ISO/IEC 42001:2023 — Published December 18, 2023

ISO 42001 AI Management System: Implementation Guide for Regulated Industries

📅 Published February 2026 🕑 17 min read ⚒ ISO/IEC 42001:2023
ISO
First Certifiable International AI Management System Standard Published December 18, 2023, ISO/IEC 42001 is the world's first certifiable standard for AI management systems. Organizations that achieve certification demonstrate structured AI governance to regulators, customers, and supply chain partners — and gain recognized evidence of EU AI Act compliance readiness for high-risk AI systems.
ISO 42001 and EU AI Act: The Certification Pathway Opens The European Commission is expected to recognize ISO/IEC 42001 certification as evidence of EU AI Act compliance for high-risk AI systems, potentially qualifying as a basis for the EU Declaration of Conformity. For organizations operating high-risk AI under the EU AI Act's August 2026 deadline, pursuing ISO 42001 certification simultaneously satisfies both requirements with a single implementation effort.
Section 01

ISO 42001 Standard Structure: Clauses 4 Through 10

ISO/IEC 42001:2023 was published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) on December 18, 2023. It is the first international standard specifically designed to govern AI management systems — meaning the policies, processes, controls, and accountability structures through which organizations manage AI throughout its lifecycle.

The standard follows the Annex SL high-level structure (also called the "harmonized structure"), which is the same framework used by ISO 27001 (information security management), ISO 9001 (quality management), and ISO 14001 (environmental management). This structural consistency is deliberately designed to enable integration: organizations that already have ISO 27001 or ISO 9001 implemented can integrate ISO 42001 into their existing management system framework without rebuilding from scratch.

ISO 42001 applies to any organization that provides or uses AI systems — both organizations that develop AI (AI providers) and organizations that deploy AI developed by others (AI deployers). Unlike some AI regulations that focus only on high-risk AI, ISO 42001's scope covers the full range of AI management activities regardless of risk tier, though the intensity of controls scales with risk.

Dec 2023
ISO/IEC 42001:2023 published — first international AI management system standard
Annex SL
Harmonized structure enabling integration with ISO 27001, ISO 9001, and ISO 14001
Certifiable
Third-party certification available — organizations can demonstrate compliance to external parties
Annex A+B
Annex A provides specific AI controls; Annex B defines AI objectives for trustworthy AI

The Seven Clauses of ISO 42001

ISO 42001 is organized into seven operational clauses (Clauses 4 through 10), plus the two annexes. Each clause describes a set of requirements that an AI management system must satisfy. Together, they form a Plan-Do-Check-Act management cycle adapted for AI system governance.

  • 4

    Organizational Context

    Organizations must understand their internal and external context as it affects AI governance — including regulatory requirements, stakeholder expectations, organizational capabilities, and the types of AI systems in scope. This clause requires mapping the AI management system boundary and documenting the factors that determine what governance is needed.

  • 5

    Leadership

    Top management must demonstrate commitment to the AI management system. This includes approving an AI policy, assigning roles and responsibilities for AI governance, and actively supporting AI management objectives. ISO 42001 is explicit that AI governance cannot be delegated entirely to technical teams — it requires visible senior leadership engagement.

  • 6

    Planning

    Organizations must conduct systematic AI risk and opportunity assessments, establish AI management objectives with measurable targets, and plan how to achieve those objectives. Planning must consider both risks from AI (what could go wrong) and opportunities through AI (what beneficial outcomes responsible AI enables).

  • 7

    Support

    Organizations must provide the resources, competence, awareness, communication, and documented information necessary for effective AI management. This includes maintaining the documented information (records, procedures, policies) that demonstrates the AI management system is functioning. Documented information requirements under ISO 42001 are the primary evidence base for certification audits.

  • 8

    Operation

    Organizations must implement the controls and processes needed to govern AI system design, development, deployment, and operation. Clause 8 includes the AI impact assessment requirement (Clause 8.4), which requires assessing potential impacts on individuals before deploying AI systems that affect them. This is one of the most operationally intensive clauses.

  • 9

    Performance Evaluation

    Organizations must monitor, measure, analyze, and evaluate AI management system performance. This includes conducting internal audits of the AI management system, performing management reviews at planned intervals, and comparing AI system performance against established objectives. Clause 9 is the "Check" in the Plan-Do-Check-Act cycle.

  • 10

    Improvement

    Organizations must address nonconformities through corrective action and continually improve the AI management system. Clause 10 requires root cause analysis for significant AI management failures and documented corrective action plans with tracked implementation. Continual improvement distinguishes a management system from a static compliance framework.

Section 02

AI Impact Assessment Methodology: Clause 8.4

Clause 8.4 of ISO 42001 is one of the standard's most consequential requirements for organizations in regulated industries. It requires organizations to conduct an AI impact assessment (AIIA) before deploying AI systems that could affect individuals. The AIIA is conceptually analogous to a Data Protection Impact Assessment (DPIA) under GDPR — a structured pre-deployment analysis designed to identify potential harms and implement mitigating controls before they occur.

What Triggers an AI Impact Assessment

The AIIA requirement is triggered when an AI system's deployment could materially affect individuals — particularly where decisions, recommendations, or outputs may influence access to services, opportunities, or rights. For regulated industry AI, this threshold is crossed by virtually all customer-facing or patient-facing AI systems. In healthcare, any AI system that influences patient care pathways triggers the requirement. In financial services, any AI system that influences credit, insurance, or investment outcomes triggers it. In legal services, any AI system whose outputs inform client counseling triggers it.

The AIIA process under ISO 42001 requires organizations to document: the AI system's purpose and intended use cases; the population potentially affected; the categories of impact (positive and negative); the likelihood and severity of each negative impact; the controls implemented to mitigate negative impacts; the residual impact after controls; and the rationale for accepting residual impact. The completed AIIA is a documented information artifact retained as part of the AI management system records.

AIIA for Regulated Industry AI Systems

AI System Type Key Impact Areas to Assess Minimum AIIA Content Review Frequency
Healthcare Scheduling AI Access to care, appointment equity, data privacy for PHI in scheduling queries Demographic access analysis; PHI handling assessment; escalation pathway for urgent clinical needs; HIPAA alignment Annual or after major model update
Legal Research AI Legal outcome accuracy, hallucination risk, client confidentiality in AI prompts Accuracy benchmarking; confidentiality controls; attorney oversight requirements; citation verification protocol Annual or after new jurisdiction deployment
Financial Credit AI Credit access equity, disparate impact on protected classes, adverse action explainability Disparate impact testing by demographic group; adverse action notice capability; model drift monitoring plan; SR 11-7 alignment Semi-annual; after any model retraining
Hotel Guest AI Guest data privacy, pricing fairness, data retention for loyalty programs PII handling controls; pricing algorithm fairness review; GDPR/CCPA data rights fulfillment; PCI DSS alignment for payment contexts Annual or after system scope change

Distinguishing AIIA from DPIA

Organizations already conducting GDPR Data Protection Impact Assessments under Article 35 of the GDPR should understand the relationship between DPIAs and AIIAs. A DPIA focuses on personal data processing risks — the AIIA is broader, encompassing risks to individuals from AI system behavior even where personal data is not the primary concern (e.g., AI that makes discriminatory recommendations based on non-personal proxy variables). In many cases, a single combined AI Impact and Data Protection Impact Assessment can satisfy both ISO 42001 Clause 8.4 and GDPR Article 35 requirements, reducing documentation duplication.

Section 03

Annex A Controls for AI Governance

ISO 42001's Annex A contains AI-specific controls organized across four domains: organizational controls, people controls, technology controls, and third-party AI controls. Unlike the normative clauses (4-10), which define what the AI management system must do, Annex A provides the specific control mechanisms through which those requirements are implemented. Organizations select and implement Annex A controls based on their AI impact assessment findings and risk profile.

Organizational Controls (Annex A Section 5)

Organizational controls address governance structures, policies, and processes for AI management. Key controls include: AI use policies that define acceptable and prohibited AI use cases; AI system lifecycle management procedures covering design through decommission; AI risk ownership assignment with clear accountability; and procedures for managing changes to AI systems and their deployment contexts.

For organizations in regulated industries, the organizational controls in Annex A provide the documented governance structure that regulators increasingly expect to see. HIPAA's administrative safeguard requirements, OCC model risk governance expectations, and the EU AI Act's technical documentation requirements all align with Annex A organizational controls.

People Controls (Annex A Section 6)

People controls address competence, awareness, and responsibility for AI governance. Key controls include: screening and responsibility requirements for AI-sensitive roles; AI literacy training programs appropriate to each role's AI interaction level; documented accountability structures for AI development and deployment decisions; and disciplinary procedures for violations of AI governance policies.

The people controls are particularly relevant for legal services organizations, where attorney competence requirements (ABA Model Rule 1.1) include staying current with technology. ISO 42001 Annex A people controls provide a structured framework for demonstrating that attorneys and staff using AI tools have been trained on their limitations and appropriate use.

Technology Controls (Annex A Section 7)

Technology controls address the technical mechanisms that implement AI management objectives. Key controls include: access controls for AI systems and their underlying data; logging and monitoring of AI system operations; accuracy testing and performance benchmarking procedures; security controls protecting AI systems from adversarial manipulation; and model documentation requirements covering architecture, training data, and performance characteristics.

Third-Party AI Risk (Annex A.6)

Annex A.6 is one of the most practically significant sections for organizations that deploy AI developed by third-party vendors — which is the majority of healthcare, legal, and hospitality organizations. Third-party AI risk controls require: due diligence of AI vendors before procurement; contractual requirements for AI risk documentation and incident notification; ongoing monitoring of third-party AI system performance; and procedures for managing end-of-life or discontinued third-party AI services.

Third-Party AI Risk: The Due Diligence Gap Most Organizations Have ISO 42001 Annex A.6 makes explicit what the NIST AI RMF and EU AI Act imply: organizations cannot disclaim liability for AI systems they deploy simply because the underlying model was built by a vendor. The organization deploying the AI bears responsibility for its impacts on their stakeholders. Annex A.6 controls require establishing what the vendor's AI risk management practices actually are — not simply relying on vendor marketing claims.
Section 04

Integration with ISO 27001 and SOC 2

Because ISO 42001 follows the Annex SL harmonized structure, integrating it with an existing ISO 27001 information security management system is substantially less effort than implementing both standards independently. The high-level structure — context, leadership, planning, support, operation, performance evaluation, improvement — is identical. This means policies, procedures, audit programs, management review processes, and documented information frameworks can serve both standards with targeted modifications rather than parallel systems.

ISO 27001 and ISO 42001: Complementary Scope

The critical distinction is scope: ISO 27001 governs information security — the confidentiality, integrity, and availability of information assets. ISO 42001 governs AI system management — the trustworthy and responsible development, deployment, and use of AI systems. These are complementary but distinct concerns.

An AI system may be perfectly secure in the ISO 27001 sense (no unauthorized access, no data breach) while failing ISO 42001 requirements (biased outputs, inadequate transparency, no human oversight). Conversely, an organization might have excellent AI management practices while having information security gaps. Organizations pursuing both certifications benefit from integrated implementation, but should not assume that ISO 27001 certification implies ISO 42001 readiness or vice versa.

The integration points that yield maximum efficiency include: unified risk management methodology (ISO 42001 and ISO 27001 both require risk assessment — a single risk register can capture both AI-specific and information security risks); unified incident response procedures (AI incidents may also be security incidents — integrated response procedures avoid gaps); and unified internal audit programs (a single annual audit cycle can address both standards).

SOC 2 and ISO 42001

For organizations that carry SOC 2 Type II reports — common in SaaS, healthcare technology, and financial technology contexts — ISO 42001 integration follows a different path. SOC 2 uses the AICPA Trust Services Criteria (TSC), which focuses on security, availability, processing integrity, confidentiality, and privacy. ISO 42001 AI governance controls can be mapped to the SOC 2 TSC's processing integrity criteria, providing AI-specific evidence for a controls area that many SOC 2 reports address insufficiently.

Organizations pursuing SOC 2 Type II reports should work with their auditors to incorporate ISO 42001-aligned AI controls into the description of the system and controls under examination. The resulting SOC 2 report will provide significantly more informative AI governance assurance than a report that addresses AI only through generic processing integrity controls.

"ISO/IEC 42001 provides organizations with the structured framework needed to demonstrate responsible AI governance to customers, regulators, and supply chain partners — regardless of whether AI regulation in their jurisdiction is yet mandatory."

— ISO/IEC 42001:2023 Introduction
Section 05

ISO 42001 Certification Pathway and Timeline

ISO/IEC 42001 is a certifiable standard, meaning organizations can engage an accredited certification body to conduct a formal assessment and issue a certificate of conformance. Unlike ISO 27001, which has been certifiable since 2005 and has a large global ecosystem of certification bodies, ISO 42001 is newly published and the certification infrastructure is still developing. Organizations seeking certification in 2025-2026 should expect longer lead times for finding accredited auditors than they would for ISO 27001.

The Three-Stage Certification Process

ISO 42001 certification follows the standard ISO management system certification process:

  • Stage 1

    Documentation Review (Gap Analysis)

    The certification body reviews the organization's AI management system documentation against ISO 42001 requirements. This is a desk audit — the auditor assesses whether the documented system is adequate, not whether it is effectively implemented. Typical duration: 1-2 days of auditor time. Output: list of areas requiring clarification or improvement before Stage 2.

  • Stage 2

    Implementation Audit (Certification Audit)

    On-site (or remote) assessment of whether the AI management system is effectively implemented and operating. Auditors interview staff at all levels, review records and evidence of AI governance activities, observe AI system management processes, and assess whether implemented controls match documented controls. Typical duration: 2-5 days depending on organizational scope. Output: audit report with conformity findings.

  • Annual

    Surveillance Audits and Recertification

    ISO 42001 certificates are valid for three years, with annual surveillance audits maintaining certification. Surveillance audits focus on areas of concern identified in previous audits and on significant changes to the AI management system. Three-year recertification is a full re-audit equivalent to Stage 2. Organizations must address any minor nonconformities within defined timeframes and major nonconformities before receiving certification.

Realistic Implementation Timeline

For organizations starting from scratch, a realistic ISO 42001 implementation and certification timeline is 12-18 months. This assumes: 3-4 months for gap analysis and planning; 4-6 months for implementing the AI management system (policies, AI impact assessments, training, controls); 2-3 months of management system operation to generate audit evidence; and 1-2 months for the certification audit process. Organizations with existing ISO 27001 or ISO 9001 implementations can typically compress this to 8-12 months by leveraging existing frameworks.

For organizations operating AI systems in the EU that need to demonstrate EU AI Act compliance by August 2026, the timeline is achievable if implementation begins immediately. Organizations that delay until late 2025 may not complete certification before the EU AI Act high-risk deadline, though they can use in-progress implementation as a mitigation factor in regulatory discussions.

Section 06

EU AI Act Alignment Analysis

The European Commission has indicated that ISO/IEC 42001 is expected to be recognized as a harmonized standard under the EU AI Act, meaning ISO 42001 certification would provide presumption of conformity with relevant EU AI Act requirements for high-risk AI systems. While this formal harmonization designation had not been finalized as of February 2026, the structural alignment between the two frameworks is explicit and intentional — ISO 42001 was developed with the EU AI Act trajectory in mind.

Clause-to-Article Mapping

ISO 42001 Requirement EU AI Act Requirement Alignment Status
Clause 8.4 AI Impact Assessment Art. 9 Risk Management System Strong Alignment
Annex A Technology Controls (training data) Art. 10 Data Governance Strong Alignment
Clause 7.5 Documented Information Art. 11 Technical Documentation Strong Alignment
Annex A Technology Controls (logging) Art. 12 Record-Keeping and Logging Partial — EU AI Act more prescriptive
Annex B AI Objectives (transparency) Art. 13 Transparency Strong Alignment
Annex B AI Objectives (human oversight) Art. 14 Human Oversight Strong Alignment
Clause 9 Performance Evaluation (accuracy monitoring) Art. 15 Accuracy and Robustness Partial — EU AI Act requires specific accuracy metrics
Clause 9.3 Management Review Art. 72 Post-Market Monitoring Strong Alignment

The practical implication of this alignment is significant: organizations that implement ISO 42001 comprehensively will have addressed the majority of EU AI Act high-risk requirements through their management system work. The gaps — primarily around EU AI Act-specific documentation formats, CE marking procedures, and registration in the EU AI Act database — can be addressed through targeted supplementary work without duplicating the entire compliance effort.

Section 07

12-Item ISO 42001 Implementation Checklist

  • Clause 4 — Define Organizational AI Context Document internal and external issues affecting AI governance, identify stakeholder requirements and expectations, and define the scope of the AI management system. Include a list of all AI systems within scope. Confirm senior leadership has reviewed and approved the scope definition. This is the foundation for all subsequent ISO 42001 work.
  • Clause 5 — Obtain Top Management Commitment and Publish AI Policy Draft and obtain leadership approval for an AI policy that commits to trustworthy AI, establishes AI management objectives, and assigns accountability. The policy must be communicated to all relevant staff and available to external stakeholders. Document evidence of top management's active role in AI governance decisions.
  • Clause 6 — Complete AI Risk and Opportunity Assessment Conduct a systematic assessment of AI-related risks and opportunities using a documented methodology. Risk assessment must cover all AI systems in scope across their full lifecycle. Document risk owners, likelihood/impact ratings, existing controls, and residual risk. Update annually and when new AI systems are deployed.
  • Clause 7 — Establish AI Management System Documentation Framework Implement document control procedures for all AI management system documented information. Establish a document register tracking policy documents, procedures, assessment records, and audit evidence. Assign document owners and define retention periods. Create a training records system capturing all ISO 42001-required competence activities.
  • Clause 8.4 — Conduct AI Impact Assessment for All In-Scope AI Systems Complete an AIIA for each AI system in scope before deployment or, for already-deployed systems, within the implementation timeline. Document population affected, potential harms, controls implemented, and residual impact. Obtain sign-off from the AI risk owner and retain as documented information. Update AIIAs when AI systems change materially.
  • Annex A — Select and Implement Applicable Controls Prepare a Statement of Applicability (SoA) documenting which Annex A controls are applicable, which are implemented, and the justification for any exclusions. Implement all applicable controls with documented procedures and evidence of operation. The SoA is a key certification audit artifact.
  • Annex A.6 — Implement Third-Party AI Vendor Due Diligence Establish a formal process for assessing AI vendor risk management practices before procurement. Create standard due diligence questionnaires addressing vendor AI governance, testing practices, incident notification procedures, and data handling. Document assessment results and retention period. For current vendors, complete assessments within 90 days of ISO 42001 implementation.
  • Clause 7.2 — Implement AI Competence Training Program Assess AI competence requirements for all roles that interact with, develop, or oversee AI systems. Identify competence gaps. Design and deploy training appropriate to each role — from executive AI literacy briefings to technical AI system management training for IT staff. Document completion and assess effectiveness quarterly.
  • Clause 9.2 — Conduct Internal Audit of AI Management System Establish an internal audit program that covers all ISO 42001 requirements at least annually. Train internal auditors or engage qualified external auditors for the internal audit role. Conduct first internal audit within 3 months of completing implementation. Document findings, assign corrective actions, and verify effectiveness. The internal audit report is required certification evidence.
  • Clause 9.3 — Conduct Management Review Hold a formal management review meeting with top management at least annually to review AI management system performance. Agenda must cover: audit results, performance against AI objectives, incidents and near-misses, stakeholder feedback, and risks and opportunities. Document minutes and decisions as formal management review records.
  • Clause 10 — Establish Nonconformity and Corrective Action Process Document a procedure for identifying, recording, and addressing nonconformities with ISO 42001 requirements. Procedure must include root cause analysis, corrective action planning, implementation verification, and effectiveness review. Apply the procedure to any significant AI management failures or audit findings. The corrective action register is reviewed at management review.
  • EU AI Act Integration — Supplement ISO 42001 for High-Risk AI For AI systems classified as high-risk under EU AI Act Annex III, identify the gap between ISO 42001 implementation and EU AI Act-specific requirements: CE marking, EU Declaration of Conformity, EU database registration, and Article 12 immutable logging. Document a supplementary compliance plan addressing these EU AI Act-specific items as extensions to the ISO 42001 framework.
Section 08

How Claire Aligns with ISO 42001

Claire's design and governance architecture was built to enable deploying organizations to satisfy ISO 42001 requirements efficiently. Rather than requiring organizations to independently document all AI management system requirements from scratch, Claire provides deployer-facing compliance infrastructure that covers key ISO 42001 requirements for the AI systems in scope.

Claire's ISO 42001 Alignment Architecture

Clause 8.4 — Pre-Built AI Impact Assessment Template: Claire's Deployer Compliance Package includes a completed AI Impact Assessment template for each deployment context (healthcare, legal, finance, hospitality). The template documents Claire's intended use, affected populations, potential impacts, implemented controls, and residual impact — addressing Clause 8.4 requirements with minimal deployer effort. Organizations customize the template for their specific deployment context.
Annex A Technology Controls — Documented Architecture: Claire provides technical documentation covering all Annex A technology control areas: system access controls, operational logging (append-only, integrity-verified), accuracy monitoring dashboards, input security controls, and model performance benchmarks. This documentation supports the Statement of Applicability and certification audit evidence requirements.
Annex A.6 — Third-Party AI Transparency Documentation: The Algorithm LLC provides ISO 42001 Annex A.6-compatible vendor documentation including: AI governance policy, TEVV testing results, incident notification procedures, data processing agreements, and sub-processor documentation. Deploying organizations can submit this documentation as evidence of their third-party AI risk management for ISO 42001 certification audits.
Annex B AI Objectives — Trustworthy AI by Design: Claire implements all six Annex B AI objectives: transparency (always identifies as AI), accountability (full audit logging), human oversight (configurable escalation), privacy (ephemeral sessions, no PII retention), safety (harm avoidance guardrails), and fairness (bias monitoring in response generation). Deployers receive Annex B objective evidence for their management review records.
Clause 9 — Performance Monitoring Dashboard: Claire's deployer dashboard provides real-time and historical AI system performance data suitable for Clause 9 performance evaluation requirements. Monthly performance reports are automatically generated and can be incorporated into management review documentation. Alert thresholds and performance trend analysis support the continuous monitoring requirements of Clause 9.1.
NIST AI RMF and ISO 42001 Dual Alignment: For organizations that need to satisfy both NIST AI RMF (EO 14110, federal contracting) and ISO 42001 simultaneously, Claire's compliance documentation is structured to address both frameworks. The GOVERN-MAP-MEASURE-MANAGE activities documented in the Deployer Compliance Package map directly to ISO 42001 Clauses 5, 6, 7, 8, and 9 respectively.

Organizations pursuing ISO 42001 certification with Claire as part of their in-scope AI systems can expect the certification audit to proceed more efficiently than organizations deploying AI systems without pre-built compliance documentation. The Algorithm LLC can provide a Certification Support Package with formatted evidence artifacts designed for ISO 42001 auditor review. Contact us for details on certification support engagements.

Schedule an ISO 42001 implementation consultation →

C
Ask Claire about ISO 42001 implementation