliance efforts

By identifying overlapping requirements, clients can design smarter, more efficient compliance strategies and avoid duplication — where a single action, such as a risk assessment, may fulfil multiple framework requirements at once.

Prepare proactively

With the EU AI Act enforcement approaching, the table helps pinpoint compliance gaps and supports audit readiness.

Focus on what really matters

Each framework highlights different principles – from governance (ISO 42001) to accountability (GDPR) and transparency (EU AI Act) – helping organisations build trustworthy AI programmes aligned to their values.

Support better decision-making

The visual, structured format makes it easier for non-technical stakeholders – such as CIOs, CISOs, risk managers, and board members – to understand AI-related risks, ask the right questions, and make informed choices.

How key AI frameworks address core governance themes

Topic	How it’s addressed across frameworks
Scope and applicability	EU AI Act: Risk-based regulation for all AI systems placed on or used in the EU market; applies to both EU and non-EU providers. AIC4: Criteria developed by BSI for assessing cloud-based AI services; focuses on operational assurance, transparency, and reliability. GDPR: Core EU data privacy law; applies globally to any organisation processing personal data of EU residents. ISO/IEC 42001: Global management system standard for organisations building or using AI; certifiable and focused on governance and continuous improvement.
Risk management	Mandatory and continuous under the EU AI Act and ISO/IEC 42001; adversarial testing and fallback strategy design in AIC4; Data Protection Impact Assessments (DPIAs) required under GDPR for high-risk processing.
Data governance & Quality	Dataset quality, bias reduction, and representativeness required under the AI Act; integrity, traceability, and documentation enforced by AIC4; data minimisation and purpose limitation under GDPR; ongoing quality controls and data lineage in ISO/IEC 42001.
Transparency & Documentation	Design documentation and user disclosure required by the AI Act; explainability and traceability built into AIC4 and ISO/IEC 42001; user rights to information and logic under GDPR.
Human oversight	Mandatory across all frameworks: override and monitoring mechanisms in the AI Act and AIC4; structured governance roles in ISO/IEC 42001; right to human intervention in automated decisions under GDPR.
Security and resilience	Security-by-design, logging, and fallback mechanisms under the AI Act; adversarial testing, robustness, and incident response in AIC4; full lifecycle security planning and redundancy in ISO/IEC 42001; technical safeguards (e.g. encryption) required under GDPR.
Accountability & Governance	Role clarity and performance monitoring required by the AI Act; responsibility assignment and audit trails in AIC4; accountability principle and DPO obligations under GDPR; full governance system and internal audits under ISO/IEC 42001.
Ethics and fairness	Bias mitigation and protection of fundamental rights in the AI Act and AIC4; fairness-performance trade-offs and stakeholder impacts considered under ISO/IEC 42001; fairness and non-discrimination mandated under GDPR.
Enforcement and certification	Legally binding under the AI Act and GDPR; voluntary attestation and audit readiness under AIC4; certifiable framework and periodic audits in ISO/IEC 42001.

Turning insights into action

Comparing frameworks is an important first step – but the real value lies in taking action. We encourage organisations to assess where they currently stand: Which AI systems are in use? Which principles are already addressed? Where are the gaps? This self-assessment forms the basis for a structured governance approach that integrates compliance, ethical design, and risk management into the AI lifecycle. Ultimately, responsible AI is not just about meeting regulatory requirements – it’s about building systems people can trust. By taking an informed, proactive approach today, organisations can turn regulation into an opportunity for innovation, resilience, and long-term value.