15 AI Frameworks That Shape Your Strategy

43% of German mid-market companies have no AI strategy¹. That's from the 2026 Mittelstand AI Index, a survey of 526 firms. At the same time, 36% already use AI². The AI frameworks that mid-market leaders need answer four questions: Where do we stand? What must we do? Which technology fits? And who can help us?

Four decisions, 15 frameworks. Sorted by urgency, not by alphabet.

Where do we actually stand?

A CTO of a plastics manufacturer, 220 employees, wanted to present an AI roadmap to his CEO. The problem: he had no starting point. "I know what we're technically capable of. I don't know how we compare."

The answer sits in three free benchmarks.

The Bitkom AI Study 2025 is the most comprehensive dataset for the German market. 604 companies with 20+ employees, representatively surveyed². Key numbers: 36% use AI (2024: 20%), 47% are planning or discussing adoption, 81% see AI as the most important future technology. But 53% cite legal uncertainty as the biggest barrier, and 43% offer no AI training. Free at bitkom-research.de.

The Gartner AI Maturity Model goes deeper. Five levels, seven dimensions. Among 432 organizations surveyed in six countries³, most sit at Level 1 (Awareness) or Level 2 (Active). Only 6% reach "Transformational." High-maturity organizations keep AI projects operational for 3+ years at a rate of 45%, versus 20% for low-maturity firms³. Full access requires a Gartner subscription; core findings are public.

McKinsey's State of AI 2025 adds global context⁴. 1,993 respondents across 105 countries. 88% use AI. Only 6% qualify as "AI High Performers" generating 5%+ EBIT from AI. What separates them: workflow redesign (3.6x more frequent), CEO-driven AI ownership, and 20%+ of digital budget allocated to AI⁴. Critical figure: 51% of all firms report AI-related incidents. Free at mckinsey.com.

The CTO condensed the three studies into one slide: "We're Level 2 of 5 on Gartner. We're in the 43% without a strategy per Salesforce. And we invest 2% of IT budget in AI while top performers invest 20%." The CEO approved the roadmap.

A quality management director at a medical device supplier, 180 employees, had a direct question: "My CEO asks what we must have done by August 2026. Not what we should. What we must."

The EU AI Act risk classification system is the only legally binding framework on this list. Four tiers: prohibited, high-risk, limited risk, minimal risk⁵. For her medical device company, the answer was uncomfortable: AI in medical devices nearly always qualifies as high-risk. The deadline for high-risk systems in regulated products extends to August 2027 through the Digital Omnibus Package⁵. Fines for prohibited practices: up to €35 million or 7% of global turnover.

ISO/IEC 42001 answers "How do we prove we're doing it right?" The first certifiable AI Management System standard, published December 2023⁶. KPMG International achieved certification in December 2025 as the first Big Four entity⁶. TÜV SÜD, BSI, and SGS offer certification in Germany. Cost: standard ~€400, certification audit €10,000-50,000 depending on company size (estimate).

The NIST AI Risk Management Framework provides a free governance scaffold with four functions: Govern, Map, Measure, Manage⁷. All documents and playbooks are free at nist.gov.

Gartner AI TRiSM unifies governance, runtime inspection, and data security⁹. Gartner's finding that 80% of unauthorized AI transactions stem from internal policy violations, not external attacks, is worth repeating to every board⁹.

The OECD AI Principles form the normative foundation beneath the EU AI Act. Five principles, adopted 2019, updated May 2024¹⁰. The AI system definition in the OECD principles is identical to the one in the EU AI Act. Free at oecd.ai.

The QM director established her sequence: EU AI Act classification first (mandatory), ISO 42001 as the proof mechanism, NIST as the free governance scaffold for internal implementation.

Which technology do we need?

An IT director at a logistics company, 340 employees, had a specific problem. Three AI vendors had submitted proposals, each recommending a different architecture. "I don't need another tool pitch. I need a framework to compare the offers."

MCP (Model Context Protocol) connects AI systems to data sources and tools¹¹. Open source, under the Linux Foundation since March 2026, supported by Anthropic, OpenAI, Google, Microsoft, and Amazon. Ask every vendor: "Do you support MCP?" That filters out lock-in in 30 seconds. A2A complements MCP by connecting agents to each other¹². Developed by Google, backed by 150+ organizations including SAP.

RAG (Retrieval-Augmented Generation) is the standard pattern for AI accessing company data¹³. Every major cloud platform offers RAG tooling. For a Microsoft shop: Azure AI Search. For AWS customers: Bedrock. For privacy concerns: open-source RAG with a local vector database.

LangChain/LangGraph is the most-used open-source framework for AI applications and agents¹⁴. 90 million monthly downloads, used by 35% of Fortune 500 companies. Vendor-neutral, MIT-licensed.

MLOps/LLMOps is the operational discipline behind production AI¹⁵. Gartner predicts over 50% of generative AI deployments will fail by end of 2026 due to poor operational practices¹⁵. Without MLOps, AI is a demo. With MLOps, AI is a production system.

The IT director reduced his evaluation to four questions: Does the vendor support MCP? Is the architecture RAG-based? Is LangChain or equivalent in use? Is there an MLOps concept for operations? Two of three proposals failed these questions.

A managing director of a trades company, 65 employees, told me: "Consultants cost €1,500 a day. My AI budget for this year is €15,000. I can buy ten consulting days or build something real."

BMWK Mittelstand-Digital operates up to 29 centers across Germany offering free, vendor-neutral AI support¹⁶. Around 100 AI trainers visit companies on-site. The program demonstrated a 3.3x multiplier effect: €134 million public investment generated €447 million in revenue increases¹⁶.

KfW launched the ERP Digitalization Credit in July 2025¹⁷. Three tiers, up to €25 million per project, with 3-5% grants (max €200,000).

The Plattform Lernende Systeme, run by acatech with ~200 experts, publishes practical case studies and implementation roadmaps specifically for mid-market companies¹⁸. Free at plattform-lernende-systeme.de.

Since February 2026, the Bundesnetzagentur operates a free AI Service Desk for SMEs¹⁹. From August 2026, every EU member state must provide at least one regulatory sandbox where companies can test AI systems under supervision⁵.

The managing director started with Mittelstand-Digital. An AI trainer came for two days. Cost: zero. Result: a concrete use case, an implementation plan, and a KfW funding application.

15 questions, five minutes. The AI Maturity Check places your company in one of four phases and shows which frameworks you need next. Take the AI Framework check on convios.com.

My Take

What surprised me: most CEOs know ISO 27001 but have never heard of ISO 42001. That will change when the first tender documents require "ISO 42001 evidence." I saw this two months ago at an automotive supplier. The OEM had added the question to their supplier assessment. My contact at the supplier didn't know what to check.

Of the 15 frameworks on this list, four are urgent for mid-market companies. The EU AI Act risk classification, because it's law. The Bitkom study, because it provides an honest benchmark. BMWK Mittelstand-Digital, because it's free and it works. And MCP, because a wrong interface decision today means three years of vendor lock-in.

Which AI terms you need to understand these frameworks is covered in the AI terms article for CEOs. How to monetize AI and calculate ROI for your shareholders is in the next part of this series.

Sources

Have questions about this topic?