advanta

HomeGlossaryRegulation

Regulation

P4

ISO/IEC 42001

DEFINITION

ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence. Published in 2023 and adopted at increasing pace through 2025 and 2026, it specifies the management-system requirements an organisation must demonstrate to claim mature AI governance: risk assessment, supplier evaluation, audit trail, continuous improvement, and named accountability. ISO/IEC 42001 does not prescribe technical controls; it prescribes the management system that produces them. Defensibility is the lived application of ISO/IEC 42001 inside a legal function.

Detailed Explanation

ISO/IEC 42001 — AI Management System Standard (Summary)

ISO/IEC 42001:2023 is the first certifiable management-system standard for AI. It defines how an organisation should establish, operate, and continually improve an AI Management System (AIMS), using the same high-level structure as other ISO standards (e.g. ISO/IEC 27001).

Core structure (Clauses 4–10)

  • Context (4): Define organisational context, stakeholders, and AIMS scope.
  • Leadership (5): Assign roles, responsibilities, and top-management commitment.
  • Planning (6): Address AI-related risks and opportunities; set objectives.
  • Support (7): Provide resources, competence, awareness, communication, documentation.
  • Operation (8): Plan, design, develop, deploy, and operate AI systems under control.
  • Performance evaluation (9): Monitor, measure, audit, and review AIMS performance.
  • Improvement (10): Manage nonconformities and drive continual improvement.

Annex A controls (AI-specific)

Annex A provides a catalogue of AI-focused controls, including:

  • AI policy and internal organisation
  • Resources and competence for AI
  • Impact and risk assessment for AI systems
  • AI system lifecycle management (design, development, validation, deployment, monitoring, retirement)
  • Data quality and data governance
  • Third-party and vendor relationships
  • Information for interested parties (e.g. transparency, documentation)

The standard certifies the management system, not individual models or AI products. A certificate shows that an organisation runs a structured, auditable approach to governing AI, but each use case still needs case-specific application of that system.

Why ISO/IEC 42001 Matters

  1. Procurement and assurance signal
  2. Coverage of AI governance methodology
    • Strategy: Clause 4 (context, scope, objectives)
    • Governance: Clauses 5 and 9 (leadership, oversight, review)
    • Risk: Annex A.5 (impact and risk assessment)
    • Use cases & maturity: Annex A.6 (lifecycle controls)
    • Change & improvement: Clause 10
    • Vendor management: Annex A.10 (third-party controls)
    • Sustainability & learning: Clause 10.2 (continual improvement)
  3. Audit defensibility
    • Defined AIMS scope and boundaries
    • AI policy and governance structure
    • Risk and impact registers for AI systems
    • Lifecycle records (design, testing, deployment, monitoring, retirement)
    • Management review minutes and improvement actions

Relationship to the EU AI Act

  • The EU AI Act defines substantive legal obligations (e.g. prohibited practices, high-risk system requirements, transparency duties, GPAI obligations).
  • ISO/IEC 42001 defines a management system that structures how an organisation identifies, manages, documents, and reviews AI risks and controls.

They are complementary:

  • Operating a robust 42001 AIMS makes it easier to generate and maintain the documentation, risk assessments, and lifecycle evidence the AI Act expects.
  • 42001 does not equal AI Act compliance, but a 42001-aligned programme is significantly closer to AI Act readiness than an ad hoc approach.

Quick Facts

Category

Regulation

Related Pillar

P4 · Governance

Explore Glossary

← All Terms