AI Compliance Vendors

What is ISO/IEC 42001?

The first international management-system standard for AI, published December 2023 — certifiable, auditable, and already adopted by major AI vendors.

Last updated April 21, 2026 · Every fact traceable to a public source

ISO/IEC 42001:2023 is the first international management-system standard for artificial intelligence, published in December 2023 jointly by ISO and IEC. It specifies requirements for establishing, implementing, maintaining, and continually improving an AI management system (AIMS) within an organisation. The standard follows the harmonised high-level structure used by ISO 27001 and ISO 9001, making integration with existing management systems straightforward. ISO 42001 is voluntary but is the most credible signal a vendor or operator can provide that AI risk is governed at the management-system level. Certification is granted by accredited third-party certification bodies (the ISO/IEC body itself does not issue certificates) and follows a typical 3-year cycle with annual surveillance audits.

What does ISO/IEC 42001 actually require?

Key obligations include:

- Define the scope of the AI management system, including the AI systems, organisational units, and lifecycle stages it covers.
- Establish an AI policy, objectives, and roles and responsibilities approved by top management.
- Conduct AI risk assessments and AI impact assessments addressing fairness, transparency, safety, security, privacy, accountability, and societal impact.
- Implement Annex A controls (organisational, lifecycle, data, system, third-party, customer/end-user, and use-case controls) selected via a Statement of Applicability.
- Maintain documented information for the AI system lifecycle (data, design, verification, deployment, operation, retirement) sufficient for an external auditor.

The standard is structured like other ISO management-system standards (such as ISO 27001), with a Plan-Do-Check-Act cycle, annexes listing AI-specific controls, and requirements for risk assessment, impact assessment, and ongoing monitoring.

Is ISO/IEC 42001 the same as the EU AI Act?

No. The EU AI Act is a binding regulation that applies to any provider or deployer of AI systems placed on the EU market. ISO/IEC 42001 is a voluntary international standard that can help demonstrate compliance with parts of the EU AI Act (especially the governance and risk-management obligations), but it is not a legal substitute. Many organizations pursue both: the standard for operational rigor, the regulation for legal conformity.

Who is already certified against ISO/IEC 42001?

In our directory, the following vendors reference ISO/IEC 42001 in their compliance programs or certifications: Credo AI, Holistic AI, Trustible, FairNow, Fairly AI, Saidot, LatticeFlow AI, HiddenLayer, Prompt Security, Enzai, OneTrust AI Governance, Collibra AI Governance. Note that claims to certification should always be verified against the accredited certification body — we link to source evidence on each vendor page.

How long does certification take?

Typical gap-to-certificate timelines run 6 to 12 months for organizations that already have an ISO 27001 program, and 12 to 18 months starting from scratch. Stage 1 (documentation review) is followed by Stage 2 (onsite/implementation audit) by an accredited certification body.

Where is the authoritative text?

The standard is published by ISO at iso.org. The full PDF is not free — individual licenses are typically a few hundred Swiss francs. The title is ISO/IEC 42001:2023 — Information technology — Artificial intelligence — Management system.

Editorial independence

This FAQ is editorial. No vendor can pay to be highlighted or ranked in answers, and the written commentary on this page is payment-free. Featured slots in directory listings are always labeled where they appear. Read our methodology for details.