International AI governance beyond the EU: treaty, principles and standards
The AI Act is not the only framework that matters. The Council of Europe Convention, the OECD Principles, the NIST AI RMF and ISO/IEC 42001 form the international layer of AI governance. This analysis sorts out what legally binds, what sets norms, and what can be certified.
Anyone who equates AI governance with the AI Act is missing half the playing field. Beyond the EU regulation sits an international layer of instruments, each with a different legal status (binding treaty, political principles, voluntary framework, certifiable standard), that interlock in practice. For organisations operating outside the EU or supplying non-EU counterparties, this layer is at least as decisive.
The Council of Europe Framework Convention: the only binding instrument
The Council of Europe Framework Convention on Artificial Intelligence and Human Rights, Democracy and the Rule of Law is the first legally binding international AI instrument. It was adopted on 17 May 2024 and opened for signature in Vilnius on 5 September 2024, including for non-European states such as the United States, the United Kingdom and Japan.
The European Union ratified the Convention on 15 May 2026, after the European Parliament consented to its conclusion on 11 March 2026. The treaty enters into force on the first day of the month following a period of three months after five signatories, including at least three Council of Europe member states, have ratified it. Unlike the AI Act it has no direct effect: parties must transpose its obligations (risk assessment, transparency, oversight, remedies) into their own legislation. For the EU, the AI Act largely serves as that transposition. For the mandatory risk and impact assessment the Council of Europe has, since 2026, supplied its own method: HUDERIA and the COBRA model.
The OECD AI Principles: the common language
The OECD AI Principles for trustworthy AI (2019, revised in 2024) are not legally binding, but they form the de facto reference language of nearly every other framework: the AI Act borrows its very definition of an AI system from them. The 2024 revision incorporated generative AI. Around the Principles the OECD builds working instruments that shape practice, such as the OECD.AI policy observatory and recent due diligence guidance for AI in corporate value chains.
NIST AI RMF: the American reference framework
The AI Risk Management Framework of the US NIST (version 1.0, January 2023) is voluntary, but in the United States, which lacks a federal AI statute, it functions as the de facto standard for AI risk management, including in procurement requirements. The framework organises risk management into four functions (govern, map, measure, manage) and is tailored to generative systems through the Generative AI Profile (NIST AI 600-1). For European organisations it matters chiefly in transatlantic supply chains: American customers ask for NIST conformity the way European customers ask for AI Act conformity. In 2026 NIST is turning the framework into concrete security controls; see our dedicated analysis of the NIST AI Risk Management Framework and its 2026 operationalisation.
ISO/IEC 42001: the certifiable route
ISO/IEC 42001:2023 is the first management system standard for AI (AIMS), modelled on ISO 27001 for information security: certifiable, with a mandatory cycle of risk assessment, controls and improvement. The family is growing: ISO/IEC 42005:2025 standardises AI system impact assessment and ISO/IEC 42006:2025 sets requirements for certification bodies. A 42001 certificate does not prove AI Act conformity (that is what the harmonised European standards of CEN-CENELEC JTC 21 are for), but the frameworks overlap substantially, and an organisation that builds an AIMS lays the foundation both supervisory regimes rest on.
How the layers relate
The practical hierarchy for an organisation: the treaty binds states, not companies, and works through national legislation; the OECD Principles supply the vocabulary; NIST and ISO supply the operational method; the AI Act supplies the enforceable product rules within the EU. Build your governance on one layer while ignoring the others, and the gap shows the moment the first cross-border customer or supervisor starts asking questions.
Sources
- https://www.coe.int/en/web/artificial-intelligence/the-framework-convention-on-artificial-intelligence
  Official Council of Europe treaty page; adopted 17 May 2024, opened for signature 5 September 2024.
- https://www.coe.int/en/web/artificial-intelligence/-/european-union-ratifies-the-council-of-europe-framework-convention-on-artificial-intelligence
  Council of Europe announcement of the EU's ratification of the Framework Convention on 15 May 2026.
- https://www.europarl.europa.eu/doceo/document/A-10-2026-0007_EN.html
  European Parliament recommendation on conclusion of the Convention by the EU (approved 11 March 2026).
- https://oecd.ai/en/ai-principles
  OECD AI Principles for trustworthy AI, revised in 2024; basis of the OECD.AI policy observatory.
- https://www.nist.gov/itl/ai-risk-management-framework
  NIST AI Risk Management Framework (1.0, January 2023) with the Generative AI Profile (NIST AI 600-1).
- https://www.iso.org/standard/42001
  ISO/IEC 42001:2023, the first certifiable management system standard for AI (AIMS).
