Skip to main content
COMPEL Body of Knowledge
Get Certified Platform
AITP M2.6-Art13 v1.0 Reviewed 2026-04-06 Open Access
M2.6 Industry Applications and Case Study Analysis
AITP · Practitioner

Implement Once, Comply with Many: The COMPEL Harmonization Approach

Implement Once, Comply with Many: The COMPEL Harmonization Approach — Industry Applications & Case Studies — Applied depth — COMPEL Body of Knowledge.

12 min read Article 13 of 20

COMPEL Certification Body of Knowledge — Module 2.6: Industry-Specific Applications Article 13 of 15

The previous articles in this module demonstrated how the COMPEL framework adapts to different industry contexts. This article addresses a challenge that spans all industries: how to comply with multiple AI governance frameworks without multiplying effort. The answer lies in harmonization — using COMPEL as a single operational layer that generates evidence satisfying requirements across the EU AI Act, NIST AI RMF, ISO/IEC 42001, OECD AI Principles, Singapore Model AI Governance Framework, and UNESCO Recommendation on AI Ethics simultaneously.

The Multi-Framework Challenge

A multinational financial services firm operating in Europe, the United States, and Singapore faces a representative scenario. Its European operations must comply with the EU AI Act (mandatory, with enforcement beginning August 2, 2026). Its US operations follow the NIST AI Risk Management Framework (voluntary but increasingly expected by regulators and customers). It seeks ISO/IEC 42001 certification for its global AI management system. Its Singapore subsidiary operates under the Model AI Governance Framework. And as a signatory to responsible AI commitments, it aligns with the OECD AI Principles.

Without a harmonization approach, this firm would need to:

  • Analyze 282 total requirements across five frameworks
  • Maintain five separate compliance tracking systems
  • Generate framework-specific evidence for each requirement
  • Train governance teams on five different terminologies
  • Report compliance status using five different structures

The result is what practitioners call “compliance sprawl” — duplicated effort, inconsistent implementation, team confusion, and governance fatigue. Compliance sprawl does not just waste resources; it actively undermines governance quality. When teams are overwhelmed by overlapping requirements, they default to superficial compliance — checking boxes rather than building genuine capability.

COMPEL as a Harmonization Layer

The COMPEL framework solves this problem by operating as a harmonization layer — a single governance methodology that maps to requirements across all applicable frameworks. Instead of implementing each framework separately, the organization implements COMPEL once and then maps its COMPEL-based governance outputs to the specific requirements of each applicable framework.

This works because of the regulatory convergence documented in Article 18 of the Foundations level. The ten universal requirements — risk management, human oversight, transparency, documentation, testing and validation, monitoring, accountability, incident reporting, data governance, and audit and review — appear in every framework. When your COMPEL implementation addresses these convergence areas thoroughly, you have addressed the majority of requirements across all frameworks.

The harmonization approach has three components: the compliance harmonization matrix, the effort reduction methodology, and the evidence sharing model.

The Compliance Harmonization Matrix

The compliance harmonization matrix is an N-by-M mapping that links every COMPEL element (stage or domain) to specific requirements in each applicable framework. Each cell in the matrix identifies:

  • The COMPEL element (e.g., “Calibrate” stage or “Risk Management” domain)
  • The framework requirement (e.g., EU AI Act Article 9(1), NIST MAP 1.1, ISO 42001 Clause 4.1)
  • The requirement description
  • The evidence types that satisfy the requirement
  • The compliance level (mandatory, recommended, or voluntary)

The matrix serves as the master reference for multi-framework compliance. When a governance team executes a COMPEL activity — say, conducting a risk assessment during the Calibrate stage — they can immediately identify which framework requirements that activity satisfies and what evidence they need to capture.

For example, a risk assessment conducted during the Calibrate stage simultaneously satisfies:

  • EU AI Act Article 9(1): “Establish, implement, document and maintain a risk management system”
  • NIST MAP 1.1: Understanding “intended purposes, potentially beneficial uses, context of use, and requirements”
  • ISO 42001 Clause 4.1: “Determine external and internal issues relevant to the AI management system”
  • OECD Principle 1.2: Engaging “in responsible stewardship of trustworthy AI”
  • Singapore Section 2.1: Having “clear internal governance structures” with “defined roles and responsibilities”
  • UNESCO Area 4.1: Assessing “impacts at the outset to ensure proportionality”

One activity. Six framework requirements addressed. One set of evidence generated.

The Effort Reduction Methodology

The effort reduction from harmonized implementation is quantifiable. When an organization selects the frameworks it must comply with, the methodology calculates three numbers:

  1. Naive total: The sum of all requirements across all selected frameworks (if each were implemented independently).
  2. Shared requirements: Requirements that overlap between frameworks and can be satisfied by a single COMPEL implementation activity.
  3. Framework-specific requirements: Requirements unique to a single framework that require dedicated attention.

For a typical organization implementing all six frameworks:

  • Naive total: approximately 282 requirements
  • Shared requirements: approximately 140 (satisfied through convergence)
  • Effective unique requirements: approximately 142

The effort reduction — the percentage of total naive effort saved through harmonization — typically ranges from 40% to 55% depending on the specific framework combination. For the most common combination (EU AI Act + NIST AI RMF + ISO 42001), the effort reduction exceeds 45%.

This is not a theoretical calculation. It reflects the practical reality that when you build a risk management system that satisfies EU AI Act Article 9, you have also built most of what you need for NIST GOVERN 1.4 and ISO 42001 Clause 6.1.2. The incremental effort to adapt your existing risk management system to explicitly address the language of each additional framework is far smaller than building separate systems from scratch.

The Evidence Sharing Model

The evidence sharing model is the operational mechanism that makes harmonization work in practice. It defines how governance activities generate evidence that serves multiple frameworks simultaneously.

Evidence sharing works at three levels:

Level 1: Universal Evidence — Documents and records that directly satisfy requirements in all applicable frameworks. Examples include the risk management policy, the accountability RACI matrix, the AI system technical documentation package, and the monitoring dashboard configuration. These are produced once, maintained centrally, and referenced in compliance reporting for every framework.

Level 2: Adaptable Evidence — Documents that satisfy multiple frameworks with minor adaptations in framing or terminology. A risk assessment report, for example, may need to reference “high-risk AI system” when cited for EU AI Act compliance, “AI system categorization” for NIST compliance, and “AI risk assessment” for ISO 42001 compliance. The underlying assessment is the same; only the compliance mapping annotation changes.

Level 3: Framework-Specific Evidence — Documents or records required by only one framework. The EU AI Act’s conformity assessment declaration, for example, has no direct equivalent in other frameworks. The NIST AI RMF’s specific subcategory self-assessments use a format unique to that framework. These items represent the true incremental effort of multi-framework compliance.

The practical impact is significant. In a typical harmonized implementation, approximately 60% of evidence falls into Level 1 (universal), 25% into Level 2 (adaptable), and only 15% into Level 3 (framework-specific). This means that 85% of your compliance evidence is generated through your core COMPEL governance activities, with only 15% requiring framework-specific effort.

Practical Implementation of Harmonized Compliance

Step 1: Framework Selection and Scoping

Begin by determining which frameworks apply to your organization. This is driven by:

  • Jurisdiction: Where do you develop, deploy, and operate AI systems?
  • Sector: Do sector-specific AI requirements apply (e.g., financial services, healthcare)?
  • Certification goals: Are you pursuing ISO/IEC 42001 certification?
  • Customer requirements: Do customers or partners require specific framework alignment?
  • Strategic positioning: Do you want to demonstrate alignment with voluntary frameworks for competitive advantage?

Document the selected frameworks, the rationale for each, and the organizational scope (which AI systems, which business units, which geographies).

Step 2: Harmonization Matrix Configuration

Configure the compliance harmonization matrix for your selected frameworks. This involves:

  • Loading the full requirement set for each selected framework
  • Mapping requirements to COMPEL stages and domains
  • Identifying convergence points where a single COMPEL activity satisfies multiple requirements
  • Flagging framework-specific requirements that need dedicated attention
  • Assigning evidence types to each requirement

The COMPEL platform provides a pre-configured matrix covering the six major frameworks. Organizations typically customize this by adding sector-specific requirements and adjusting compliance levels based on their risk appetite.

Step 3: Governance Implementation through COMPEL

Execute the COMPEL lifecycle with harmonized compliance as an explicit objective:

Calibrate: Conduct the initial assessment with all applicable framework requirements in view. Your risk classification should satisfy the most stringent framework (typically the EU AI Act’s risk-based classification). Your stakeholder analysis should cover the interested parties defined by all frameworks. Your context analysis should address the organizational and environmental factors specified by ISO 42001 Clause 4.1.

Organize: Build governance structures that satisfy accountability requirements across all frameworks. Your RACI matrix should map roles to requirements from each framework. Your policies should reference all applicable frameworks. Your training program should cover the terminology and expectations of each framework.

Model: Design AI systems with multi-framework compliance built in. Documentation should follow the EU AI Act Annex IV structure (the most comprehensive). Transparency mechanisms should satisfy the disclosure requirements of all applicable frameworks. Data governance practices should meet the most stringent data quality requirements.

Produce: Implement controls that satisfy operational requirements across frameworks. Human oversight mechanisms should meet EU AI Act Article 14 specifications (the most detailed). Incident response procedures should satisfy the EU AI Act’s mandatory reporting timeline while also meeting ISO 42001 and NIST corrective action requirements.

Evaluate: Validate against all applicable frameworks simultaneously. Testing should cover the performance, fairness, robustness, and security dimensions required across frameworks. Audit activities should satisfy ISO 42001 Clause 9.2 (the most structured audit requirement).

Learn: Feed continuous improvement activities into all framework compliance tracking. Monitoring outputs should be mapped to the monitoring requirements of each framework. Improvement actions should be documented in a way that satisfies ISO 42001 Clause 10.1 and NIST MANAGE 4.2.

Step 4: Evidence Generation and Mapping

As governance activities produce evidence, map each evidence item to the framework requirements it satisfies. Maintain a central evidence repository with framework-requirement tagging. This enables:

  • Auditors to quickly locate evidence for their specific framework
  • Governance teams to identify evidence gaps for any framework
  • Management to track compliance status across all frameworks from a single dashboard
  • Regulatory authorities to receive framework-specific reports drawn from the same evidence base

Step 5: Multi-Framework Reporting

Generate compliance reports for each applicable framework from the harmonized evidence base. Each report is structured according to the framework’s own organization:

  • EU AI Act: Structured by Title III Chapter 2 requirements (Articles 8-15)
  • NIST AI RMF: Structured by functions (GOVERN, MAP, MEASURE, MANAGE) and subcategories
  • ISO 42001: Structured by clauses (4-10) and Annex A controls
  • OECD: Structured by principles (1.1-1.5) and policy recommendations (2.1-2.5)
  • Singapore: Structured by sections (1-4) and subsections
  • UNESCO: Structured by policy areas (1-11)

The content of each report draws from the same evidence base. The structure and framing adapt to each framework’s expectations. This is the practical realization of “implement once, comply with many.”

Common Pitfalls in Harmonized Compliance

Pitfall 1: Lowest Common Denominator Implementation

Harmonization does not mean implementing only the requirements that all frameworks share. Framework-specific requirements exist because they address real governance needs unique to a particular context. The EU AI Act’s conformity assessment requirement, for example, reflects the EU’s product safety regulatory tradition. Ignoring it because other frameworks do not require it defeats the purpose of compliance.

Harmonization means implementing the shared foundation efficiently and then adding framework-specific requirements on top. The efficiency gain comes from the shared foundation — not from ignoring the specifics.

Pitfall 2: Terminology Confusion

Each framework uses different terms for similar concepts. The EU AI Act says “provider” and “deployer.” NIST says “AI actors.” ISO 42001 says “organization.” Singapore says “organizations using AI.” Using these terms interchangeably creates confusion. Establish an internal terminology mapping that translates between frameworks and use a consistent internal vocabulary in governance activities.

Pitfall 3: Compliance Drift

Harmonized compliance requires maintenance. Frameworks evolve — new guidance is issued, implementing regulations are published, interpretive guidance changes enforcement expectations. Without active monitoring, the harmonization matrix drifts out of alignment with current requirements. Assign explicit ownership for monitoring framework updates and schedule quarterly harmonization reviews.

Pitfall 4: Over-Reliance on the Matrix

The harmonization matrix is a mapping tool, not a governance program. Organizations that focus on filling in matrix cells without building genuine governance capabilities produce comprehensive-looking compliance documentation backed by thin implementation. The matrix tells you what to implement; the COMPEL lifecycle tells you how to implement it with genuine organizational capability.

Measuring Harmonization Effectiveness

Track three metrics to assess whether your harmonization approach is delivering value:

  1. Effort reduction ratio: Compare actual governance effort to the estimated effort of implementing each framework independently. This should show 40-55% reduction for organizations implementing three or more frameworks.

  2. Evidence reuse rate: Track the percentage of evidence items that serve multiple frameworks. Target 75% or higher reuse rate for organizations implementing three or more frameworks.

  3. Compliance gap velocity: Measure how quickly framework-specific gaps are identified and closed. Harmonized organizations should close gaps faster because the convergence foundation is already in place.

Key Takeaways

Multi-framework AI governance compliance is not just achievable — it is more efficient than single-framework compliance done separately. The COMPEL harmonization approach transforms a seemingly overwhelming compliance landscape into a manageable, systematic program. By implementing governance through the COMPEL lifecycle, mapping outputs to all applicable frameworks through the harmonization matrix, and generating shared evidence, organizations can achieve comprehensive multi-framework compliance with dramatically less effort than the framework-by-framework alternative.

The articles that follow apply this harmonization approach to two specific frameworks in detail: ISO/IEC 42001 implementation using COMPEL methodology and NIST AI RMF alignment with COMPEL stages.