Skip to Content
Governance and Compliance

What is ISO/IEC 42001 (the AI management standard)?

ISO/IEC 42001 is the world's first certifiable international standard for managing artificial intelligence. Published in 2023 by ISO and IEC, it defines how an organization should build an AI Management System (AIMS): a use policy, risk and impact assessment, controls and continual improvement across the entire AI lifecycle. It is, for AI, the equivalent of what ISO/IEC 27001 is for information security: a company can be audited by an independent third party and earn certification to prove it uses AI responsibly.

Zamak TechnologiesUpdated on July 10, 2026

How ISO/IEC 42001 works in practice

The standard is not a tool you install; it is a management system the company builds and maintains over its use of AI, on the same continual-improvement model (plan, do, check, act) as other ISO standards. The cycle has four parts.

1

Set the policy and accountability

The company puts in writing what it uses AI for, what is allowed, who approves each tool and who owns the program. With no owner and no rule, there is no management system.

2

Assess AI risk and impact

Each use of AI goes through a risk and impact assessment: what data goes in, what decision the AI influences, who could be affected. This is what sets an AI standard apart from a security-only one.

3

Apply the controls and record the evidence

From the standard's Annex A, the company selects the applicable controls, puts them into practice and keeps the proof that they work, in a Statement of Applicability.

4

Audit, certify and improve

An independent certification body audits the system in two stages (documentation and operation). Once approved, it issues the certificate; the cycle then repeats to improve continually.

Source: ISO/IEC 42001:2023 (Artificial Intelligence Management System) and the ISO management-system model.

What an AI Management System (AIMS) covers

  • AI policy and governance The rules of use, the roles and the accountability: who decides, who approves tools and who answers for the outcome.
  • Risk and impact assessment A repeatable method to judge each use of AI before it is released, including the impact on people and on the business.
  • Annex A controls A catalog of reference controls (data, transparency, human oversight, lifecycle) from which the company picks the applicable ones and proves adoption.
  • Data and lifecycle management Rules over the data that feeds the AI and over every phase of the system's life, from design to retirement.
  • Continual improvement and certification Periodic audits, fixing what fails, and certification by a third party as external proof that the program exists and works.

Why ISO/IEC 42001 became the trustworthy-AI seal the market started to require

63%
of organizations that suffered a breach had no AI governance policy at all (IBM, Cost of a Data Breach 2025)
20%
of breaches were linked to unauthorized AI use, or shadow AI (IBM, 2025)
US$ 670K
the average extra cost a shadow-AI incident adds to a breach (IBM, 2025)

AI adoption ran ahead of governance, and the market responded. Just as ISO/IEC 27001 became a prerequisite in technology procurement, ISO/IEC 42001 is becoming the seal large buyers ask for before signing: instead of asking whether your AI is safe, the customer now asks whether you are ISO 42001 certified. Because it is international, it works as a single proof before regulators and clients across several markets at once, from the Americas to Europe and Asia, where new AI laws (such as the European Union's AI Act) demand exactly this kind of demonstrable governance. For the business, certification stops being a cost and becomes a differentiator that opens doors.

How a company prepares for ISO/IEC 42001

Preparing for the standard is less about a last-minute certificate and more about starting to govern the AI use that is already happening. The most direct path:

  1. See which AI the company already usesBefore any policy, you have to see the shadow AI: which tool each department uses, with what data. What you cannot see, you cannot govern.
  2. Write the policy and name the ownerA clear rule of use and one person accountable for the program. It is the base the standard requires and that most companies still lack.
  3. Assess risk and apply the controlsRun the risk and impact assessment, select the Annex A controls and start collecting the evidence that they work.
  4. Treat it as a continuous postureCertification is not a snapshot, it is a film: evidence is gathered continuously, not assembled in a rush the night before the audit.
  5. Only then pursue certificationWith the system running, an independent body audits and certifies. Reaching the auditor with the system already live shortens the road.

In practice

The question that reveals the real risk: if a major client demanded AI certification tomorrow as a condition of the contract, would the company know where to begin, or would it discover it never wrote a single line of AI policy?

How Zamak handles ISO/IEC 42001 compliance

Zamak Technologies supports the journey toward ISO/IEC 42001 as part of the Governance and Compliance of the Zamak Method: AI use policy, data classification, risk assessment, tool approval and auditable evidence on a compliance platform. One honest distinction: the standard documents and proves responsible AI use, it does not technically block data from leaving, which is a separate technical defense layer, scoped on its own. A good starting point is the AI exposure self-check, which shows in minutes where the company is most exposed.

Frequently asked questions about ISO/IEC 42001

Is ISO/IEC 42001 mandatory?
No. It is a voluntary standard. But, as happened with ISO/IEC 27001 in information security, large clients and regulated sectors increasingly require it in contracts, which makes it effectively mandatory for anyone who wants to sell to them.
What is the difference between NIST AI RMF and ISO/IEC 42001?
NIST AI RMF is a voluntary, free framework, created in the United States, that gives a shared language and a process to manage AI risk, with no certification. ISO/IEC 42001 is a certifiable international standard: an independent third party audits it and issues a certificate. Many companies use NIST AI RMF to structure risk management and pursue ISO 42001 for external, certifiable proof. The two complement each other.
Do I need my own AI to adopt the standard?
No. ISO/IEC 42001 applies to anyone who develops, provides or merely uses AI systems. A company that only uses third-party AI tools still has an AI management system to look after.
How long does it take to get certified?
It depends on the size and maturity of the company, but the time is dominated by preparation: building the policy, assessing the risks and collecting the evidence. The audit itself happens in two stages, and the certificate must be maintained with periodic audits.
Does certification guarantee our AI will never fail?
No. No standard removes risk. ISO/IEC 42001 proves the company manages AI risk in a structured way and improves continually, which reduces the chance and the impact of an incident, not to zero.
Does adopting the standard slow the team down?
That is not the goal. The standard helps you decide and prove AI use, not ban AI. Applied well, it gives the team freedom to use AI under clear rules, instead of everyone improvising on their own.

Related terms

Endpoint and Identity
MFAPAM (privileged access)SSO (single sign-on)
Detection and Response
EDRMDRXDRMITRE ATT&CKSIEMSOC (security operations center)
Network and Access
ZTNAFirewallVPNSASE
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessmentHIPAAPCI DSSGDPRCMMCCIS ControlsISO 42001 (AI management)NIST AI RMFNIST 800-171FTC SafeguardsISO 27701 (privacy)FedRAMPGRC (governance, risk, compliance)vCIOvCISO
Concepts and Fundamentals
Deep webZero TrustDefense in depthAttack surfaceEndpointLeast privilege
AI and Security
Shadow AIAI governancePrompt injectionOWASP LLM Top 10Deepfake