
ISO 42001 IT definition

The international standard that defines the requirements for an AI management system (AIMS), published in December 2023.

ISO/IEC 42001:2023, published in December 2023, defines the requirements for an AI management system (AIMS). It is the world's first certifiable standard dedicated to AI governance — the AI counterpart of ISO 27001 for information security or ISO 9001 for quality.

The stakes are twofold: meeting emerging regulatory requirements (notably the EU AI Act, in force since August 2024, with its obligations phased in through 2027) and giving organizations an auditable frame to govern their AI systems, from strategy to deployment, including risk, compliance, transparency, and continuous improvement.

Who is it for?

ISO 42001 applies to any organization that develops, deploys, or uses AI systems — vendors, integrators, end users. Especially relevant for:

  • SaaS vendors embedding AI in their products.
  • Large enterprises industrializing GenAI and AI agents.
  • Organizations subject to the AI Act (banking, healthcare, HR, education, justice).
  • Consulting firms and IT service providers active on AI engagements.

Structure of the standard

ISO 42001 follows the high-level structure common to ISO management standards:

  • Context: internal/external issues, stakeholders.
  • Leadership: AI policy, roles, top management commitment.
  • Planning: AI objectives, risk and opportunity assessment.
  • Support: resources, competence, communication, documentation.
  • Operations: design, development, deployment, retirement of AI systems.
  • Performance evaluation: monitoring, internal audits, management review.
  • Improvement: nonconformities, corrective actions, continuous improvement.

Annex A details 38 controls across 9 domains (AI policies, resources, impact assessment, lifecycle, data, stakeholder information, etc.).

ISO 42001 vs the AI Act

The two texts are complementary:

  • The AI Act is a binding EU regulation that classifies AI systems by risk level (prohibited, high-risk, limited, minimal) and imposes specific obligations.
  • ISO 42001 is a voluntary standard that provides the management system an organization can use to meet those obligations in a structured, auditable way.

Concretely, an organization certified to ISO 42001 has structured, auditable evidence of how it governs its AI systems, which it can bring to customers and European regulators. Note the limit: ISO 42001 is not a harmonised standard under the AI Act, so certification does not by itself create the presumption of conformity that Article 40 attaches to harmonised standards published in the Official Journal (those are being developed by CEN-CENELEC). Treat the certificate as supporting evidence for the AI Act's governance and risk-management obligations, not as a substitute for the conformity assessment of a high-risk system.

Benefits of an ISO 42001 program

  • Regulatory compliance: structured evidence for the AI Act, GDPR, NIS2, DORA.
  • Customer trust: certification reassures B2B buyers on the vendor's AI maturity.
  • Risk control: systematic identification of AI risks (bias, hallucinations, security, human rights).
  • Internal governance: clarification of roles between CIO, CISO, business, legal.
  • Fight against [Shadow AI](/en/glossary/shadow-ai): enforceable frame against ungoverned use.
  • Compatibility with other standards: aligned with ISO 27001, ISO 9001, ISO 27701.

Implementing ISO 42001

The program typically runs 6 to 12 months for a mid-sized organization:

  1. Initial assessment: map existing AI systems (including Shadow AI).
  2. AI policy: top management commitment, ethical principles, AIMS scope.
  3. Risk assessment: for each AI system, identify risks (bias, security, compliance).
  4. Control design: deploy the relevant Annex A controls (out of 38).
  5. Documentation and training: write procedures, train employees.
  6. Internal audits: verify implementation before certification.
  7. Certification: audit by an accredited body (Bureau Veritas, AFNOR, BSI, LRQA).

AI inventory: a non-negotiable prerequisite

No ISO 42001 program is possible without an up-to-date inventory of AI systems in use across the organization, including undeclared usage: direct calls to hosted LLM APIs, AI features switched on inside SaaS tools, browser extensions and self-hosted models. It is the AI counterpart of the application portfolio, and it is the input to the per-system risk assessment and to the Annex A control selection. Kabeen surfaces GenAI, LLM, and AI agent usage automatically across the IT estate to feed this AIMS inventory.
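As an added example (not part of the original page and not Kabeen's product code), the following Python script applies one common discovery technique for the inventory step: match the destination hostnames in outbound proxy logs against a list of known hosted-AI API endpoints, aggregate hits per user, and diff the result against the AIMS inventory to surface what nobody declared. The endpoint list, the log lines, the declared inventory and the log format (timestamp, user, method, URL, status, bytes) are all constructed assumptions for the example.

```python
"""Surface undeclared (Shadow) AI usage from outbound proxy logs.

Added example for this glossary entry, not Kabeen's code. The endpoint
list, the log lines and the declared inventory are constructed; adapt
them to your own proxy format and your own AIMS inventory.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Known hosted-AI API endpoints (assumption: a starting list, extend it).
AI_ENDPOINTS: Dict[str, str] = {
    "api.openai.com": "OpenAI API",
    "api.anthropic.com": "Anthropic API",
    "generativelanguage.googleapis.com": "Google Gemini API",
    "api.mistral.ai": "Mistral API",
    "api-inference.huggingface.co": "Hugging Face Inference",
}

# Tenant-specific hosts cannot be listed exactly, so match them by pattern.
AI_HOST_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\.openai\.azure\.com$"), "Azure OpenAI"),
    (re.compile(r"^bedrock(-runtime)?\.[a-z0-9-]+\.amazonaws\.com$"), "Amazon Bedrock"),
]

# Assumed proxy line: "<timestamp> <user> <METHOD> <url> <status> <bytes>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/:\s]+)"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-03-03T09:12:41Z alice POST https://api.openai.com/v1/chat/completions 200 1843",
    "2025-03-03T09:13:02Z bob GET https://www.example.com/ 200 512",
    "2025-03-03T09:15:10Z carol POST https://contoso-prod.openai.azure.com/openai/deployments/gpt4/chat/completions 200 2210",
    "2025-03-03T09:16:55Z dave POST https://api.anthropic.com/v1/messages 200 1501",
    "2025-03-03T09:17:20Z alice POST https://api.anthropic.com/v1/messages 429 0",
    "2025-03-03T09:20:01Z erin POST https://bedrock-runtime.eu-west-1.amazonaws.com/model/anthropic.claude-v2/invoke 200 900",
    "malformed line that should be skipped",
]

# Constructed declared AIMS inventory: only the Azure tenant was registered.
DECLARED_AI_SYSTEMS: Set[str] = {"Azure OpenAI"}


def classify_host(host: str) -> Optional[str]:
    """Return the AI service a hostname belongs to, or None if it is not one."""
    host = host.lower()
    if host in AI_ENDPOINTS:
        return AI_ENDPOINTS[host]
    for pattern, service in AI_HOST_PATTERNS:
        if pattern.search(host):
            return service
    return None


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Extract (user, host) from a proxy line; None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("user"), m.group("host")


def build_ai_inventory(log_lines: List[str], declared: Set[str]) -> Dict[str, dict]:
    """Aggregate observed AI usage per service and flag whether it was declared.

    Every request counts, including rejected ones (429), because the point is
    to see who is trying to use what, not whether the call succeeded.
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0})
    for line in log_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        user, host = parsed
        service = classify_host(host)
        if service is None:
            continue
        usage[service]["users"].add(user)
        usage[service]["requests"] += 1
    return {
        service: {
            "users": sorted(v["users"]),
            "requests": v["requests"],
            "declared": service in declared,
        }
        for service, v in usage.items()
    }


def undeclared_services(inventory: Dict[str, dict]) -> List[str]:
    """Services seen in traffic but absent from the declared AIMS inventory."""
    return sorted(s for s, v in inventory.items() if not v["declared"])


if __name__ == "__main__":
    inv = build_ai_inventory(SAMPLE_LOG, DECLARED_AI_SYSTEMS)
    for service, info in sorted(inv.items()):
        flag = "declared" if info["declared"] else "UNDECLARED"
        print(f"{service:22} {info['requests']:3} req  users={info['users']}  {flag}")
```

Two caveats a practitioner should keep in mind: hostname matching only sees direct API traffic, so AI features embedded in an already-sanctioned SaaS suite, browser extensions that route through their own backend, and models self-hosted on the internal network need a separate source (SaaS admin consoles, software inventory, GPU host review); and the proxy must actually see the traffic, which means split-tunnel VPNs and unmanaged devices are blind spots to list explicitly in the AIMS scope.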

Frequently asked questions

What is ISO 42001?


ISO/IEC 42001:2023 is the world's first certifiable international standard dedicated to AI governance. Published in December 2023, it defines the requirements for an AI management system (AIMS) covering strategy, risk, compliance, transparency, deployment, and continuous improvement. It is the AI counterpart of ISO 27001 for security or ISO 9001 for quality.

How is ISO 42001 different from the EU AI Act?


The AI Act is a binding EU regulation that classifies AI systems by risk level (prohibited, high-risk, limited, minimal) and imposes specific obligations. ISO 42001 is a voluntary standard that provides the management system an organization can use to meet those obligations. The two are complementary: ISO 42001 certification gives structured, auditable evidence of AI governance for customers and regulators, but it is not a harmonised standard under the AI Act and does not by itself create a presumption of conformity.

Who is concerned by ISO 42001?


Any organization that develops, deploys, or uses AI systems: SaaS vendors embedding AI in their products, large enterprises industrializing GenAI and AI agents, organizations subject to the AI Act (banking, healthcare, HR, education, justice), consulting firms and integrators. More broadly, any organization that wants to demonstrate AI governance maturity to customers or regulators.

How do you prepare for ISO 42001 certification?


Six steps over 6 to 12 months: (1) initial assessment with mapping of AI systems including Shadow AI, (2) AI policy and top management commitment, (3) per-system risk assessment, (4) deployment of the applicable Annex A controls (selected from the 38 and justified in a statement of applicability), (5) documentation and training, (6) internal audits then certification by an accredited body (Bureau Veritas, AFNOR, BSI, LRQA). An up-to-date AI inventory is the non-negotiable prerequisite.
