I Built a Free Open-Source EU AI Act / NIST AI RMF / ISO 42001 Crosswalk Tool - Here Is What I Found

Suhana Sayyad, an MSc Cybersecurity student at TUS Athlone, built a free, open-source interactive tool that maps 30 EU AI Act obligations to their equivalents in NIST AI RMF and ISO 42001. The tool provides strength ratings for each mapping—Strong, Partial, Indirect, or No Equivalent—along with gap analysis and source document links to help compliance teams identify which controls are covered and where additional work is needed.

Every week I see the same question in AI governance communities:

"We already have NIST AI RMF implemented. Does that cover our EU AI Act obligations?"

The honest answer is: sometimes yes, sometimes partially, and sometimes not at all.

The problem is that nobody had built a clean, free, interactive tool that showed exactly which controls map to which, how strong those mappings actually are, and where the genuine gaps are.

So I built one.

Live tool:

An open-source tool that maps EU AI Act obligations to their equivalents in NIST AI RMF and ISO 42001, with mapping strength indicators, gap analysis, and source document links. Built for compliance teams, AI governance practitioners, and anyone trying to understand how these three frameworks relate to each other.

Live demo: https://suhanasayyad.github.io/eu-ai-act-crosswalk-tool

Built by: Suhana Sayyad https://www.linkedin.com/in/suhana35 | MSc Cybersecurity, TUS Athlone

Every organisation dealing with the EU AI Act is being asked the same questions:

"We already have NIST AI RMF controls in place. Does that cover our EU AI Act obligations?"

"We're pursuing ISO 42001 certification. Does that satisfy the regulation?"

The honest answer is: sometimes yes, sometimes partially, and sometimes not at all.
The EU AI Act / NIST AI RMF / ISO 42001 Interactive Crosswalk Tool maps 30 EU AI Act obligations to their nearest equivalents in NIST AI RMF and ISO 42001. For each mapping it shows a strength rating - Strong, Partial, Indirect, or No Equivalent - so compliance teams know which mappings they can rely on and which need additional work.

Features:

Deliberately simple. Three files. No backend, no database, no server, no build pipeline.

```
index.html
style.css
script.js
```

All 30 controls live in a JavaScript array. The entire tool runs in the browser. This means it deploys to GitHub Pages for free, loads instantly, and anyone can fork and modify it.

Each control follows this data structure:

```js
{
  topic: "Risk Management System",
  category: {
    euChapter: "high-risk",
    nistFunction: "govern",
    isoClause: "planning"
  },
  euaiact: {
    ref: "Article 9",
    desc: "Providers of high-risk AI systems must establish, implement, document and maintain a risk management system throughout the entire lifecycle.",
    url: "https://artificialintelligenceact.eu/article/9/"
  },
  nist: {
    ref: "GOVERN 1.1",
    desc: "Policies, processes, procedures and practices related to mapping, measuring and managing AI risks are in place.",
    url: "https://airc.nist.gov/airmf-resources/playbook/govern/",
    strength: "strong"
  },
  iso42001: {
    ref: "Clause 6.1",
    desc: "The organisation must determine risks and opportunities that need to be addressed.",
    url: "https://www.iso.org/standard/81230.html",
    strength: "strong"
  }
}
```

The strength field drives the colour coding throughout the interface. Green for Strong, amber for Partial, red for Indirect, purple for No Equivalent.

Mapping 30 controls across three frameworks for six weeks taught me things I did not expect.

Most high-risk AI obligations map reasonably well.
Risk management (Article 9), data governance (Article 10), human oversight (Article 14), cybersecurity (Article 15), post-market monitoring (Article 72), incident reporting (Article 73) - all of these have meaningful equivalents in both NIST AI RMF and ISO 42001. A company that has properly implemented either framework is genuinely partway there.

Transparency obligations are weaker than you think. Article 13 on transparency to deployers and Article 50 on user-facing AI disclosures both map as Partial at best. NIST and ISO address transparency at a high level but neither mandates the specific instructions-for-use requirements or machine-readable content marking that the EU AI Act requires.

GPAI obligations are essentially uncovered. Articles 53 and 55 on general-purpose AI models and systemic risk have no meaningful equivalent in either framework. NIST AI RMF was not designed for foundation model governance at a societal scale. ISO 42001 does not address systemic risk from large language models at all.

Five obligations are genuine gaps - no coverage anywhere. These are the ones that require EU-specific compliance work regardless of what frameworks you have implemented:

If your compliance strategy is "we have NIST AI RMF and ISO 42001 so we are covered" - you are not covered on any of these five.

The three filter controls work together with the search bar. All filters are applied simultaneously on every keystroke or selection change.

```js
function applyFilters() {
  var search = document.getElementById('search-input').value.toLowerCase().trim();
  var chapter = document.getElementById('filter-chapter').value;
  var nistFn = document.getElementById('filter-nist').value;
  var gapOnly = document.getElementById('filter-gaps').checked;

  var filtered = crosswalkData.filter(function (item) {
    // The post elides the search logic; matching on the topic and the three
    // framework refs is an assumption made here so the function runs.
    var haystack = [item.topic, item.euaiact.ref, item.nist.ref, item.iso42001.ref]
      .join(' ').toLowerCase();
    if (search && haystack.indexOf(search) === -1) return false;
    if (chapter && item.category.euChapter !== chapter) return false;
    if (nistFn && item.category.nistFunction !== nistFn) return false;
    // Gap filter: keep only rows where at least one framework is rated
    // 'none' or 'indirect'.
    if (gapOnly &&
        item.nist.strength !== 'none' &&
        item.iso42001.strength !== 'none' &&
        item.nist.strength !== 'indirect' &&
        item.iso42001.strength !== 'indirect') return false;
    return true;
  });

  populateTable(filtered);
}
```

All tools are free, open-source, and deploy on GitHub Pages. No backend, no data collection, no paywalls.

Live: https://suhanasayyad.github.io/eu-ai-act-crosswalk-tool

GitHub:

If you find it useful, a star on GitHub goes a long way. If you find an error in the mappings, open an issue - I want the data to be as accurate as possible.
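
A pre-merge check for the mapping data, as an added example (not code from the project): it validates each entry against the data structure shown earlier and lists the obligations rated `none` in both frameworks. The function names, the lowercase `partial` value, the treatment of `none` mappings as having no ref or url, the https-only rule for source links, and the sample entries are assumptions.

```javascript
// Added example, not the project's code. Ratings follow the page; the
// lowercase spelling 'partial' is an assumption.
const STRENGTHS = ['strong', 'partial', 'indirect', 'none'];

// Returns the problems found in one crosswalk entry (empty list = clean).
function validateEntry(entry, index) {
  const problems = [];
  const where = `entry ${index} (${entry.topic || 'no topic'})`;
  for (const fw of ['euaiact', 'nist', 'iso42001']) {
    const m = entry[fw];
    if (!m) { problems.push(`${where}: missing ${fw}`); continue; }
    const mapped = fw !== 'euaiact';
    if (mapped && !STRENGTHS.includes(m.strength)) {
      problems.push(`${where}: ${fw}.strength "${m.strength}" is not a known rating`);
    }
    // Assumption: a 'none' mapping cites nothing, so ref/desc/url may be absent.
    if (mapped && m.strength === 'none') continue;
    if (!m.ref || !m.desc) problems.push(`${where}: ${fw} needs ref and desc`);
    let scheme = null;
    try { scheme = new URL(m.url).protocol; } catch (e) { /* missing or unparseable */ }
    if (scheme !== 'https:') problems.push(`${where}: ${fw}.url must be an https link`);
  }
  return problems;
}

const validateCrosswalk = (data) => data.flatMap(validateEntry);

// EU AI Act refs rated 'none' in both frameworks.
const genuineGaps = (data) => data
  .filter((e) => e.nist && e.iso42001 &&
    e.nist.strength === 'none' && e.iso42001.strength === 'none')
  .map((e) => e.euaiact.ref);

// Constructed sample: entry 0 is abridged from the page, entries 1 and 2 are made up.
const sample = [
  { topic: 'Risk Management System',
    euaiact: { ref: 'Article 9', desc: 'Risk management system.', url: 'https://artificialintelligenceact.eu/article/9/' },
    nist: { ref: 'GOVERN 1.1', desc: 'AI risk policies.', url: 'https://airc.nist.gov/airmf-resources/playbook/govern/', strength: 'strong' },
    iso42001: { ref: 'Clause 6.1', desc: 'Determine risks.', url: 'https://www.iso.org/standard/81230.html', strength: 'strong' } },
  { topic: 'Constructed gap entry',
    euaiact: { ref: 'Article 53', desc: 'Placeholder text.', url: 'https://example.com/eu/53' },
    nist: { strength: 'none' }, iso42001: { strength: 'none' } },
  { topic: 'Constructed broken entry',
    euaiact: { ref: 'Article 13', desc: 'Placeholder text.', url: 'http://example.com/eu/13' },
    nist: { ref: 'PLACEHOLDER-REF', desc: 'Placeholder text.', url: 'https://example.com/nist', strength: 'Partial' },
    iso42001: { ref: 'PLACEHOLDER-REF', desc: 'Placeholder text.', strength: 'partial' } },
];

console.log(validateCrosswalk(sample).join('\n'), '\nGenuine gaps:', genuineGaps(sample));
```

Because the data is a plain array in `script.js`, the same functions can run in the browser console or in Node against a fork before a mapping change is merged.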
I am Suhana Sayyad, an MSc Cybersecurity student at TUS Athlone, Ireland, building open-source AI governance tooling and looking for roles in AI governance and data protection from September 2026.

LinkedIn: https://www.linkedin.com/in/suhana35