ISO/IEC 42001 — AI management system certification.
Published December 2023. The first management-system standard for AI — and the cheapest credible path to AI governance certification. Here's what each clause actually demands.
Published 2026-05-19 · reviewed 2026-05-19 · ~8-min read
What 42001 is
ISO/IEC 42001:2023 is a management-system standard (MSS) modelled on ISO 9001 (quality) and ISO 27001 (information security). An MSS doesn't tell you which AI models to use — it tells you which processes your organisation needs around its AI use. The certification audit verifies that those processes exist, are operating, and are being improved.
It is certifiable. Auditors are accredited. Procurement teams in 2026 ask for it.
Clauses 4-10 — the AIMS in 8 minutes
| Clause | What it covers | What it demands |
|---|---|---|
| 4 — Context | The organisation's context, interested parties, AIMS scope | Document the boundary — which AI uses are in scope, which aren't |
| 5 — Leadership | Top management, AI policy, roles + responsibilities | A signed AI policy. A named AIMS owner. A defined RACI for AI risk |
| 6 — Planning | Risks + opportunities, AI risk assessment, objectives | An AI risk register. Per-system impact assessments. Measurable objectives |
| 7 — Support | Resources, competence, awareness, communication, documented info | Training records. A document control system. An AI-literate workforce |
| 8 — Operation | Operational planning, AI system impact assessment, lifecycle | This is where the controls live. Annex A's 38 controls hang off here |
| 9 — Performance evaluation | Monitoring, internal audit, management review | Periodic attestation. Internal audit program. Management review minutes |
| 10 — Improvement | Nonconformity, corrective action, continual improvement | A nonconformity log. Root-cause-analysis discipline. Trend tracking |
Annex A — where the controls live
38 controls across 8 categories. The categories:
- A.2 — Policies related to AI. Documented AI policy + supporting policies.
- A.3 — Internal organisation. Roles, accountabilities, reporting lines.
- A.4 — Resources for AI systems. Computing, data, tooling, human resources.
- A.5 — Assessing impacts of AI systems. Impact assessment process + records.
- A.6 — AI system lifecycle. Design, dev, test, deploy, operate, retire.
- A.7 — Data for AI systems. Data governance, quality, provenance.
- A.8 — Information for interested parties. Transparency to users, regulators, partners.
- A.9 — Use of AI systems. Operational controls, monitoring, incident response.
Overlap with ISO 27001
If you have 27001, you're already 40-60% of the way. Clauses 4-10 are nearly identical (the MSS skeleton is shared). The 42001-specific work is Annex A.5-A.9: impact assessment, lifecycle, data governance, transparency, operational use. The 27001 ISMS and the 42001 AIMS can share an audit program, a management review cycle, and a nonconformity log.
The cheapest path to certification
- Inventory your AI uses. Be honest about which are in scope.
- Write the policy. Sign it. Communicate it.
- Build the impact assessment template (clause 8.2). Run it on three AI uses.
- Stand up the controls (Annex A) — only the ones that apply to your scope.
- Run an internal audit. Find nonconformities. Fix them.
- Stage 1 audit (documentation), then Stage 2 audit (operation), then certificate.
KYE Protocol™'s evidence packs + assurance card + attestation cycle generate clause 9 (performance evaluation) and Annex A.9 (operational use) artefacts automatically.