NIST AI RMF and ISO 42001 vs the OWASP LLM Top 10
Independent SEO consultant & AI practitioner who builds and tests these tools.
The NIST AI Risk Management Framework and ISO/IEC 42001 are governance frameworks: they define how an organisation manages AI risk through repeatable, auditable process. The OWASP LLM Top 10 is a concrete list of ten technical threats to applications built on large language models. Frameworks govern process; OWASP names specific threats, so they complement rather than compete with each other. This article explains each, sets out how their scope differs, and maps the OWASP risks to the NIST functions and ISO 42001 controls.
TL;DR:
- Per NIST, the NIST AI RMF (AI 100-1) is voluntary US guidance built around four functions: Govern, Map, Measure, and Manage.
- Per ISO, ISO/IEC 42001 is the certifiable international standard for an AI management system (AIMS).
- Per the OWASP GenAI Security Project, the OWASP LLM Top 10 is a list of ten named LLM application risks; it is not a governance framework.
- Use the frameworks to run the programme, then prove your controls cover each OWASP risk. See the OWASP LLM Top 10 hub.
What is the NIST AI Risk Management Framework?
The NIST AI Risk Management Framework, formally AI 100-1, is voluntary guidance published by the US National Institute of Standards and Technology. Per NIST, it is “intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.”
It is organised around four core functions:
- Govern is the cross-cutting function. It establishes the culture, policies, accountability, and oversight that the other three functions operate within.
- Map establishes context and identifies the risks associated with an AI system and its intended use.
- Measure assesses, analyses, and tracks those risks using quantitative and qualitative methods.
- Manage prioritises and acts on risks, allocating resources to treat, monitor, and respond to them.
Crucially, NIST AI RMF tells you how to run a risk process. It does not enumerate the specific technical attacks an LLM faces.
What is ISO/IEC 42001?
Per ISO, ISO/IEC 42001 is the international standard that specifies requirements for an artificial intelligence management system (AIMS). It follows the familiar management-system pattern used by ISO/IEC 27001 for information security: leadership commitment, a defined scope, risk and impact assessment, documented controls, internal audit, and continual improvement.
The defining trait is that ISO/IEC 42001 is certifiable. ISO 42001 certification is issued by an accredited certification body that audits an organisation’s AI management system against the standard’s requirements, which makes it attractive for procurement and assurance. Like NIST AI RMF, it governs process and accountability rather than naming individual exploits. To avoid overstating specifics, treat ISO 42001 here at the level of its management-system structure and Annex controls; for exact clause and control identifiers, consult the published standard directly at iso.org.
What is the OWASP LLM Top 10?
The OWASP LLM Top 10 is a prioritised list of the ten most critical security risks in applications that use large language models, maintained by the OWASP GenAI Security Project. Each entry carries an identifier from LLM01 to LLM10, a definition, example attacks, and recommended mitigations. It is a threat catalogue and an awareness resource, not a certification. Our OWASP LLM Top 10 hub maps each risk to concrete defensive tooling.
How do these differ in scope?
The split is simple but important. NIST AI RMF and ISO/IEC 42001 are governance frameworks: broad, process-led, and applicable to any AI system, from a fraud model to an LLM agent. They answer “how does this organisation identify, measure, and manage AI risk, and who is accountable?” The OWASP LLM Top 10 is a concrete threat list: narrow, technical, and specific to LLM applications. It answers “what can actually go wrong in this LLM app?”
You do not pick one. A mature programme uses a framework to set policy and assurance, then uses OWASP as the concrete checklist that the framework’s Measure and Manage activities must demonstrably cover. Naming a control is not the same as proving it works, a point reinforced in our AI agent hardening checklist.
How do OWASP LLM risks map to NIST functions and ISO 42001?
The table below links each OWASP LLM risk to the NIST AI RMF function that primarily owns it and to the broad ISO/IEC 42001 management area that governs it. The NIST function shown is the leading one; in practice Govern oversees all rows. The ISO 42001 column is described in general management-system terms, not specific clause numbers.
| OWASP LLM risk | NIST AI RMF function (lead) | ISO/IEC 42001 relevance (general) |
|---|---|---|
| LLM01 Prompt Injection | Measure and Manage | Operational controls and AI system risk treatment |
| LLM02 Sensitive Information Disclosure | Manage | Data governance and information protection controls |
| LLM03 Supply Chain | Map | Third-party, supplier, and resource controls |
| LLM04 Data and Model Poisoning | Map and Measure | Data quality, provenance, and lifecycle controls |
| LLM05 Improper Output Handling | Manage | Operational integration and system-level controls |
| LLM06 Excessive Agency | Govern and Manage | Roles, responsibilities, and authority over AI behaviour |
| LLM07 System Prompt Leakage | Manage | Configuration and secrets-handling controls |
| LLM08 Vector and Embedding Weaknesses | Map and Measure | Data and component integrity controls |
| LLM09 Misinformation | Measure | Performance, impact assessment, and human oversight |
| LLM10 Unbounded Consumption | Manage | Operational monitoring and resource controls |
For the authoritative wording of each OWASP item, check the OWASP GenAI Security Project directly, because ordering and definitions are revised periodically.
Why is Govern the constant?
In NIST AI RMF, Govern is cross-cutting: it sets the policies, accountability, and oversight that make Map, Measure, and Manage meaningful. The same logic holds in ISO/IEC 42001, where leadership and the management system frame every control. So while the table assigns each OWASP risk a leading operational function, governance sits above all of them. This is why a risk like LLM06 Excessive Agency maps so strongly to Govern: deciding how much autonomy an agent may have is a policy and accountability question before it is a technical one. See excessive agency explained for the agent-level detail.
How do agent and MCP risks fit?
For autonomous agents, the highest-priority OWASP risks are LLM01, LLM05, and LLM06, since agents act on model output and call tools. The governance frameworks place these under Manage and Govern, but the actual hardening happens at the tool layer. Scoping every tool to least privilege, as covered in MCP security best practices, is how an organisation turns a framework requirement into a verified control.
How should you use all three together?
Treat the relationship as layers, not alternatives:
- Set the programme with NIST AI RMF or ISO/IEC 42001 (or both) to define accountability, scope, and process.
- Inventory every LLM, agent, and MCP server in scope.
- Map each component to the relevant OWASP LLM01 to LLM10 risks.
- Assign a named, testable control to each risk, satisfying the framework’s Measure and Manage activities.
- Audit and improve continuously, the loop that both NIST and ISO 42001 require.
The frameworks give you the discipline and the audit trail; OWASP gives you the concrete threats those audits must cover.
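The inventory, mapping, and control-assignment steps above can be checked mechanically. The sketch below is an added example, not part of the original article: the component names, control names, and the `tested` flag are constructed for illustration, and the lead-function mapping is copied from the table earlier in this article.

```python
# Lead NIST AI RMF function(s) per OWASP risk, copied from the article's table.
LEAD_FUNCTION = {
    "LLM01": "Measure and Manage", "LLM02": "Manage", "LLM03": "Map",
    "LLM04": "Map and Measure", "LLM05": "Manage", "LLM06": "Govern and Manage",
    "LLM07": "Manage", "LLM08": "Map and Measure", "LLM09": "Measure",
    "LLM10": "Manage",
}

# Constructed inventory: component -> OWASP risks judged applicable to it.
INVENTORY = {
    "support-chatbot": ["LLM01", "LLM02", "LLM07"],
    "ticket-agent": ["LLM01", "LLM05", "LLM06"],
    "docs-mcp-server": ["LLM03", "LLM06"],
}

# Constructed control register: (component, risk) -> assigned controls.
# "tested" records whether evidence exists that the control actually works.
CONTROLS = {
    ("support-chatbot", "LLM01"): [{"name": "input-guardrail", "tested": True}],
    ("support-chatbot", "LLM02"): [{"name": "pii-output-filter", "tested": False}],
    ("ticket-agent", "LLM05"): [{"name": "output-schema-validation", "tested": True}],
    ("ticket-agent", "LLM06"): [{"name": "tool-allowlist", "tested": True}],
    ("docs-mcp-server", "LLM06"): [],
}

def coverage_gaps(inventory, controls):
    """Return (component, risk, lead_function, reason) for every uncovered pair."""
    gaps = []
    for component, risks in sorted(inventory.items()):
        for risk in risks:
            if risk not in LEAD_FUNCTION:
                raise ValueError(f"unknown OWASP id {risk!r} on {component}")
            assigned = controls.get((component, risk), [])
            if not assigned:
                reason = "no control assigned"
            elif not any(c["tested"] for c in assigned):
                reason = "control named but untested"
            else:
                continue  # at least one tested control covers this risk
            gaps.append((component, risk, LEAD_FUNCTION[risk], reason))
    return gaps

if __name__ == "__main__":
    for component, risk, function, reason in coverage_gaps(INVENTORY, CONTROLS):
        print(f"{component:16} {risk}  lead: {function:18} {reason}")
```

Each reported gap names the lead NIST function from the table, which indicates where in the programme the missing or unproven control should be picked up.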
Where to go next
Start with the OWASP LLM Top 10 hub to see each risk mapped to defensive tooling, then operationalise with the AI agent hardening checklist and MCP security best practices. For a deeper look at the single risk most tied to governance decisions, read excessive agency explained. More write-ups live in the guides library.
This article is maintained against primary sources: the NIST AI Risk Management Framework, ISO/IEC 42001 at iso.org, and the OWASP LLM Top 10.
Frequently asked questions
Is the OWASP LLM Top 10 the same as NIST AI RMF or ISO 42001?
No. The OWASP LLM Top 10 is a list of ten specific technical risks for LLM applications. NIST AI RMF and ISO/IEC 42001 are governance frameworks that define the process for managing AI risk overall. One names threats, the others structure the programme that handles them.
What are the four functions of the NIST AI RMF?
Per NIST, the AI Risk Management Framework, also called AI 100-1, is organised around four core functions: Govern, Map, Measure, and Manage. Govern is cross-cutting, while Map, Measure, and Manage form the operational cycle of identifying, assessing, and treating AI risk.
What is ISO/IEC 42001?
Per ISO, ISO/IEC 42001 is the international standard specifying requirements for an artificial intelligence management system, or AIMS. It gives organisations a certifiable, auditable structure for governing AI responsibly, following the same management-system pattern as ISO 27001 for information security.
Can I be certified against the OWASP LLM Top 10?
No. The OWASP LLM Top 10 is a prioritisation and awareness resource, not a certification scheme. You can be certified against ISO/IEC 42001 because it is a formal management-system standard. NIST AI RMF is voluntary guidance and is not certifiable either.
Do these frameworks replace each other?
No, they layer. Use ISO 42001 or NIST AI RMF to run the governance programme, then use the OWASP LLM Top 10 as the concrete threat checklist your controls must demonstrably cover for any LLM or agent in scope.