ISO/IEC 42001

the standard that tells you to manage your AI properly but doesn't tell you what happens when you don't — pair it with a regulator for the full experience.

"we got ISO 42001 certified last quarter and the board thinks we're done with AI governance now. nobody tell them about the 47 shadow deployments."
"spent six months building an AI management system to the standard. auditor asked for our risk treatment plan. we showed him a spreadsheet with three rows and a conditional formatting rule."
"our CISO says ISO 42001 is just ISO 27001 with extra steps. he's wrong but also kind of right and that's the problem."
Share this one
Canonical Definition

The international standard for AI Management Systems (AIMS), published December 2023 by ISO and IEC. Provides requirements for establishing, implementing, maintaining, and continually improving an AI management system. Built on the Annex SL high-level structure shared by ISO 9001 and ISO/IEC 27001, it introduces AI-specific controls covering risk assessment, data governance, transparency, and third-party AI supply chain management. Certification is voluntary but signals governance maturity to regulators, customers, and partners.

Why It Matters

ISO/IEC 42001 is the first internationally recognised standard that treats AI governance as a management system — not a checklist, not a policy document, not a one-time risk assessment. It requires organisations to build repeatable processes for AI risk identification, treatment, monitoring, and improvement, then prove those processes work through internal audits and management reviews.

This matters because regulators are watching. The EU AI Act explicitly references harmonised standards as a pathway to demonstrating conformity. While ISO/IEC 42001 is not yet a harmonised European standard (that process is underway through CEN-CENELEC JTC 21), organisations that can demonstrate a functioning AI management system have a structural advantage when the compliance clock starts ticking. The standard does not tell you what to build. It tells you how to build the system that governs what you build.

The structural risk is the opposite of what most organisations expect. The danger is not failing to get certified. The danger is getting certified and believing you are done. A management system that exists on paper but does not drive operational decisions is a liability, not an asset — it creates a documented record of the governance you claimed to have but did not practice.

The Stress Test

Your organisation achieved ISO/IEC 42001 certification six months ago. A regulator arrives and asks to see the AI risk register. You produce it — twelve entries, all assessed at initial deployment. The regulator asks when the risk treatments were last reviewed. The answer is never. The register has not been updated since certification.

The regulator then asks for evidence that the management system drove a real decision: a deployment that was delayed, a model that was retrained, a use case that was rejected. You have no such evidence. The management system produced documents. It did not produce decisions. That gap between documented intent and operational reality is exactly what the standard was designed to close — and exactly what your implementation failed to achieve.

In the Wild

Certification Race — Global, 2024–2025
The Rush to Be First

Within months of publication, certification bodies worldwide began offering ISO/IEC 42001 audits. Major consultancies reported a surge in readiness assessments, with financial services and healthcare leading demand. By mid-2025, dozens of organisations had achieved certification — but industry observers noted a familiar pattern from ISO 27001’s early years: the gap between the management system on paper and the management system in practice remained wide.

Being first to certify and being first to govern are not the same achievement. The standard measures the system. The regulator measures the outcome.

Regulatory Signal — EU AI Act, 2024
Harmonised Standards as a Compliance Shortcut

Article 40 of the EU AI Act establishes that conformity with harmonised standards creates a presumption of conformity with the Act’s requirements. CEN-CENELEC JTC 21 was tasked with developing these harmonised standards, with ISO/IEC 42001 serving as a key input. Organisations tracking this pathway recognised that a certified AIMS would not guarantee EU AI Act compliance — but the absence of any management system would make demonstrating compliance significantly harder.

The standard is not the regulation. But the regulation needs the standard’s infrastructure to work.

Integration Challenge — Enterprise, 2025
When AIMS Meets ISMS

Organisations with existing ISO/IEC 27001 information security management systems discovered that integrating an AI management system was not a simple extension exercise. AI risk categories — bias, explainability, autonomy drift — did not map neatly onto information security risk taxonomies. Teams that treated 42001 as “27001 with an AI annex” found themselves with a management system that addressed data security but missed the AI-specific risks the standard was designed to govern.

The Annex SL structure makes integration possible. It does not make the risk domains identical.

How to Govern It

A management system is not a destination. It is an operating rhythm.

Within the AI Control Index, ISO/IEC 42001 governance maps primarily to:

  • GRC (S1) — The management system’s backbone. Policy frameworks, risk registers, internal audit schedules, management reviews, corrective actions, and the Evidence Factory that turns governance claims into documented proof.
  • Strategy (L1) — AI strategy alignment with business objectives, stakeholder requirements, and organisational context. The standard requires understanding of internal and external issues affecting the AIMS — this is strategic governance, not operational compliance.
  • Supply Chain (S3) — Third-party AI components, foundation model providers, and data suppliers fall under the standard’s scope. If you consume AI, you govern AI — regardless of who built it.
  • Ethics & Fairness (L2) — The standard’s Annex B controls address transparency, explainability, and societal impact — aligning with the Index’s ethical governance layer.
  • Observability (S4) — Monitoring and measurement requirements demand that the AIMS is not just documented but observed in operation. Performance metrics, KPIs, and continual improvement cycles.

When It's Relevant

Any organisation that develops, provides, or uses AI systems and wants to demonstrate systematic governance. ISO/IEC 42001 is particularly relevant when:

  • You are preparing for EU AI Act compliance and need a structured management system to produce conformity evidence
  • Your customers or procurement partners require evidence of AI governance maturity
  • You operate in regulated sectors (financial services, healthcare, public sector) where AI risk management is expected
  • You already hold ISO 27001 or ISO 9001 and want to integrate AI governance into your existing management system
  • You are a provider of AI services and certification is becoming a market differentiator

See this control in the framework. ISO/IEC 42001 governance is operationalised across S1, L1, S3, L2, and S4 in the AI Control Index v6.0.

Open Framework →

Related Terms

References

  1. [1] ISO/IEC (2023) ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system. International Organization for Standardization. Available at: iso.org/standard/81230.html.
  2. [2] European Parliament and Council (2024) Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence (AI Act). Official Journal of the European Union. Available at: eur-lex.europa.eu/eli/reg/2024/1689/oj.
  3. [3] CEN-CENELEC (2024) JTC 21 — Artificial Intelligence: Standardisation request in support of the AI Act. European Committee for Standardization.
  4. [4] Kazim, E. and Koshiyama, A.S. (2021) ‘A High-Level Overview of AI Ethics’, Patterns, 2(9), 100314. doi: 10.1016/j.patter.2021.100314.
  5. [5] Mazzini, G. (2024) ‘The EU AI Act and ISO/IEC 42001: Synergies and Gaps in AI Governance’, Computer Law & Security Review, 52, 105940. doi: 10.1016/j.clsr.2024.105940.
  6. [6] NIST (2023) Artificial Intelligence Risk Management Framework (AI RMF 1.0). National Institute of Standards and Technology, U.S. Department of Commerce. NIST AI 100-1.
  7. [7] Raji, I.D., Smart, A., White, R.N., Mitchell, M., Gebru, T., Hutchinson, B., Smith-Loud, J., Theron, D. and Barnes, P. (2020) ‘Closing the AI Accountability Gap: Defining an End-to-End Framework for Internal Algorithmic Auditing’, Proceedings of the 2020 Conference on Fairness, Accountability, and Transparency (FAT*), pp. 33–44.

AI Control Index v6.0 · Glossary · June 2026 · i-DEPOT 158508 (BOIP) · CC BY-NC-ND 4.0

By Jeroen Janssen, Apparens