
ISO 42001 for AI Governance: Everything You Need to Know

ISO 42001 is the first international standard for AI governance. Here's what it is, how it works, and what certification involves.


If you’ve spent any time in compliance circles recently, you’ve likely heard of ISO 42001: the new standard of AI governance most organisations are nowhere near ready for. 

Per Stanford research, 78% of organisations used AI in 2024, up from 55% the year before, but only 1.5% believe they have adequate governance headcount, according to the 2025 AI Governance Profession Report. 

Someone has to close that distance, and ISO 42001 is the global standard trying to do it.

This article covers what the ISO 42001 standard is, how it works, who it applies to, how it relates to adjacent frameworks like the EU AI Act and the NIST AI RMF, and what ISO 42001 certification involves. 

What is ISO 42001?

ISO/IEC 42001:2023, published in December 2023 as a joint effort between the International Organization for Standardization and the International Electrotechnical Commission, is the first management system standard specifically designed for artificial intelligence. 

It gives organizations a formal, auditable structure for governing AI initiatives responsibly, consistently, and with named accountability. It joins other members of the ISO management system family, like ISO 9001 and ISO 27001.

| Standard  | Domain               | What it governs                                          |
|-----------|----------------------|----------------------------------------------------------|
| ISO 9001  | Quality management   | Product and service consistency                          |
| ISO 27001 | Information security | Confidentiality, integrity, availability of data         |
| ISO 42001 | AI management        | Ethical AI, bias, oversight, and the full AI lifecycle   |

What’s critical to understand is that ISO 42001 doesn’t govern your AI models. It governs your organization’s behaviour around those models. 

The standard introduces an Artificial Intelligence Management System (AIMS), which is the full set of policies, processes, controls, documentation, and monitoring mechanisms an organization builds around its AI activity. 

If you’ve worked within an Information Security Management System under ISO 27001, the architecture will feel familiar. 

ISO 42001 isn’t asking whether your model is good. It’s asking whether your organisation is ready to be accountable for what the model does.

Why ISO 42001 exists now

AI introduces categories of risk that conventional information security frameworks weren’t designed to handle—risks with documented failures and organisational consequences:

  • Bias in hiring and lending: Amazon scrapped its AI recruiting tool in 2018 after discovering it systematically downgraded resumes from women, trained as it was on years of male-dominated hiring data. Apple Card’s underwriting algorithm in 2019 was alleged to offer women lower credit limits than men with identical financial profiles, according to a CNN report.
  • Bias in healthcare: A widely used hospital algorithm deprioritized Black patients for additional care by using cost as a proxy for medical need, resulting in Black patients receiving less intervention than equally ill white patients. When researchers corrected the model, the percentage of Black patients identified for additional care rose from 17.7% to 46.5%.
  • Hallucinations with professional consequences: In the landmark Mata v. Avianca case in 2023, attorneys submitted a legal brief citing cases generated by ChatGPT. None existed. The court sanctioned the firm, but it wasn’t an isolated incident: the AI Hallucination Cases Database now tracks 1,459 incidents worldwide, 1,008 in US courts alone.
  • Hallucinations in medical settings: OpenAI’s Whisper, used by over 30,000 medical workers for patient transcription, hallucinated in approximately 1.4% of transcriptions, inventing sentences, fabricating medication names, and injecting racially charged language into patient records.

Documented AI safety incidents surged from 149 in 2023 to 233 in 2024, a 56% increase in a single year. ISO 42001 is a direct organisational response to a failure count that is rising even faster than deployment itself.

The global AI governance market reflects this urgency, now valued at approximately $550 million in 2024 and projected to reach $16.6 billion by 2034, growing at a CAGR of around 40%. Procurement pressure, AI regulation deadlines, and enterprise risk appetite are all driving that spend.

Who does ISO 42001 apply to?

ISO 42001 isn’t just for AI labs, model developers, and big tech companies managing AI risk. The standard applies to any organisation that builds AI products, buys AI tools, launches AI projects, integrates AI models into its workflows, or makes consequential decisions using AI applications. 

That covers:

  • A bank running automated credit scoring
  • A recruiting platform screening CVs with machine learning
  • A healthcare organisation using predictive diagnostics
  • A marketing team deploying personalization engines
  • An HR system flagging performance anomalies
  • A law firm using AI for document review
  • An adtech provider optimizing campaigns with AI solutions

Even an enterprise deploying large-scale generative AI internally without formal AI policy documentation sits well within scope.

Up to 77% of organisations now plan to pursue an AI compliance framework in the next 12 months, and 60% of those specifically cited ISO 42001, according to A-LIGN’s 2026 Compliance Benchmark Report. 

Many of these organisations have likely noticed their regulators and enterprise clients increasingly asking for such certifications in procurement questionnaires.

The ISO 42001 structure

ISO 42001 runs from Clause 1 through Clause 10, following the same high-level structure as every modern ISO management system standard. 

ISO 42001 Clauses: Full list

Clauses 1 through 3 set the definitional groundwork:

Clause 1: Scope defines what the standard covers and confirms that any organisation, regardless of size, sector, or AI maturity level, can implement it.

Clause 2: Normative references points to ISO 22989 as the source standard for the AI terminology and concepts used throughout ISO 42001.

Clause 3: Terms and definitions establishes the shared vocabulary the standard uses, drawing on ISO 22989 and adding AI management-specific definitions for easier interpretation.

Clauses 4 through 10 contain the AI-specific requirements.

Clause 4: Context requires a full map of the organisation’s AI landscape: which AI systems exist, where they are deployed, who they affect, and what regulatory obligations apply. An organisation running AI in credit decisions carries categorically different risk than one using AI to schedule meetings.

Clause 5: Leadership moves accountability up the chain. An executive-level AI policy must exist, with named ownership and a formal review cycle. Someone senior must own the AI risk.

Clause 6: Planning and risk management. Clause 6.1.2 requires a documented AI risk assessment process covering what could go wrong, how severe the impact could be, and how likely each failure is. The standard then requires organisations to map identified risks against Annex A controls. Clause 6.2 requires measurable AI objectives tied to those risks.

Clause 7: Support covers the infrastructure behind governance: resources, staff competence, AI literacy training, documented communication structures, and audit-ready decision records.

Clause 8: Operation governs the full AI lifecycle from development through deployment and monitoring, including pre-release validation and third-party vendor oversight. Clause 8.4 introduces the AI System Impact Assessment, an evaluation of potential harms.

Clause 9: Performance evaluation requires formal measurement through internal audits, management reviews, defined metrics, and corrective actions.

Clause 10: Continual improvement requires the AIMS to adapt as models drift, regulations evolve, and new risks emerge.

ISO 42001 Annexes: Full list

ISO 42001 also includes four annexes.

Annex A contains 30+ AI-specific controls across nine topic areas, covering data quality, bias detection, human oversight, and incident response. It functions as the definitive controls checklist, equivalent to Annex A in ISO 27001.

  • A.2 Policies related to AI
  • A.3 Internal organisation
  • A.4 Resources for AI systems
  • A.5 Assessing impacts of AI systems
  • A.6 AI system life cycle
  • A.7 Data for AI systems
  • A.8 Information for interested parties of AI systems
  • A.9 Use of AI systems
  • A.10 Third-party and customer relationships

Annex B provides implementation guidance for each Annex A control. Annex A specifies what to implement; Annex B specifies how.

Annex C maps AI objectives to risk sources, giving technical and non-technical stakeholders a shared reference for what AI systems should achieve and what could prevent that.

Annex D covers sector-specific application: how to integrate the AIMS with industry regulations and other ISO standards.

| Clause / Annex | Focus                 | Key output                                               |
|----------------|-----------------------|----------------------------------------------------------|
| Clause 1       | Scope                 | Applicability to all organisation types                  |
| Clause 2       | Normative references  | ISO 22989 as the terminology source                      |
| Clause 3       | Terms and definitions | Shared AI management vocabulary                          |
| Clause 4       | Context               | AI inventory, stakeholder map, regulatory obligations    |
| Clause 5       | Leadership            | Named AI policy, executive ownership                     |
| Clause 6       | Planning              | Risk assessment, objectives, Annex A mapping             |
| Clause 7       | Support               | Competence records, training, documented decisions       |
| Clause 8       | Operation             | Lifecycle controls, vendor oversight, impact assessments |
| Clause 9       | Evaluation            | Audits, metrics, incident reviews                        |
| Clause 10      | Improvement           | Corrective actions, governance updates                   |
| Annex A        | Controls              | 30+ AI-specific controls across 9 topic areas            |
| Annex B        | Guidance              | Implementation detail per Annex A control                |
| Annex C        | Risk mapping          | Objectives-to-risk-sources reference                     |
| Annex D        | Sectors               | Cross-industry and cross-standard integration            |

The four ideas that run through ISO 42001

AI risk management is the central logic. The standard doesn’t treat AI as inherently harmful. Instead, it treats AI risk as something to be systematically identified, evaluated, and mitigated, the same discipline organisations already apply to financial risk, operational risk, and security risk. The question isn’t whether your AI systems could go wrong, but whether you have documented processes for managing the ways they might.

Human oversight means accountability doesn’t transfer to the model; it stays with the organisation. ISO 42001 requires human oversight structures to remain active and documented, especially for high-impact decisions, automated outcomes in regulated sectors, and AI applications with limited explainability. AI security needs human vigilance.

Transparency here means governance transparency, not necessarily open-source transparency. Organisations need to understand what their AI systems do, where training data originates, what the known limitations are, and who owns each decision. This forms the foundation for trustworthy AI.

AI lifecycle thinking treats deployment as a checkpoint, not a finish line. From AI development through testing, deployment, monitoring, and eventual retirement, governance must span the full arc. AI deployment without post-deployment monitoring isn’t responsible AI—merely deferred liability.

ISO 42001 and the EU AI Act

The EU AI Act is law, a binding legal instrument. It creates enforceable obligations for organisations operating AI systems in European markets, with a structured enforcement timeline: in force from August 2024, fully applicable by August 2026. Penalties for the most serious violations reach €35 million or 7% of global annual turnover.

ISO 42001 is a voluntary governance standard. No regulator will prosecute you for lacking an AIMS, but ISO 42001 compliance functions as substantive evidence of governance maturity, which regulators, auditors, and enterprise procurement teams increasingly want to see documented.

ISO 42001 aligns closely with the risk-based, transparency, and human oversight expectations of the EU AI Act, and it adds the management-system foundations that supply-chain auditors expect to see. 

Organisations pursuing the standard build a documented governance posture that serves as pre-compliance infrastructure for the Act.

The NIST AI RMF operates in similar territory, especially for organisations with US federal exposure. It’s a strong, detailed framework for AI risk identification and response, but it’s non-certifiable. ISO 42001 is certifiable.

| Framework   | Type                       | Certifiable               | AI risk focus        | Geographic scope |
|-------------|----------------------------|---------------------------|----------------------|------------------|
| ISO 42001   | Management system standard | Yes                       | Comprehensive        | Global           |
| EU AI Act   | Law                        | N/A (compliance required) | High-risk AI         | EU markets       |
| NIST AI RMF | Voluntary framework        | No                        | Comprehensive        | US-oriented      |
| ISO 27001   | Management system standard | Yes                       | Information security | Global           |

How ISO 42001 certification works

Certification follows the same three-year cycle as ISO 27001, governed by ISO 17021. An independent, accredited auditor conducts a staged assessment. 

Stage one reviews your documentation and readiness. Stage two tests your operational effectiveness. During an AI audit, auditors will probe: 

  • Does a documented AI policy exist? 
  • Who owns AI governance at the leadership level? 
  • How does your organisation conduct an AI risk assessment? 
  • How do you approve new AI models before deployment? 
  • How do you monitor AI systems post-deployment? 
  • How do you manage AI vendors and their compliance claims? 
  • How do you handle AI incidents? 
  • What AI training have relevant staff received?

KPMG Australia became the first organisation globally to receive the ISO 42001 certificate. Since then, organisations across robotics, AI video generation, enterprise software, and professional services have pursued the standard. 

EU-wide adoption grew from 8% to 13.5% in a single year, a signal that certification has moved from early-adopter territory into broader competitive and regulatory expectation.

The honest picture of AI governance today

Only 41% of Fortune 500 companies had a dedicated AI governance team as of December 2025, according to Sedgwick’s 2026 Global Risk Study. Among the wider market, the picture is far less mature. 

Most organisations use AI informally, without inventory tracking, named governance ownership, or documented AI use cases, and with vendor compliance claims substituting for their own AI policy.

As we saw earlier, only 1.5% of surveyed organisations believe they have adequate governance headcount, while 23.5% cite the lack of qualified professionals as their primary AI implementation barrier. 

This isn’t surprising. AI governance requires cross-functional expertise across AI technology, ethics, compliance, risk management, and data protection simultaneously. 

That profile is rare, and the market for it is competitive.

ISO 42001 is trying to professionalize a space that’s been running largely on vendor trust and good intentions. 

It sets a repeatable, auditable standard for what responsible AI looks like in an organisational context, with requirements that don’t bend to the speed of product development.

Where to start in your ISO 42001 journey

The entry points differ by maturity level:

Organisations using AI informally should begin with an honest inventory. Which AI systems are in use? Who approved them? What data do they process? What decisions do they influence?

Organisations with some internal AI process already in place should map their existing controls against the ISO 42001 requirements and identify the gaps. Leadership accountability and documented AI policy are almost always the first areas requiring attention.

Organisations pursuing ISO certification should engage an accredited auditor early in the planning process, assess ISO 27001 structural overlap if applicable, and treat the annexes as primary working documents.

AI governance is a technical undertaking that requires leadership commitment. ISO 42001 gives that commitment a structure the rest of the world can verify.
