Clients started asking about ISO/IEC 42001 the moment customers and procurement teams did. It is the AI governance answer to a question that used to get a hand-wave: how do you actually manage the AI you ship. Here is the working version.

What 42001 is

Published in 2023, ISO/IEC 42001 defines an AI Management System, an AIMS. It is to AI what ISO 27001 is to information security: a certifiable management system, audited by an accredited body, run on the Plan-Do-Check-Act cycle. It governs how you handle AI across its life, from design to retirement. It is not a technical checklist and it does not tell you which model to use. It asks whether you have decided, documented, and can prove how you run AI responsibly.

Annex A lists the controls, grouped into areas like policy, internal roles, resources, the AI lifecycle, data for AI systems, information for the people affected, responsible use, and third-party relationships. You select the ones that apply and justify what you leave out, the same Statement of Applicability move you know from 27001.

If you have 27001, you are halfway there

42001 uses the same high-level structure every modern ISO management standard shares: context, leadership, planning, support, operation, performance evaluation, improvement. If you already run an ISMS, you fold the AIMS into it rather than standing up a parallel system. The risk process you have can carry AI risk with extensions. The audit rhythm, the management reviews, the corrective-action loop all transfer.

The reuse is the selling point. A team with 27001 can reach 42001 by adding the AI-specific pieces, not by starting over.

The AI impact assessment is the new muscle

Here is what 42001 adds that 27001 does not have. Alongside risk to the organisation, it asks for an assessment of the AI system's impact on individuals and on groups of people: fairness, safety, transparency, and the ways the system could be misused or could harm someone who never agreed to use it. You document that assessment and act on it. Most teams have a risk register. Far fewer have written down who their model could hurt and how, and that gap is usually the first finding.

Where data and lifecycle controls bite

The Annex A controls that take real work are the ones on data and lifecycle. You need evidence of data quality and provenance for the data your AI learns from and runs on. You need defined stages for development, deployment, monitoring, and decommissioning, with controls operating at each. An auditor will ask to see the AI was built and is run under those controls, not just that a policy exists.

Certification, briefly

The path mirrors 27001. A Stage 1 audit checks your documentation and readiness. A Stage 2 audit checks the system is implemented and working. Pass and you hold a certificate, with surveillance audits in between and a recertification on a three-year cycle. Auditors want operating evidence, not intentions.

Where security testing fits

This is the part we get pulled into. 42001 expects controls to operate effectively, and several of them are technical security controls. Penetration testing and AI-specific security testing produce the evidence: the same model, prompt, tool, and agent-loop testing we covered in our AI engagement notes, mapped to the controls. A named methodology and a retest carry more weight than a screenshot, the same way they do in a SOC 2 review. When the auditor asks how you know the AI system is secure, a dated report with findings and fixes is the answer that ends the conversation.

Standing up the AIMS

If 42001 is on your roadmap this year:

  1. Decide the scope: which AI systems the AIMS covers.
  2. Fold it into your existing ISMS if you have one, rather than building a second system.
  3. Run the AI risk assessment and the AI system impact assessment.
  4. Map your controls to Annex A and write down the gaps.
  5. Collect operating evidence, including security testing of the AI itself.
  6. Book the Stage 1 audit once the documentation holds together.
27001 proves you protect data. 42001 proves you govern the AI that uses it. The teams that already had the first will spend most of their effort on one new thing: writing down who the model could affect, and showing what they did about it.

The standard rewards work you should be doing anyway. The certificate is the byproduct of running AI with the same discipline you already apply to security.