What is ISO/IEC 42001?
ISO/IEC 42001 is the international standard for an AI management system (AIMS). Published in December 2023, it is the first management-system standard built specifically for artificial intelligence — and, importantly, the first one you can certify against through an accredited certification body. It does not certify a single model or a finished product; it certifies that your organization runs a defined, repeatable way of governing the AI it develops or uses.
That framing matters. A certificate against ISO 42001 is not a stamp that says "your model is safe." It says you have a working system for deciding what your AI should and should not do, identifying the risks and impacts it creates, putting controls and human oversight in place, and proving, over and over, that the system actually runs. An auditor is not testing your model’s accuracy; they are testing whether the management system around it exists and operates as documented.
Because it is a management-system standard, ISO 42001 follows the same harmonized structure as other ISO standards such as ISO 27001: management clauses 4 to 10 plus a set of Annex A controls. If you have built an ISMS before, the shape will feel familiar; what changes is the subject matter, which here is responsible, trustworthy AI rather than information security.
ISO 42001 vs the EU AI Act
These two are constantly conflated, so it is worth being precise. ISO 42001 is a voluntary, certifiable management-system standard — you choose to adopt it and an accredited body certifies you against it. The EU AI Act is a law: a binding regulation with obligations and penalties that applies whether or not you have any certification. ISO 42001 can help you operationalize many of the governance practices the AI Act expects, but holding the certificate is not the same as legal compliance with the Act, and the Act cannot be "certified against" the way the standard can.