We value your privacy

We use cookies to enhance your browsing experience, serve personalised ads or content, and analyse our traffic. By clicking "Accept All", you consent to our use of cookies.

Powered by
    RegulationAI & Technology

    15 AI Frameworks That Shape Your Strategy

    Dr. Oliver Gausmann · March 25, 2026 · 11 min read

    AI frameworks for mid-market companies, Rubik's cube reading Figure it out representing strategic clarity

    Key Takeaways

    • Only 6% of companies generate measurable EBIT from AI; three free benchmarks show where you stand
    • EU AI Act and ISO 42001 are the two frameworks that must be in place by August 2026
    • Germany's BMWK offers free AI trainers, and KfW funds AI projects up to €25 million

    43% of German mid-market companies have no AI strategy [1]Salesforce / DMB, KI-Index Mittelstand 2026 (526 Unternehmen). That's from the 2026 Mittelstand AI Index, a survey of 526 firms. At the same time, 36% already use AI [2]Bitkom Research, Künstliche Intelligenz 2025 (604 Unternehmen). The AI frameworks that mid-market leaders need answer four questions: Where do we stand? What must we do? Which technology fits? And who can help us?

    Four decisions, 15 frameworks. Sorted by urgency, not by alphabet.

    Where do we actually stand?

    A CTO of a plastics manufacturer, 220 employees, wanted to present an AI roadmap to his CEO. The problem: he had no starting point. "I know what we're technically capable of. I don't know how we compare."

    The answer sits in three free benchmarks.

    The Bitkom AI Study 2025 is the most comprehensive dataset for the German market. 604 companies with 20+ employees, representatively surveyed [2]Bitkom Research, Künstliche Intelligenz 2025 (604 Unternehmen). Key numbers: 36% use AI (2024: 20%), 47% are planning or discussing adoption, 81% see AI as the most important future technology. But 53% cite legal uncertainty as the biggest barrier, and 43% offer no AI training. Free at bitkom-research.de.

    The Gartner AI Maturity Model goes deeper. Five levels, seven dimensions. Among 432 organizations surveyed in six countries [3]Gartner, AI Maturity Survey 2025 (432 Befragte), most sit at Level 1 (Awareness) or Level 2 (Active). Only 6% reach "Transformational." High-maturity organizations keep AI projects operational for 3+ years at a rate of 45%, versus 20% for low-maturity firms [3]Gartner, AI Maturity Survey 2025 (432 Befragte). Full access requires a Gartner subscription; core findings are public.

    McKinsey's State of AI 2025 adds global context [4]McKinsey / QuantumBlack, The State of AI 2025 (1.993 Befragte). 1,993 respondents across 105 countries. 88% use AI. Only 6% qualify as "AI High Performers" generating 5%+ EBIT from AI. What separates them: workflow redesign (3.6x more frequent), CEO-driven AI ownership, and 20%+ of digital budget allocated to AI [4]McKinsey / QuantumBlack, The State of AI 2025 (1.993 Befragte). Critical figure: 51% of all firms report AI-related incidents. Free at mckinsey.com.

    The CTO condensed the three studies into one slide: "We're Level 2 of 5 on Gartner. We're in the 43% without a strategy per Salesforce. And we invest 2% of IT budget in AI while top performers invest 20%." The CEO approved the roadmap.

    Frameworks: Benchmarking

    Bitkom AI Study (free, DE-specific) · Gartner AI Maturity Model (5 levels, subscription) · McKinsey State of AI (free, global)

    , what's optional?

    A quality management director at a medical device supplier, 180 employees, had a direct question: "My CEO asks what we must have done by August 2026. Not what we should. What we must."

    The EU AI Act risk classification system is the only legally binding framework on this list. Four tiers: prohibited, high-risk, limited risk, minimal risk [5]EU AI Act, Verordnung (EU) 2024/1689. For her medical device company, the answer was uncomfortable: AI in medical devices nearly always qualifies as high-risk. The deadline for high-risk systems in regulated products extends to August 2027 through the Digital Omnibus Package [5]EU AI Act, Verordnung (EU) 2024/1689. Fines for prohibited practices: up to €35 million or 7% of global turnover.

    ISO/IEC 42001 answers "How do we prove we're doing it right?" The first certifiable AI Management System standard, published December 2023 [6]ISO/IEC 42001:2023, KPMG Zertifizierung Dezember 2025. KPMG International achieved certification in December 2025 as the first Big Four entity [6]ISO/IEC 42001:2023, KPMG Zertifizierung Dezember 2025. TÜV SÜD, BSI, and SGS offer certification in Germany. Cost: standard ~€400, certification audit €10,000-50,000 depending on company size (estimate).

    The NIST AI Risk Management Framework provides a free governance scaffold with four functions: Govern, Map, Measure, Manage [7]NIST AI Risk Management Framework 1.0. All documents and playbooks are free at nist.gov.

    Gartner AI TRiSM unifies governance, runtime inspection, and data security [9]Gartner, AI TRiSM / Hype Cycle 2025. Gartner's finding that 80% of unauthorized AI transactions stem from internal policy violations, not external attacks, is worth repeating to every board [9]Gartner, AI TRiSM / Hype Cycle 2025.

    The OECD AI Principles form the normative foundation beneath the EU AI Act. Five principles, adopted 2019, updated May 2024 [10]OECD AI Principles (2019, aktualisiert Mai 2024). The AI system definition in the OECD principles is identical to the one in the EU AI Act. Free at oecd.ai.

    The QM director established her sequence: EU AI Act classification first (mandatory), ISO 42001 as the proof mechanism, NIST as the free governance scaffold for internal implementation.

    Framework Status Cost Priority
    EU AI Act Risk Tiers Legally binding Compliance effort varies Mandatory
    ISO/IEC 42001 Voluntary, becoming standard ~€400 + audit €10-50K Mandatory (de facto)
    NIST AI RMF Voluntary Free Best practice
    Gartner AI TRiSM Voluntary Gartner subscription Best practice
    OECD AI Principles Voluntary, AI Act basis Free Best practice

    Frameworks: Governance & Compliance

    EU AI Act Risk Tiers (mandatory) · ISO 42001 (proof) · NIST AI RMF (free) · Gartner AI TRiSM · OECD AI Principles

    Which technology do we need?

    An IT director at a logistics company, 340 employees, had a specific problem. Three AI vendors had submitted proposals, each recommending a different architecture. "I don't need another tool pitch. I need a framework to compare the offers."

    MCP (Model Context Protocol) connects AI systems to data sources and tools [11]Anthropic, MCP und Agentic AI Foundation 2026. Open source, under the Linux Foundation since March 2026, supported by Anthropic, OpenAI, Google, Microsoft, and Amazon. Ask every vendor: "Do you support MCP?" That filters out lock-in in 30 seconds. A2A complements MCP by connecting agents to each other [12]Google Developers Blog, A2A Protocol (April 2025). Developed by Google, backed by 150+ organizations including SAP.

    RAG (Retrieval-Augmented Generation) is the standard pattern for AI accessing company data [13]Singh et al., Agentic RAG Survey (Januar 2025). Every major cloud platform offers RAG tooling. For a Microsoft shop: Azure AI Search. For AWS customers: Bedrock. For privacy concerns: open-source RAG with a local vector database.

    LangChain/LangGraph is the most-used open-source framework for AI applications and agents [14]Sequoia Capital, LangChain (2025). 90 million monthly downloads, used by 35% of Fortune 500 companies. Vendor-neutral, MIT-licensed.

    MLOps/LLMOps is the operational discipline behind production AI [15]Virtue Market Research, Enterprise LLMOps Market 2026-2030. Gartner predicts over 50% of generative AI deployments will fail by end of 2026 due to poor operational practices [15]Virtue Market Research, Enterprise LLMOps Market 2026-2030. Without MLOps, AI is a demo. With MLOps, AI is a production system.

    The IT director reduced his evaluation to four questions: Does the vendor support MCP? Is the architecture RAG-based? Is LangChain or equivalent in use? Is there an MLOps concept for operations? Two of three proposals failed these questions.

    Frameworks: Technical Architecture

    MCP (interfaces) · A2A (agent networking) · RAG (company data) · LangChain/LangGraph (development) · MLOps (operations)

    that costs nothing?

    A managing director of a trades company, 65 employees, told me: "Consultants cost €1,500 a day. My AI budget for this year is €15,000. I can buy ten consulting days or build something real."

    BMWK Mittelstand-Digital operates up to 29 centers across Germany offering free, vendor-neutral AI support [16]BMWK Mittelstand-Digital, Evaluation 2025. Around 100 AI trainers visit companies on-site. The program demonstrated a 3.3x multiplier effect: €134 million public investment generated €447 million in revenue increases [16]BMWK Mittelstand-Digital, Evaluation 2025.

    KfW launched the ERP Digitalization Credit in July 2025 [17]KfW, KI im Mittelstand + Förderkredit 2025. Three tiers, up to €25 million per project, with 3-5% grants (max €200,000).

    The Plattform Lernende Systeme, run by acatech with ~200 experts, publishes practical case studies and implementation roadmaps specifically for mid-market companies [18]acatech / Plattform Lernende Systeme. Free at plattform-lernende-systeme.de.

    Since February 2026, the Bundesnetzagentur operates a free AI Service Desk for SMEs [19]Bundesnetzagentur / KI-MIG. From August 2026, every EU member state must provide at least one regulatory sandbox where companies can test AI systems under supervision [5]EU AI Act, Verordnung (EU) 2024/1689.

    The managing director started with Mittelstand-Digital. An AI trainer came for two days. Cost: zero. Result: a concrete use case, an implementation plan, and a KfW funding application.

    Frameworks: German Funding Landscape

    BMWK Mittelstand-Digital (free AI trainers) · KfW Credit (up to €25M) · Plattform Lernende Systeme (case studies) · Bundesnetzagentur AI Service Desk (free)

    Take the AI maturity check

    15 questions, five minutes. The AI Maturity Check places your company in one of four phases and shows which frameworks you need next. Take the AI Framework check on convios.com.

    My Take

    What surprised me: most CEOs know ISO 27001 but have never heard of ISO 42001. That will change when the first tender documents require "ISO 42001 evidence." I saw this two months ago at an automotive supplier. The OEM had added the question to their supplier assessment. My contact at the supplier didn't know what to check.

    Of the 15 frameworks on this list, four are urgent for mid-market companies. The EU AI Act risk classification, because it's law. The Bitkom study, because it provides an honest benchmark. BMWK Mittelstand-Digital, because it's free and it works. And MCP, because a wrong interface decision today means three years of vendor lock-in.

    Which AI terms you need to understand these frameworks is covered in the AI terms article for CEOs. How to monetize AI and calculate ROI for your shareholders is in the next part of this series.

    Sources

    1. [1]Salesforce / DMB, KI-Index Mittelstand 2026 (526 Unternehmen)
    2. [2]Bitkom Research, Künstliche Intelligenz 2025 (604 Unternehmen)
    3. [3]Gartner, AI Maturity Survey 2025 (432 Befragte)
    4. [4]McKinsey / QuantumBlack, The State of AI 2025 (1.993 Befragte)
    5. [5]EU AI Act, Verordnung (EU) 2024/1689
    6. [6]ISO/IEC 42001:2023, KPMG Zertifizierung Dezember 2025
    7. [7]NIST AI Risk Management Framework 1.0
    8. [8]Microsoft, Responsible AI Transparency Report 2025
    9. [9]Gartner, AI TRiSM / Hype Cycle 2025
    10. [10]OECD AI Principles (2019, aktualisiert Mai 2024)
    11. [11]Anthropic, MCP und Agentic AI Foundation 2026
    12. [12]Google Developers Blog, A2A Protocol (April 2025)
    13. [13]Singh et al., Agentic RAG Survey (Januar 2025)
    14. [14]Sequoia Capital, LangChain (2025)
    15. [15]Virtue Market Research, Enterprise LLMOps Market 2026-2030
    16. [16]BMWK Mittelstand-Digital, Evaluation 2025
    17. [17]KfW, KI im Mittelstand + Förderkredit 2025
    18. [18]acatech / Plattform Lernende Systeme
    19. [19]Bundesnetzagentur / KI-MIG