← All posts

AI Governance Platforms: The Gap Between Tooling and Actual Compliance

AI Governance Platforms: The Gap Between Tooling and Actual Compliance
TL;DR

AI governance platforms like Credo AI market themselves as compliance solutions, but the EU AI Act, ISO 42001, and NIST AI RMF all demand organisational processes and human decision-making that no software platform can automate. A platform organises evidence. It does not perform conformity assessments, conduct management reviews, or certify your AI management system. Understanding this gap is critical for procurement teams evaluating governance tools.

The promise is seductive

Buy our platform. Map your AI systems. Run a risk assessment. Generate an audit trail. Congratulations, you are now EU AI Act compliant and ISO 42001 ready. That is the pitch coming from the AI governance platform market, and it is working. Forrester named Credo AI a Leader with 12 perfect scores in 2025. Gartner published its first Market Guide for AI Governance Platforms. Fast Company put Credo AI at number 6 in Applied AI for 2026, right alongside Google and OpenAI.

So here is the question nobody in the analyst reports is asking: does buying a governance platform actually make you compliant with anything?

I audit AI vendors for a living, and I have spent the last six months mapping platform capabilities against the actual text of the EU AI Act, ISO 42001, and NIST AI RMF 1.0. The gap between what the platforms market and what the regulations demand is wider than most buyers realise.

What Credo AI claims

Credo AI is the category leader, so let me use their public marketing as the reference point. Their website, as of July 2026, makes these specific claims:

  • "Pre-built policy packs for EU AI Act, NIST AI RMF, ISO 42001, and SOC 2 with automated governance workflows and audit-ready evidence"
  • "10x Faster Compliance" for the EU AI Act
  • "Ready-to-deploy policy packs written by the team in the room where AI governance standards are made: ISO, NIST, the EU Parliament, NATO, OECD"
  • "Automated evidence generation and audit trails"
  • "Governance Knowledge Graph" that "connects regulations, risks, controls, and business context"

These are not edge-case claims. They are the headline value proposition. The customer quote displayed prominently reads: "Working with the Credo AI platform accelerated our ability to be compliant with the EU AI Act by at least 10x the speed of trying to do it manually."

Let me be clear: Credo AI has built genuinely useful infrastructure. A central AI registry, risk assessment templates, and evidence generation tools are all real capabilities that address real operational pain points. The problem is not the tool. The problem is the implication that the tool equals compliance.

What the EU AI Act actually requires

The EU AI Act, which entered into force on 1 August 2024 and whose high-risk system obligations began phasing in from August 2026 (Article 113), does not ask you to "map your AI systems into a platform." It asks you to perform a conformity assessment.

For high-risk AI systems under Annex III, Article 43 requires either internal control (for systems following harmonised standards) or a third-party assessment by a notified body. Conformity assessment means demonstrating that your AI system meets the requirements in Articles 8 through 15: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy/robustness.

Here is the critical distinction: a platform can help you organise the evidence for a conformity assessment, but it cannot perform the conformity assessment. A notified body will not accept a Credo AI dashboard as proof of compliance. They will accept technical documentation, test results, and risk assessments that your organisation produced, reviewed, and signed off on.

The platform is a filing cabinet. The conformity assessment is the work product that goes in the filing cabinet. Buying a nicer filing cabinet does not write the documents for you.

Credo AI's Knowledge Graph maps regulations to controls. That is useful navigational infrastructure. But the EU AI Act does not ask "which control maps to which article." It asks "have you demonstrated, with evidence, that your specific system satisfies each requirement?" The gap between mapping and demonstrating is where compliance actually lives.

What ISO 42001 actually requires

ISO 42001 is an AI Management System standard. It follows the Annex SL structure common to all ISO management system standards (ISO 9001, ISO 27001, ISO 14001). This is important because it means the standard is about organisational process, not about software feature checklists.

Clause 5 requires leadership and commitment. Clause 6 requires risk assessment and treatment planning. Clause 7 requires competence and awareness across the organisation. Clause 9 requires internal audit and management review. Clause 10 requires continual improvement.

None of these clauses say "install a governance platform." They say "establish, implement, maintain, and continually improve" a management system. A platform can support documentation, but certification requires an accredited certification body to audit your organisation against every applicable clause. The auditor will interview your leadership team. They will review meeting minutes. They will check whether your risk treatment plan is actually being executed, not just documented.

The "pre-built policy packs" Credo AI advertises give you a template. A template that says "the organisation shall conduct management review at planned intervals" does not make management review happen. That requires leadership attention, scheduled meetings, reviewed minutes, and action items tracked to closure. None of that happens inside a platform unless your organisation drives it.

What NIST AI RMF actually is

NIST AI RMF 1.0 is explicitly not a compliance standard. It is a voluntary framework organised around four functions: Govern, Map, Measure, Manage. It does not have certification. It does not have pass/fail criteria. It is guidance.

Marketing a platform as "NIST AI RMF compliant" is technically meaningless. You can align with the RMF. You can adopt its categories and subcategories. But there is no such thing as NIST AI RMF certification, and no auditor will issue a statement saying a system "passes" NIST AI RMF. The framework is a tool for internal governance, not a regulatory benchmark.

Platforms that bundle NIST AI RMF alongside ISO 42001 and EU AI Act as equivalent "compliance frameworks" are blurring an important line. ISO 42001 leads to certification. The EU AI Act leads to legal obligations and penalties of up to 35 million euros or 7% of global annual turnover (Article 99). NIST AI RMF leads to better internal governance. These are not the same thing, and treating them as interchangeable creates a false sense of security for buyers who think checking a box in a platform satisfies a legal requirement.

What buyers should ask before signing

If you are evaluating an AI governance platform, here are the questions that separate infrastructure from actual compliance:

  1. "Does this platform produce a conformity assessment, or does it help me organise one?" If the answer is the latter, you still need the people, process, and documentation to do the actual assessment.
  2. "Does the ISO 42001 policy pack include a complete management system, or just policy templates?" ISO 42001 requires evidence of operation, not just documented policies. Ask whether the platform captures management review minutes, internal audit findings, corrective actions, and competence records. Most do not.
  3. "What happens when my auditor asks to interview the risk owner?" A platform dashboard is not a person. ISO certification auditors interview people. They check whether your staff understand their responsibilities. No platform can substitute for organisational competence.
  4. "Are your policy packs maintained against regulatory updates, and who signs off on the mapping?" The EU AI Act will evolve. Delegated acts, implementing acts, and guidelines from the AI Office will refine requirements. A policy pack frozen at a point in time becomes stale. Ask about the maintenance model.
  5. "What does the platform not cover?" Every platform has gaps. For the EU AI Act, common gaps include fundamental rights impact assessments (Article 27 for high-risk systems deployed by public bodies), post-market monitoring plans (Article 72), and serious incident reporting procedures (Article 73).

The platform is infrastructure, not a solution

AI governance platforms are genuinely useful infrastructure. If you have dozens or hundreds of AI systems in production, you need a central registry, risk assessment workflows, and evidence management. Spreadsheets do not scale. I have seen organisations that track AI systems in Confluence pages and Jira tickets, and it is a compliance nightmare.

But calling a platform an "EU AI Act compliance solution" is like calling a CRM a "GDPR compliance solution." It helps, but compliance requires your organisation to do the work. The platform is a tool. The methodology, the decisions, the risk acceptance, the management review, the conformity assessment — those are human processes that no software can automate.

The real risk for buyers is not that the platform fails to deliver features. It is that the platform's marketing creates the impression that buying a tool discharges a regulatory obligation. It does not. And when the notified body or certification auditor asks to see the evidence behind the dashboard, the question will not be "which platform did you use." The question will be "show me how your organisation meets each requirement."

If you are building your AI governance capability, start with methodology first. Understand the regulations. Map your obligations. Build your processes. Then and only then select a platform to support the work you are already doing. Buying a platform before you understand your obligations is putting a dashboard on top of confusion.

Need help evaluating whether your AI governance approach holds up to audit scrutiny? Contact us for a methodology assessment. See our sample audit report or review our pricing. For more on this topic, read our guides on AI vendor auditing, ISO 42001 certification, and EU AI Act enforcement deadlines.

Written by David Swan, reviewed and fact-checked against primary regulatory sources. AI-assisted but human-directed.

Frequently asked questions

Does buying an AI governance platform make you EU AI Act compliant?

No. The EU AI Act requires conformity assessments that demonstrate your AI system meets specific requirements for risk management, data governance, transparency, and human oversight. A platform can help organise the evidence, but it cannot perform the conformity assessment. For high-risk systems, a notified body must review your documentation and verify compliance independently of any software platform you use.

Can a governance platform replace ISO 42001 certification?

No. ISO 42001 certification requires an accredited certification body to audit your organisation against all applicable clauses, including leadership commitment, risk treatment, internal audit, management review, and continual improvement. A platform can support documentation, but the auditor will interview your people, review your meeting minutes, and verify that processes are actually being executed, not just documented.

What is the difference between NIST AI RMF and EU AI Act compliance?

NIST AI RMF is a voluntary framework for internal AI governance. It has no certification, no pass/fail criteria, and no legal obligations. The EU AI Act is binding legislation with penalties of up to 35 million euros or 7% of global annual turnover. Treating them as equivalent compliance frameworks creates a false sense of security.

What should I ask AI governance platform vendors before buying?

Ask whether the platform produces a conformity assessment or just helps organise one. Ask whether ISO 42001 policy packs include a complete management system with evidence of operation. Ask what happens when an auditor wants to interview people, not review dashboards. Ask about the policy pack maintenance model as regulations evolve. And ask explicitly what the platform does not cover.

What is the most common compliance gap when using governance platforms?

The most common gap is assuming the platform handles compliance when it only handles documentation. Organisations still need to perform risk assessments, make risk acceptance decisions, conduct management reviews, and demonstrate organisational competence. The platform stores the evidence. Your organisation creates it.