What is ISO 42001?
- ISO/IEC 42001 is the first international, certifiable standard for an AI management system.
- It governs how an organisation manages AI as a whole, using the Plan-Do-Check-Act cycle.
- It is the only AI governance standard you can be independently certified against.
- It suits any organisation that develops, provides, or uses AI and wants demonstrable governance.
- Current as of June 2026. This is general information, not legal advice.
What the standard does
ISO 42001 sets out the requirements for establishing, implementing, maintaining, and continually improving a management system for AI. Rather than focusing on a single AI system, it governs how an organisation manages AI as a whole: its policies, roles, risk processes, controls, and improvement cycle. It follows the same high-level management-system structure as well-known standards like ISO 27001 (information security) and ISO 9001 (quality), so organisations familiar with those will recognise the shape.
The management-system approach
The standard is built on the Plan-Do-Check-Act cycle of continual improvement. You plan your AI governance (policies, objectives, risk assessment), do it (implement controls and processes), check it (monitor, audit, review), and act on what you find (improve). This makes AI governance an ongoing system rather than a one-time project, which is the central idea of any management-system standard.
What it covers
ISO 42001 addresses the things responsible AI governance requires: leadership and policy, planning and risk assessment, support and resources, operation and controls, performance evaluation, and improvement. It also includes a set of AI-specific controls in its annex, covering areas such as AI risk, data for AI, transparency, and the lifecycle of AI systems. Together these give an organisation a comprehensive structure for governing AI.
Why it is significant
Before ISO 42001, organisations had no certifiable standard to point to when asked for proof of responsible AI. They could describe their practices, but they could not show an independent certificate. ISO 42001 changes that. It is the only certifiable AI governance standard, which makes it uniquely useful when a buyer, regulator, or partner asks for verifiable proof rather than a description.
Who it is for
ISO 42001 is for any organisation that develops, provides, or uses AI and wants a structured, demonstrable way to govern it. That includes AI vendors who want to prove responsible AI to enterprise buyers, and enterprises that want to govern AI across the business and evidence it to regulators and customers. Certification is optional, and adopting the standard delivers value even before certification, but the certificate is what turns good practice into independent proof.
Key terms
- ISO/IEC 42001: The first international, certifiable standard for an AI management system.
- AI management system (AIMS): The structured set of policies, processes, roles, and controls used to govern AI.
- Certifiable standard: A standard against which an accredited body can audit and issue an independent certificate.
- Plan-Do-Check-Act: The continual-improvement cycle that underpins ISO management-system standards.