ISO/IEC 42001: A Practical Guide to the AI Management System Standard
ISO/IEC 42001:2023 is the first international standard for an AI management system (AIMS): a certifiable framework for how an organization develops, deploys, and governs AI. It uses a Plan-Do-Check-Act cycle and adds 38 AI-specific controls in Annex A covering data governance, transparency, human oversight, and impact assessment. Think of it as ISO 27001 for AI risk, sitting alongside (not replacing) SOC 2.
Quick answer
ISO/IEC 42001:2023 is the first international standard for an AI management system (AIMS): a certifiable framework for how an organization develops, deploys, and governs AI. It uses a Plan-Do-Check-Act cycle and adds 38 AI-specific controls in Annex A covering data governance, transparency, human oversight, and impact assessment. Think of it as ISO 27001 for AI risk, sitting alongside (not replacing) SOC 2.
ISO/IEC 42001:2023 is the first international standard for an artificial intelligence management system (AIMS), published in December 2023 by ISO and IEC. It gives an organization a structured, auditable way to govern how it builds, buys, deploys, and monitors AI, and unlike a one-time checklist, it can be independently certified by an accredited body. If your company makes decisions with AI or sells AI features, this is the standard that proves you manage the risk on purpose, not by accident.
An AIMS is a set of policies, processes, roles, and records that govern AI across its lifecycle. The word "system" matters. ISO 42001 does not certify a single model or a particular product. It certifies the way your organization runs AI: who owns AI decisions, how you assess risk and impact before launch, how you keep humans in the loop, and how you fix things when they go wrong. That management-system shape is the same one used by ISO 27001 for information security and ISO 9001 for quality, which is why teams already familiar with those standards recognize the structure immediately.
The standard is built on a Plan-Do-Check-Act (PDCA) loop and ships with four annexes. Annex A is the normative list of 38 reference controls across nine areas. The other annexes give implementation guidance, suggested AI objectives and risk sources, and a mapping for integrating an AIMS with other management standards. The rest of this guide walks through what an AIMS actually requires, what the controls cover, how it lines up against ISO 27001 and SOC 2, what certification involves, and who should pursue it.
What is an AI management system (AIMS)?
An AI management system is the organizational machinery for governing AI responsibly and consistently. It is documentation plus behavior: a written AI policy, an inventory of where AI is used, defined roles and accountability, risk and impact assessments, controls, monitoring, internal audits, and a process for continual improvement. The point is repeatability. Any competent reviewer should be able to pick a deployed AI use case and trace it back to who approved it, what risks were assessed, and what controls apply.
ISO 42001 is deliberately technology-neutral and scalable. It does not tell you which model to use or ban any technique. It asks whether you have understood the context you operate in, identified interested parties (customers, regulators, affected individuals), set objectives, and put controls in place that match the risk. A two-person startup shipping one AI feature and a bank running dozens of models can both implement an AIMS; the depth scales with risk and scope.
Two ideas distinguish an AIMS from generic security governance. The first is the AI lifecycle: data sourcing, model development or selection, validation, deployment, monitoring, and decommissioning each carry their own risks. The second is AI impact assessment, which looks beyond the organization to people and society. Risk assessment asks "what could go wrong for us?" Impact assessment asks "who is affected, and how badly?" That second question, covering fairness, transparency, and harm to individuals, is what makes ISO 42001 an AI standard rather than a relabeled security one.
“ISO 42001 certifies how you run AI, not which model you picked. The unit of assurance is your management system, not a single deployment.”
How the Plan-Do-Check-Act cycle structures an AIMS
ISO 42001 runs on Plan-Do-Check-Act, the same continual-improvement engine behind ISO 27001 and ISO 9001. PDCA turns AI governance from a launch-day event into an ongoing operating rhythm. You plan controls based on risk, put them into practice, measure whether they work, then correct and raise the bar. Auditors look for evidence that the loop is actually turning, not that you wrote a policy once and filed it.
The clause structure maps onto the cycle. Clauses 4 through 6 (context, leadership, planning) are the Plan phase: scope the AIMS, secure leadership commitment, identify risks and impacts, and set objectives. Clauses 7 and 8 (support and operation) are Do: resources, competence, awareness, and the operational work of running AI risk treatment and impact assessments. Clause 9 (performance evaluation) is Check: monitoring, measurement, internal audit, and management review. Clause 10 (improvement) is Act: nonconformities, corrective action, and continual improvement.
- 1
Plan (clauses 4-6)
Set scope and context, leadership commitment, AI policy, objectives, and risk plus impact assessment.
- 2
Do (clauses 7-8)
Provide resources and competence, then operate AI risk treatment and impact assessments in practice.
- 3
Check (clause 9)
Monitor and measure controls, run internal audits, and hold management reviews.
- 4
Act (clause 10)
Handle nonconformities, take corrective action, and feed improvements back into the next cycle.
How ISO 42001 clauses map to the Plan-Do-Check-Act loop.
What the Annex A controls actually cover
Annex A of ISO 42001 lists 38 reference controls grouped into nine control areas. They are not a tick-box mandate. You select which controls apply based on your risk assessment, document the choice in a Statement of Applicability, and justify any you exclude. This mirrors how Annex A works in ISO 27001, so security teams will find the pattern familiar even though the subject matter is new.
The nine areas read like a responsible-AI program written down. They span AI policies, internal organization and accountability, resources for AI systems (including data, tooling, and human resources), assessing the impact of AI systems on individuals and society, the AI system lifecycle, data governance and quality, information for interested parties (transparency and documentation), use of AI systems, and management of third-party and supplier relationships. The list below highlights the ones teams most often underestimate.
A worked example makes this concrete. Say a logistics company deploys an AI agent that updates delivery exceptions in its order system. The AI policy control says someone owns the rules for that agent. The impact-assessment control means they documented who is affected if the agent miscategorizes a shipment. The data-governance control covers where the agent's reference data came from and how quality is checked. The transparency control means customers and staff know AI is involved and how to escalate. The human-oversight control, baked into the lifecycle area, requires a person can review or stop high-stakes actions. None of that is exotic; it is the difference between governed automation and a black box you hope behaves.
- AI impact assessment is the control teams skip first and regret most. ISO 42001 expects you to evaluate effects on individuals and groups, not just on the business, because that is where regulatory and reputational risk concentrates.
- Data governance and quality controls force you to know your data provenance, because a model is only as trustworthy as the data feeding it, and bad lineage is hard to prove away after the fact.
- Transparency and information-for-interested-parties controls require documentation that explains capabilities, limitations, and intended use, since affected people cannot exercise oversight over something hidden from them.
- Human oversight controls in the lifecycle area require that consequential AI actions can be reviewed, approved, or reversed, because fully autonomous action on sensitive operations is exactly what regulators scrutinize.
- Third-party and supplier controls extend governance to vendors and foundation-model providers, because outsourcing the model does not outsource your accountability for outcomes.
- Lifecycle controls cover decommissioning, not just launch, because a retired model left wired into a workflow is a silent risk that no one is watching anymore.
ISO 42001 vs ISO 27001 vs SOC 2: how they fit together
These three are complementary, not competing. ISO 27001 governs an information security management system. SOC 2 is an attestation, performed by a CPA firm against the Trust Services Criteria, that reports on operational controls. ISO 42001 governs an AI management system and adds the AI-specific concerns the other two never had: bias, transparency, human oversight, and impact on individuals. A serious AI vendor in 2026 is increasingly expected to carry a combination of these rather than treating any one as a substitute.
The good news for teams that already have security maturity: the management-system bones of ISO 27001 carry over. Risk assessment, internal audit, incident response, management review, document control, and corrective action all reuse. Practitioners and auditors widely report that an organization with a working ISO 27001 ISMS reaches ISO 42001 meaningfully faster than one starting cold, because the operating disciplines already exist and only the AI-specific content is new. ISO 23894 is the companion guidance for AI risk management, and Annex D of 42001 explicitly helps you integrate the AIMS with standards like ISO 27001 and ISO 9001.
Pick based on what you are protecting and what your buyers ask for. If the question is "is our data secure," that is ISO 27001 and SOC 2 territory. If the question is "do you govern your AI responsibly," that is ISO 42001. Regulated industries, public-sector procurement, and enterprise security reviews are starting to ask all three, especially with the EU AI Act's obligations phasing in through 2026 and 2027.
| Dimension | ISO/IEC 42001 | ISO/IEC 27001 | SOC 2 |
|---|---|---|---|
| What it governs | AI management system (AIMS) | Information security (ISMS) | Operational trust controls |
| Type of outcome | Certification | Certification | Attestation report |
| Assessed by | Accredited certification body | Accredited certification body | Licensed CPA firm |
| AI-specific controls | Yes (Annex A, 38 controls) | No | No (unless added via AI criteria) |
| Covers bias and human oversight | Yes | No | No |
| Structure | PDCA, Annex A controls | PDCA, Annex A controls | Trust Services Criteria |
| Typical buyer ask | Responsible AI assurance | Security assurance | Security and availability assurance |
What certification actually involves
Certification is a two-stage audit by an accredited certification body, followed by ongoing surveillance. Before the auditor shows up, you do the real work: build the AIMS, run it long enough to generate evidence, and fix the gaps your own internal audit finds. The audit confirms what you have built; it does not build it for you. Treat the certificate as the byproduct of a working system, not the goal.
Stage 1 is a readiness and documentation review. The auditor checks that your AIMS exists on paper: scope, AI policy, risk and impact assessment methodology, Statement of Applicability, and the required clause-4-through-10 documentation. They flag gaps so you can close them. Stage 2 is the certification audit, where the auditor tests whether the system operates as documented by sampling AI use cases, interviewing owners, and inspecting records. Pass, and you receive a certificate, typically valid for three years with annual surveillance audits and a recertification at the end.
Budget for time before you budget for the audit fee. The slow parts are writing honest risk and impact assessments, getting AI use-case owners to actually follow the process, and accumulating enough operating evidence (monitoring logs, review records, corrective actions) to demonstrate the PDCA loop is turning. An organization with an existing ISMS and a clear AI inventory moves quickly. One that has to first discover where AI is even running across the business should plan for a longer runway.
“The certificate is a lagging indicator. The work is building an AIMS that runs and keeps records; the audit just confirms it.”
A step-by-step path to an AIMS
If you are starting an ISO 42001 program, the sequence below keeps it from sprawling. Each step produces an artifact you will need at audit, so nothing here is busywork. Do them roughly in order, but expect to loop back as your AI inventory grows.
- Define scope and context (clause 4): decide which parts of the organization and which AI systems the AIMS covers, and identify interested parties and their expectations, because an undefined scope makes everything after it unauditable.
- Secure leadership and write the AI policy (clause 5): get executive ownership and a signed policy, since auditors test for genuine management commitment and AI governance fails without a budget owner.
- Build your AI inventory and risk plus impact assessment method (clause 6): list every AI use case and define how you assess risk and impact, because you cannot govern systems you have not enumerated.
- Select controls and write the Statement of Applicability: choose which Annex A controls apply, justify exclusions, and map them to your risks, as this document is the spine the entire audit hangs on.
- Operate and gather evidence (clauses 7-8): run the controls, train people, and let the system generate logs and records, because a control with no evidence of operation does not count.
- Check and improve (clauses 9-10): run an internal audit, hold a management review, fix nonconformities, then book the certification audit once the loop has visibly turned at least once.
Common mistakes that delay ISO 42001 certification
Most failed or stalled programs fail for predictable reasons, and almost none of them are technical. They are governance and evidence problems. Knowing the usual traps lets you avoid burning a stage-1 audit on findings you could have prevented.
The pattern underneath all of these is the same: treating ISO 42001 as a document you write rather than a system you run. The standard rewards organizations that already had reasonable AI discipline and are now formalizing it. It punishes teams hoping a policy PDF will substitute for actual oversight, monitoring, and records.
- Skipping the AI impact assessment because it feels softer than security risk, when it is the control that most distinguishes ISO 42001 and the one auditors probe hardest.
- Writing policies no one follows, so the documentation and the day-to-day reality diverge and stage 2 surfaces the gap immediately.
- Leaving AI systems out of the inventory, especially shadow AI in spreadsheets and SaaS tools, which makes your scope statement false the moment someone goes looking.
- Ignoring third-party and foundation-model risk, assuming a vendor's controls cover you, when accountability for outcomes stays with you regardless of who hosts the model.
- Treating certification as a finish line rather than the start of surveillance, then letting the PDCA loop go cold and failing the first surveillance audit.
- Reinventing security processes you already have under ISO 27001 instead of extending them, which wastes the biggest head start available to you.
Who should pursue ISO 42001, and when
ISO 42001 is most valuable for organizations whose AI decisions carry consequences or whose customers ask hard governance questions. The clearest candidates are AI product vendors selling into enterprise or regulated buyers, companies operating AI in high-impact domains like finance, healthcare, hiring, and critical operations, and any organization preparing for EU AI Act obligations where a certified management system is useful supporting evidence. If your sales cycles already stall on AI security questionnaires, certification turns a recurring objection into a one-line answer.
Timing comes down to maturity and pressure. If you already hold ISO 27001 or a SOC 2 report and AI is becoming central to your product or operations, the marginal effort is modest and the differentiation is real while the standard is still early. If you are pre-revenue with one experimental AI feature and no security baseline, build the ISO 27001 muscle first; the AIMS will be far cheaper once that foundation exists.
Where Onpilot fits this picture is narrow and practical. Teams deploying AI agents that take real action across CRM, support, and data tools still have to satisfy the human-oversight, transparency, and accountability controls an AIMS expects, so an agent platform that enforces human-in-the-loop approvals, least-privilege RBAC, and complete audit logs gives you working evidence for several Annex A controls rather than a slide deck describing them. The chart below shows, directionally, where common deployment patterns tend to sit on AIMS readiness.
Illustrative, directional comparison of how ready each pattern is to evidence Annex A controls. Not measured data.
A decision framework: which standard first?
When you cannot do everything at once, sequence by what your buyers demand and what protects you most. The rules below cut through the comparison noise.
Use ISO 27001 or SOC 2 first when the questions you keep getting are about data security, encryption, and access control, and AI is still a minor part of your offering. That foundation makes the eventual AIMS dramatically cheaper and answers most of today's procurement reviews.
Use ISO 42001 first, or in parallel, when AI is the product or a core operational dependency and buyers are asking specifically about responsible AI, bias, and oversight. In that situation a security certificate alone leaves the exact question your buyer cares about unanswered.
Pursue all three when you sell to regulated industries, critical infrastructure, or public-sector procurement. That combination, AI governance from 42001, security management from 27001, and independently attested operations from a SOC 2 Type 2 report, is becoming the expected posture for enterprise AI vendors, and the overlap between them means the third certificate costs less than the first.
Frequently asked questions
What is ISO/IEC 42001 in simple terms?
+
ISO/IEC 42001:2023 is the first international standard for an artificial intelligence management system (AIMS). It gives organizations a certifiable framework for how they develop, deploy, and govern AI responsibly. In plain terms, it is to AI governance roughly what ISO 27001 is to information security.
When was ISO 42001 published?
+
ISO and IEC published ISO/IEC 42001 in December 2023. It is the first management system standard dedicated specifically to artificial intelligence. Because it is so new, certification is still an early differentiator for AI vendors in 2026.
How many controls are in ISO 42001 Annex A?
+
Annex A lists 38 reference controls grouped into nine control areas, covering topics like AI policy, impact assessment, data governance, transparency, human oversight, and third-party management. You select applicable controls based on your risk assessment and record the choices in a Statement of Applicability. Excluded controls must be justified.
What is the difference between ISO 42001 and ISO 27001?
+
ISO 27001 governs an information security management system, while ISO 42001 governs an AI management system. ISO 42001 adds AI-specific concerns that 27001 never addressed, such as bias, model transparency, human oversight, and impact on individuals. They share the same PDCA and Annex A structure, so the two integrate well and an existing ISO 27001 program speeds up ISO 42001.
Is ISO 42001 the same as SOC 2?
+
No. SOC 2 is an attestation report produced by a CPA firm against the Trust Services Criteria, focused on security and operational controls, with no AI-specific requirements. ISO 42001 is a certification of an AI management system that directly addresses responsible AI. Many AI vendors pursue both because they answer different buyer questions.
Can you get certified for ISO 42001?
+
Yes. An accredited certification body audits your AI management system in two stages, a documentation and readiness review followed by a certification audit that tests whether the system operates as documented. A certificate is typically valid for three years with annual surveillance audits. SOC 2, by contrast, results in an attestation report rather than a certificate.
How does ISO 42001 relate to the EU AI Act?
+
ISO 42001 is a voluntary management-system standard, while the EU AI Act is binding law with obligations phasing in through 2026 and 2027. A certified AIMS does not automatically make you compliant with the Act, but it provides organized evidence of responsible AI governance that supports many of the Act's expectations around risk management, oversight, and documentation.
What is an AI impact assessment under ISO 42001?
+
An AI impact assessment evaluates how an AI system affects individuals, groups, and society, not just the organization deploying it. Where a risk assessment asks what could go wrong for the business, an impact assessment asks who is affected and how severely, covering fairness, transparency, and potential harm. It is one of the controls auditors scrutinize most because it is central to what makes ISO 42001 an AI standard.
Related
Put governed AI agents to work
See how Onpilot runs AI agents with human-in-the-loop approvals, least-privilege RBAC, and complete audit logs, the kind of evidence an AI management system needs.
Book a demo