ISO/IEC 42001

ISO/IEC 42001:2023 is the international standard for an Artificial Intelligence Management System (AIMS), published by ISO in December 2023. The standard specifies the requirements for establishing, implementing, maintaining, and continually improving a management system that governs AI-related processes inside an organization. It uses the same High-Level Structure (Annex SL) that ISO 27001 and ISO 9001 use, which lets organizations integrate AI governance into their existing management-system audits. Certification bodies began offering accredited audits against ISO 42001 in 2024 and 2025.

What ISO 42001 requires from the AI request layer

The standard's clauses cover AI policy (Clause 5), planning (Clause 6 with the AI risk and impact assessment), operational controls (Clause 8), performance evaluation (Clause 9), and continual improvement (Clause 10). Annex A lists the AI-specific controls the AIMS implements: documented AI lifecycle, data quality for AI systems, AI system records, transparency, and human oversight. The clauses translate into runtime evidence the auditor reads: which AI systems are inventoried, which data classes flow into them, how policy decisions are recorded, and how the records are retained.

How ISO 42001 relates to the EU AI Act and NIST AI RMF

ISO 42001 is a management-system standard that any organization can adopt. The EU AI Act is binding law for AI systems placed on the EU market. NIST AI RMF is a voluntary US framework. Certification against ISO 42001 is one of the demonstrations a high-risk-system provider can use under EU AI Act Article 40's harmonized-standards mechanism. NIST AI RMF maps to ISO 42001 Annex A controls through NIST's published crosswalk. A single AI request-layer architecture that records per-decision evidence with identity binding satisfies the auditable evidence requirements common to all t
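As an added illustration (not code from this page, from ISO, or from any named product) of what a per-decision evidence record with identity binding can look like, the block below builds hash-chained records carrying the fields the clauses above call for: the inventoried AI system, the data classes in the request, the principal, the policy decision, and a retention date. The field names, the `ais-0007` and `pol-*` identifiers, and the SHA-256 chaining are assumptions chosen for the example; the standard does not prescribe them.

```python
"""Per-decision evidence record for an AI request layer (illustrative; field
names, identifiers and the hash-chain scheme are assumptions, not ISO 42001 text)."""
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev_hash value stored in the first record of a chain


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    body = {k: v for k, v in record.items() if k != "hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def decision_record(prev_hash, ai_system_id, principal, data_classes,
                    policy_id, decision, retain_days, now=None):
    """One evidence record: which inventoried system, which data classes,
    which identity, which policy decision, and how long the record is kept."""
    now = now or datetime.now(timezone.utc)
    rec = {
        "ai_system_id": ai_system_id,          # inventory id (hypothetical value)
        "principal": principal,                # identity binding: who asked
        "data_classes": sorted(data_classes),  # data classes that flowed in
        "policy_id": policy_id,                # which policy produced the decision
        "decision": decision,                  # e.g. "allow", "deny", "allow_with_redaction"
        "timestamp": now.isoformat(),
        "retain_until": (now + timedelta(days=retain_days)).isoformat(),
        "prev_hash": prev_hash,                # link to the previous record
    }
    rec["hash"] = _digest(rec)
    return rec


def verify_chain(records):
    """True iff each record's hash matches its contents and links to its predecessor."""
    expected_prev = GENESIS
    for rec in records:
        if rec["prev_hash"] != expected_prev or _digest(rec) != rec["hash"]:
            return False
        expected_prev = rec["hash"]
    return True


if __name__ == "__main__":
    # Constructed sample requests, not real traffic
    r1 = decision_record(GENESIS, "ais-0007", "alice@example.com", ["PII"],
                         "pol-redact-pii", "allow_with_redaction", 365)
    r2 = decision_record(r1["hash"], "ais-0007", "svc-batch", ["internal"],
                         "pol-default", "allow", 365)
    print(verify_chain([r1, r2]))   # True: intact chain
    r1["decision"] = "allow"        # after-the-fact edit to a stored decision
    print(verify_chain([r1, r2]))   # False: tampering is detectable
```

Retention here is only a field on the record; the retention job that honors `retain_until` and the storage that protects the chain head are outside this example.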

Related reading

  • ISO 42001 Implementation Guide: How to Stand Up an AI Management System That Passes Certification

    ISO/IEC 42001:2023 is the first international management-system standard for AI. The standard takes the ISO management-system structure (the same Annex SL Harmonized Structure used in ISO 9001, ISO 27001, and ISO 14001) and applies it to AI. Certification requires a documented AI management system covering scope, leadership, planning, support, operations, performance evaluation, and improvement. This piece walks through the certification path step by step, the Annex A controls that have to be operational, the audit evidence the certification body expects, the implementation timeline a typical mid-market organization runs, and where the AI-specific controls intersect the inspection-layer architecture.

  • ISO 42001 vs ISO 27001: How the AI Management System Layers on Top of Information Security

    ISO 42001 and ISO 27001 share the same management-system structure (the Annex SL Harmonized Structure) and a substantial portion of the Annex A control catalog. Organizations with an ISO 27001 certification have a head start on ISO 42001 because the management-system processes transfer with modifications. The two standards address different risk domains: 27001 covers information security risks to confidentiality, integrity, and availability of information assets, while 42001 covers AI-specific risks to fairness, reliability under adversarial pressure, transparency, accountability, and the responsible use of AI systems. This piece walks through the structural overlap, the additive AI-specific controls 42001 introduces, the integration pattern for combined audits, and the inspection-layer architecture that produces evidence under both standards.

  • AI Model Governance: Controls That Operate on the Request Path

    AI model governance fails when it sits at the model registry layer alone. Model cards and versioning catalog the asset. Per-request enforcement governs how the model is actually used. This article walks through the runtime layer most model governance programs leave out.