ISO/IEC 42001 is the first international certifiable management system standard specifically for AI. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS). Procurement teams increasingly treat it as the SOC 2 equivalent for AI: a signal that an organization has mature, auditable AI governance.
What does ISO/IEC 42001 actually require?
Key obligations include: AI management system scope and policy; leadership commitment and roles; AI risk assessment and treatment; resources, competence, and awareness; and operational planning and control. The standard is structured like other ISO management-system standards (such as ISO 27001) with a Plan-Do-Check-Act cycle, annexes listing AI-specific controls, and requirements for risk assessment, impact assessment, and ongoing monitoring.
Is ISO/IEC 42001 the same as the EU AI Act?
No. The EU AI Act is a binding regulation that applies to any provider or deployer of AI systems placed on the EU market. ISO/IEC 42001 is a voluntary international standard that can help demonstrate compliance with parts of the EU AI Act (especially the governance and risk-management obligations), but it is not a legal substitute. Many organizations pursue both: the standard for operational rigor, the regulation for legal conformity.
Who is already certified against ISO/IEC 42001?
In our directory, the following vendors reference ISO/IEC 42001 in their compliance programs or certifications: Credo AI, Holistic AI, Fiddler AI, CalypsoAI, Trustible, FairNow, Fairly AI, Saidot, LatticeFlow AI, HiddenLayer, Prompt Security, Enzai. Note that claims to certification should always be verified against the accredited certification body — we link to source evidence on each vendor page.
How long does certification take?
Typical gap-to-certificate timelines run 6 to 12 months for organizations that already have an ISO 27001 program, and 12 to 18 months starting from scratch. Stage 1 (documentation review) is followed by Stage 2 (onsite/implementation audit) by an accredited certification body.
Where is the authoritative text?
The standard is published by ISO at iso.org. The full PDF is not free — individual licenses are typically a few hundred Swiss francs. The title is ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system.