◆ XILIGENT FIELD NOTES · AI GOVERNANCE
Field Notes · Issue 03 · APR 26, 2026

ISO 42001 Explained: The World's First AI Management System Standard

The first international standard for an AI Management System — and the operating model that turns "responsible AI" rhetoric into an auditable, continually improving discipline.


In 2026, every organisation that builds, deploys, or even meaningfully uses AI is being asked the same question — by customers, regulators, investors, and internal risk committees — and most are still working out how to answer it.

How do you govern your AI?

It is a deceptively simple question. The honest answers — we have an internal policy, we use the OpenAI API, our data science team is careful — increasingly fail to satisfy the people asking. The pattern that worked for cybersecurity over the last fifteen years (start with ad-hoc practices, formalise into policies, eventually pursue ISO 27001) is now repeating for AI, just compressed into a much shorter window.

ISO/IEC 42001 is the standard that has emerged at the centre of that compression. Published in December 2023, it is the world's first international standard for an Artificial Intelligence Management System (AIMS), and the only AI governance framework that organisations can be formally certified against by an accredited third party.

This post is a ground-up explainer: what ISO 42001 actually is, how it is structured, who needs it, how it relates to the EU AI Act, and why 2026 has become the decisive year for adoption.


What ISO 42001 Actually Is

ISO 42001 — formally ISO/IEC 42001:2023, Information technology — Artificial intelligence — Management system — is a management system standard. That single phrase carries most of what you need to understand about the standard's character.

A management system standard does not certify a specific product or technical artefact. It does not test whether your machine learning model is accurate, fair, or safe at a particular moment in time. What it certifies is that your organisation has a deliberate, documented, leadership-driven framework for managing AI responsibly across its full lifecycle — from the decision to build or buy a system, through its design, deployment, monitoring, and eventual retirement.

If that sounds familiar, it should. ISO 42001 follows the same Plan-Do-Check-Act structure as ISO 9001 (quality management) and ISO 27001 (information security management). It uses the harmonised "Annex SL" structure that runs through most modern ISO management system standards, which is part of why organisations already certified to ISO 27001 find the journey to ISO 42001 considerably shorter than starting fresh.

What makes ISO 42001 distinct is what it asks the management system to govern: artificial intelligence specifically, with all the unusual properties that brings — opacity, data dependence, the capacity to learn and drift, the potential to affect people's lives in ways traditional software does not.

What an AI Management System Actually Looks Like

The heart of ISO 42001 is the AIMS — the AI Management System. The simplest definition: a coordinated set of policies, processes, roles, and controls through which an organisation governs the responsible development, provision, and use of AI systems.

A mature AIMS answers questions like:

  • What AI systems do we have? (Including the ones embedded in vendor platforms.)
  • Who is accountable for each one?
  • What risks do they create — to the organisation, to individuals, to society?
  • What controls do we apply to manage those risks?
  • How do we know whether those controls are working?
  • How do we improve the system as the technology, the regulation, and our use cases evolve?

That last point is what differentiates a real AIMS from a one-time compliance exercise. ISO 42001 explicitly requires continual improvement. Certification is valid for three years, with annual surveillance audits and a full recertification at the end of the cycle. The standard assumes — correctly — that AI risk is not a static problem.

How the Standard Is Structured

ISO 42001 is organised into two layers: the main clauses and Annex A.

The main clauses (Clauses 4 through 10)

These specify the requirements of the management system itself. Read in sequence, they describe how an organisation should set up, run, and improve its AIMS:

  • Clause 4 — Context of the organisation: Understand your internal and external environment, identify stakeholders, and define the scope of the AIMS — including which AI systems and which parts of the business are covered.
  • Clause 5 — Leadership: Top management must own the AIMS, set an AI policy, and assign clear roles and responsibilities.
  • Clause 6 — Planning: AI risk assessment, AI risk treatment, and a uniquely important addition — AI system impact assessment, which evaluates the effect of AI on individuals and society, not just on the organisation.
  • Clause 7 — Support: Resources, competence, awareness, communication, and documented information.
  • Clause 8 — Operation: Implementation in practice — operational planning, lifecycle management, risk and impact assessments executed in real conditions.
  • Clause 9 — Performance evaluation: Monitoring, measurement, internal audits, and management review.
  • Clause 10 — Improvement: Nonconformities, corrective action, continual improvement.

The structural similarity to ISO 27001 is intentional. Organisations with a mature ISMS can layer the AIMS on top, reusing the underlying management discipline rather than building a parallel system from scratch.

Annex A — the AI control reference set

Annex A provides a catalogue of AI-specific controls that organisations can choose from to treat the risks they identify. The current edition contains roughly 38 controls organised into 9 control domains:

  1. Policies related to AI — the AI policy and supporting policies
  2. Internal organisation — roles, responsibilities, governance structures, reporting concerns
  3. Resources for AI systems — data, tooling, computing, human resources
  4. Assessing impacts of AI systems — the AI impact assessment process and documentation
  5. AI system lifecycle — controls across design, development, verification, deployment, operation, and retirement
  6. Data for AI systems — data governance, quality, provenance, and management
  7. Information for interested parties — transparency obligations to users, subjects, and other stakeholders
  8. Use of AI systems — controls on how AI systems are deployed and used in practice
  9. Third-party and customer relationships — supply chain and downstream user controls

As with ISO 27001, organisations document their decisions about each control in a Statement of Applicability (SoA), indicating which controls they have implemented and justifying any they have excluded.

Three other annexes are worth knowing about: Annex B provides implementation guidance for the controls in Annex A, Annex C maps AI-related objectives to organisational risk sources, and Annex D provides sector-specific guidance and links to related standards.

Three Roles, Not Two

Most management system standards distinguish between two parties: the certifying organisation and the customer. ISO 42001 expands this and explicitly recognises three categories of organisations to which it applies:

  • AI providers — organisations that develop or place AI systems on the market
  • AI producers — organisations that design, develop, test, and deploy AI systems (often overlapping with providers)
  • AI users — organisations that deploy and use AI systems in their operations, even if they did not build them

The third category matters more than first-time readers often realise. ISO 42001 applies to organisations using AI — not just to those building it. A bank using a third-party fraud detection model, an HR team deploying a CV-screening tool, a marketing function running campaigns through generative AI — all are in scope. The governance burden is calibrated to the role, but the standard does not let deployers off the hook simply because they did not write the model.

For Indian organisations, this is significant. Most Indian companies are AI users today, not foundation model builders. ISO 42001 applies to them squarely.

What ISO 42001 Adds That Existing Standards Do Not

It is reasonable to ask why ISO 42001 needs to exist at all if an organisation is already certified to ISO 27001 and has policies covering data protection, model risk, and software quality. The honest answer is that existing standards cover important parts of AI governance but leave specific gaps:

  • ISO 27001 covers information security and the confidentiality, integrity, and availability of data. It does not cover model bias, model drift, or the societal impact of AI decisions.
  • ISO 27701 extends ISO 27001 to privacy management. It addresses how personal data is processed but not how AI systems are governed across their lifecycle.
  • NIST AI RMF is a voluntary risk management framework — a methodology, not a certifiable standard.
  • The EU AI Act is binding legislation, but it tells you what to achieve, not how to organise yourself to achieve it.

ISO 42001 fills the operational management-system gap. It is the operating model that turns AI governance principles into a documented, auditable, continually improving discipline. It is also the only AI standard against which an organisation can earn a third-party-issued certificate today.

The EU AI Act Connection — Why 2026 Is Decisive

The single biggest force behind ISO 42001's rapid adoption is the EU AI Act's phased enforcement timeline. The Act entered into force on 1 August 2024 and applies its obligations in waves:

Date and obligations that take effect:

  • 2 February 2025: Prohibited AI practices banned. AI literacy obligations begin for providers and deployers.
  • 2 August 2025: General-purpose AI (GPAI) model obligations begin. National competent authorities, the AI Office, and governance infrastructure become operational.
  • 2 August 2026: High-risk AI system requirements (Annex III) take full effect, covering AI in employment, education, credit, critical infrastructure, law enforcement, and similar areas.
  • 2 August 2027: Extended deadline for high-risk AI embedded in regulated products such as medical devices and vehicles.

The August 2026 deadline is what is driving most of the current activity. High-risk AI providers and deployers selling into the EU need a defensible governance posture by then, and ISO 42001 is the most operationally complete framework available to demonstrate one.

The relationship between ISO 42001 and the EU AI Act is worth stating precisely: ISO 42001 certification is not the same as EU AI Act compliance, but it builds the management infrastructure that EU AI Act compliance requires. Article 9 (risk management), Article 10 (data governance), Article 11 (technical documentation), Article 14 (human oversight), and Article 72 (post-market monitoring) all map onto specific clauses and Annex A controls of ISO 42001. Estimates of overlap range between 40% and 60% depending on the specific use case.

A separate process is underway at CEN-CENELEC — Europe's standards bodies — to adapt ISO 42001 into a European Norm (the draft prEN ISO/IEC 42001 was circulated for public enquiry from November 2025 to February 2026). Once that process completes and the standard is published in the EU's Official Journal, ISO 42001 certification will move from "useful preparation" to "presumption of conformity" with parts of the AI Act. That is a material upgrade in legal weight.

For Indian organisations selling to EU customers, the practical takeaway is unchanged: implement ISO 42001 now, layer EU AI Act-specific requirements on top, and you have a defensible position when the August 2026 obligations bite.

Who Actually Needs ISO 42001

ISO 42001 is voluntary. Whether to pursue certification is a market and risk question, not a legal one. The strongest current drivers:

Companies selling AI-enabled products to enterprise buyers. Procurement teams are increasingly adding ISO 42001 to security and compliance questionnaires. The pattern that played out with ISO 27001 over the last decade is repeating, faster.

Companies selling into the EU. Whether or not your AI is classified as "high-risk" under the EU AI Act, ISO 42001 certification is becoming a default trust signal for European customers and regulators.

Organisations in regulated industries — financial services, healthcare, critical infrastructure. These sectors already operate under risk-management expectations that AI deployment intensifies. ISO 42001 provides a defensible governance backbone.

Indian IT services and BPO firms operating client AI systems. As AI delivery becomes a larger share of services revenue, client contracts are starting to require AIMS certification — much as they once started requiring ISO 27001.

Organisations that have made public AI commitments. Publicly committing to "responsible AI" without an auditable management system is increasingly seen by regulators and the press as a credibility risk. ISO 42001 gives those commitments operational substance.

Companies preparing for fundraising or M&A. AI governance maturity is now a standard line item in technical due diligence at growth and late stages.

It is worth being honest about who does not need it yet. A small organisation using mainstream AI tools (Copilot, ChatGPT, Gemini) without building or operating its own AI systems may be better served, today, by an internal AI usage policy and a watching brief on regulation. The cost-benefit shifts as soon as you start integrating AI into customer-facing products or making decisions about people with AI assistance.

Adoption Signals: Where the Market Is

Adoption has moved faster than most observers predicted when the standard was published in late 2023. By 2026, certified organisations include major enterprise AI vendors — Microsoft (for AI services within its 365 ecosystem), SAP (for its Joule and AI Core platforms), and several large foundation model and applied-AI providers — alongside professional services firms, SaaS companies, and operationally critical infrastructure providers in Asia-Pacific.

Major certification bodies (BSI, DNV, TÜV SÜD, NSF, A-LIGN, and others) have operationalised ISO 42001 audit services. The companion auditor competence standard, ISO/IEC 42006, was finalised in 2025, which has improved consistency in audit quality — a meaningful signal for buyers evaluating certificates.

The trajectory mirrors what happened with ISO 27001 between roughly 2010 and 2018: from "nice differentiator" to "expected baseline" in a relatively short window. Organisations pursuing ISO 42001 in 2026 are still ahead of the curve, but the curve is steepening fast.

Cost and Timeline

For a moderately complex organisation, realistic benchmarks for first-time ISO 42001 certification are:

  • Timeline: 6 to 12 months from kickoff to certification, with 8 to 9 months typical. Organisations already certified to ISO 27001 can often compress this.
  • Direct costs: Certification body fees (Stage 1 documentation audit + Stage 2 implementation audit), the ISO standards documents themselves, training, and any consulting or platform support.
  • Indirect costs: Internal time across data science, engineering, legal, risk, and leadership functions; AI inventory work; tooling for AI lifecycle monitoring and evidence collection.

The single most consistent finding from early implementations: organisations underestimate their AI inventory at the scoping stage. Once you start looking systematically, you find AI in places you did not expect — in vendor SaaS platforms, in marketing tools, in HR software, in features your engineering teams shipped without flagging them as AI. Plan for the inventory to grow, not shrink, as the project progresses.

How to Start

If you are considering ISO 42001 seriously, the most effective sequence in our experience is:

  1. Confirm the commercial driver. EU AI Act exposure, an enterprise customer asking, an investor expectation, a regulatory mandate — be specific. "We should be more responsible with AI" is true but not enough to sustain a 9-month project.
  2. Build the AI system inventory. Before scoping the AIMS, know what AI you actually have. Include third-party tools.
  3. Run a gap analysis. Compare your current state against Clauses 4–10 and the Annex A controls. The output is your remediation roadmap.
  4. Define a sensible scope. Most first-time projects scope too broadly. It is better to certify a defined set of products and operations well than to attempt enterprise-wide coverage on the first pass.
  5. Build the AIMS. Risk assessment, impact assessment, Statement of Applicability, policies, controls, evidence collection. This is where most of the project time lives.
  6. Operate it. Auditors want to see the system running, not just designed. Three to six months of operational evidence is typical.
  7. Internal audit and management review. Required precursors to external audit.
  8. Engage a certification body. Choose one whose accreditation specifically covers ISO 42001 — auditor competence in AI is uneven, and an accredited certificate from a credible body is materially more valuable than one without.

A Closing Note

ISO 42001 is not the answer to every question about responsible AI. It will not, by itself, make a model fair, an organisation ethical, or a regulator satisfied. A poorly implemented AIMS — paper-heavy, leadership-light, disconnected from how AI actually flows through the business — is an expensive way to learn this lesson, just as it is with ISO 27001.

What ISO 42001 does offer is a structured, auditable, continually improving discipline for governing AI in organisations that have moved past the experimentation phase. For the growing number of Indian companies building AI products, deploying AI in regulated workflows, or selling AI-enabled services to global customers, that discipline is no longer optional — it is the operating cost of doing business credibly in 2026.

The question is not whether AI governance will become a standard expectation. It already has. The question is whether your organisation builds that governance proactively, on its own timeline — or reactively, on someone else's.


If you are scoping an ISO 42001 implementation in 2026 — whether as a standalone project or as an extension of an existing ISO 27001 management system — the highest-leverage early steps are an honest AI system inventory and a defensible scoping decision. Both repay the time invested several times over later in the project.

© Xiligent 2026 · All rights reserved