What Is ISO 42001? The AI Management System Standard, Explained

ISO 42001 is the international standard for an AI management system. This guide explains what ISO/IEC 42001 requires, what certification involves, who needs it, and how it relates to the EU AI Act and NIST AI RMF.

12 min read

Enterprise Guide

17 Jun 2026

Last Updated on

The standard that turns "we govern our AI" into something you can certify

Plenty of organisations say they govern their AI well. Far fewer can prove it against a recognised yardstick.

ISO 42001 is that yardstick. This guide explains what the standard is, what an AI management system requires, what certification involves, who needs it, and how it fits with the EU AI Act and the NIST AI RMF.

What is ISO 42001?

ISO 42001 is the international standard for an AI management system. Its full name is ISO/IEC 42001, published jointly by the International Organization for Standardization and the International Electrotechnical Commission in December 2023, and it is the first certifiable management-system standard written specifically for AI.

In plain terms: ISO 42001 sets out how an organisation should establish, run, and improve the way it governs AI, so the practice can be audited and certified by an independent body.

It follows the same harmonised management-system structure as standards many enterprises already know, such as ISO/IEC 27001 for information security: the same clause layout for context, leadership, planning, support, operation, performance evaluation, and improvement. That shared structure lets an organisation fold AI governance into the systems it already operates, often reusing the same risk process, internal audit function, and management review, rather than building a separate discipline from scratch.

The standard is deliberately technology-neutral and risk-based. It does not prescribe which models or architectures to use. It provides a reference set of controls in Annex A, but leaves you to identify your AI risks, decide how to treat them, select and justify the controls that fit (recorded in a Statement of Applicability, as in ISO/IEC 27001), and keep evidence that you are operating them.

What is an AI management system?

An AI management system, often shortened to AIMS, is the set of policies, roles, processes, and controls an organisation uses to manage AI responsibly across its lifecycle. ISO 42001 defines what a good one looks like.

An AIMS is not a document. It is a working system that connects intent to action and produces evidence as it runs. Under ISO 42001, it has to cover a recognisable set of components.

  • Context and scope. Which AI systems are in scope, what they do, and the factors that shape the risk.

  • Leadership and policy. Named accountability at the top, plus a written AI policy that sets direction.

  • Risk and impact assessment. A repeatable way to identify AI risks, including impacts on individuals and society, and decide how to treat them.

  • Controls and objectives. The measures applied to those risks, drawn from the standard's control set, with measurable objectives.

  • Operation. The day-to-day running of those controls across the AI lifecycle, from design through deployment and retirement.

  • Performance and improvement. Monitoring, internal audit, management review, and corrective action, so the system gets better over time.

The thread running through all of it is evidence. An AIMS that cannot show what it tested, enforced, and reviewed is one an auditor cannot certify.

What does ISO 42001 require?

The requirements track the management-system pattern of plan, do, check, and improve: a loop, not a checklist. You plan by setting scope, leadership, policy, and risk treatment. You do by operating controls across every AI system in scope. You check through monitoring, measurement, and internal audit. You improve by acting on what those checks reveal, then run the loop again.

Two features make ISO 42001 demanding in practice.

First, it is risk-based, so the depth of control has to match the risk a system carries. A low-stakes internal tool and a customer-facing decision engine are not held to the same bar, and you have to justify the line you drew.

Second, it is continual. Certification is not a one-time event. The standard expects the system to keep operating and improving, so evidence has to keep being generated long after the audit.

This is where many programmes struggle. The policy and the risk register are written once. The ongoing controls and their evidence are the hard part, because AI systems keep changing after you sign off: models drift as data shifts, agents take actions nobody reviewed, and new attack techniques against models appear constantly.

What does ISO 42001 certification involve?

Certification is the independent confirmation that your AI management system meets the standard. An accredited certification body assesses your AIMS and, if it conforms, issues a certificate. The path usually runs in stages.

  • Gap assessment. You compare current practice against the standard and find where the AIMS falls short.

  • Implementation. You build or strengthen the missing pieces: policy, risk assessment, controls, monitoring, and records that prove they run.

  • Stage 1 audit. The certification body reviews your documentation and readiness.

  • Stage 2 audit. The body tests whether the system actually operates as documented, looking for evidence, not intent.

  • Surveillance. After certification, periodic audits confirm the system still runs and improves.

The lesson holds across every stage. Auditors do not certify a binder of policies. They certify a system that demonstrably operates, and the only proof of that is evidence captured as the work happened.

Who needs ISO 42001?

Nobody is legally required to hold ISO 42001 the way they are required to follow the EU AI Act. It is voluntary. But for a growing set of organisations it is becoming the practical way to prove AI maturity. It matters most for:

  • Enterprises building or deploying AI at scale, especially in regulated sectors such as financial services, where a recognised standard gives the board and the regulator a reference point.

  • AI providers and vendors who need to show enterprise buyers their AI is governed, because certification answers the due-diligence question before it is asked.

  • Organisations bidding for work where a certificate is fast becoming a procurement expectation, not a differentiator.

  • Firms already certified to ISO 27001 or similar, for whom an AI management system is a natural extension of the systems they run.

For the wider discipline ISO 42001 sits inside, start with our overview of AI governance, then see how the standard maps into a working AI compliance programme.

How ISO 42001 relates to the EU AI Act and the NIST AI RMF

These three frameworks are often confused, and treated as if you must choose one. You do not. They do different jobs and reinforce each other.

The EU AI Act is binding law. It classifies AI systems by risk and sets obligations that land hardest on high-risk systems, including the Article 9 risk-management duties and the Article 72 post-market monitoring requirements. Our EU AI Act guide covers who is in scope and what it requires.

The NIST AI RMF is a voluntary framework, not a standard you certify against. It gives organisations a common language and four functions for managing AI risk: govern, map, measure, and manage. Our guide to the NIST AI RMF explains how it works.

ISO 42001 is the certifiable management-system standard that sits between the two, giving you a recognised structure to operate and an independent certificate to prove you operate it.

So the relationship is straightforward. The NIST AI RMF helps you frame the risk. ISO 42001 gives you a certifiable system to manage it. The EU AI Act sets the obligations that are legally mandatory on top. A mature programme runs all three off one body of evidence, which is the heart of how Disseqt handles Prove and Comply.

How Disseqt helps you operate ISO 42001

The policy and the risk register are the parts most organisations can write. The parts that fail an audit are the ongoing controls and the evidence the standard expects you to keep generating, long after the documents are signed.

That is the gap Disseqt closes. Disseqt is the only unified AI assurance platform covering testing, monitoring, policy, audit, and compliance in one place, so the evidence an AIMS needs is produced as you work, not reconstructed before an audit. It comes from the AI Assurance Lifecycle, three connected stages that map onto what ISO 42001 asks you to run and improve.

  • Test and Detect supplies the testing evidence the standard expects, finding vulnerabilities, jailbreaks, and silent failures before a system goes live and as new threats appear.

  • Protect and Enforce turns written policy into live controls, applying guardrails and policy enforcement inline in production and catching drift in real time. This is the difference between a control that runs and one that lives in a slide deck.

  • Prove and Comply turns all of that activity into tamper-evident, audit-ready evidence, with compliance dashboards and mapping to ISO/IEC 42001, the EU AI Act, the FCA, and the SEC, structured for the people who will scrutinise it.

Because the validators are ML-based rather than LLM-as-judge, that evidence can be generated continuously and at scale, with sub-50ms inline latency, around 99% less water, and around 98% less CO2 than judging every output with another model. That is what makes the continual operation ISO 42001 demands realistic.

FAQs

01 What is ISO 42001 in simple terms?

ISO 42001 is the international standard for an AI management system. It sets out how an organisation should establish, run, and improve the way it governs AI, in a form an independent body can audit and certify.

02 Is ISO 42001 the same as ISO/IEC 42001?

03 Is ISO 42001 mandatory?

04 What is the difference between ISO 42001 and the EU AI Act?

05 How does ISO 42001 relate to the NIST AI RMF?

06 How long does ISO 42001 certification take?

See Disseqt in action
Book a 30-minute walkthrough

Our team will walk you through a live workflow using your own AI environment. No slides. No generic demo. A real walkthrough of how Disseqt fits into your stack.