ISO/IEC 42001
ISO/IEC 42001:2023 is the international management-system standard for organizations that develop, provide, or use AI systems. It turns AI governance into documented organizational process rather than a one-time model review.
Definition
ISO/IEC 42001:2023, Information technology - Artificial intelligence - Management system, is an International Standard from ISO and IEC. ISO lists it as Edition 1 with a 2023-12 publication date, and IEC lists publication on December 18, 2023. The responsible committee is ISO/IEC JTC 1/SC 42, the artificial-intelligence standards committee.
The standard specifies requirements and provides guidance for establishing, implementing, maintaining, and continually improving an artificial intelligence management system, or AIMS, inside an organization. ISO describes an AIMS as the organizational policies, objectives, and processes used for responsible AI development, provision, or use.
ISO/IEC 42001 is not a model benchmark, product approval, legal safe harbor, or proof that a specific deployed system is fair, secure, or lawful. It is a management-system standard: it asks whether the organization has a governed process for AI.
Scope
The standard is aimed at organizations that provide or use AI-based products or services. Its unit is the organization and its AI management system, not a single chatbot, model card, dataset, or application release.
That distinction is central. A certified or well-documented AIMS can show that an organization has AI governance processes, but it does not automatically validate every AI system the organization builds or deploys. A hiring model, medical triage tool, coding agent, recommender system, and internal summarizer can still require separate impact assessment, testing, procurement review, monitoring, and recourse.
ISO frames ISO/IEC 42001 as a management system standard using the Plan-Do-Check-Act approach. In practical terms, that means governance is expected to cycle: set policy and objectives, operate processes, check evidence, and improve the system as AI uses and risks change.
How It Works
ISO/IEC 42001 is useful because AI risk is rarely contained in the model alone. The risk sits in data sourcing, model selection, vendor reliance, access controls, human workflow, monitoring, incident response, and the authority to stop or change a deployment.
The standard gives an organization a way to manage AI-related risks and opportunities across the business rather than treating each AI project as an isolated exception. It is therefore adjacent to, but different from, technical testing and legal compliance.
Other standards fill nearby roles. ISO/IEC 42005 covers AI system impact assessment. ISO/IEC 42006 sets requirements for bodies auditing and certifying AI management systems against ISO/IEC 42001. ISO/IEC 23894 gives guidance on AI risk management. The NIST AI Risk Management Framework supplies a voluntary U.S. risk-management vocabulary.
Governance and Safety
The governance value of ISO/IEC 42001 is evidence discipline. A serious AIMS should make it easier to identify who owns AI policy, which systems are in scope, how risks are reviewed, how suppliers are handled, how incidents are escalated, and how management learns from failures.
The safety limit is certification overreach. A management-system audit can examine organizational processes, but it cannot prove that every output, use case, integration, or downstream decision is safe. A certificate should be read as evidence about governance process, not as a blanket trust mark for all AI products.
Evidence Record
A credible ISO/IEC 42001 implementation should leave records that connect the management system to actual AI use: AI system inventory, risk criteria, roles, supplier records, impact assessments, testing evidence, human oversight plans, incident records, monitoring results, internal reviews, and corrective actions.
Without those records, "AIMS" becomes a label around informal practice. With them, the organization can show how AI authority is assigned, how risks are accepted or rejected, and when evidence requires a change.
Source Discipline
Do not collapse standards. ISO/IEC 42001 is an AI management-system standard. ISO/IEC 42005 is impact-assessment guidance. ISO/IEC 42006 is for bodies auditing and certifying AI management systems. ISO/IEC 23894 is AI risk-management guidance. They can be used together, but they do different work.
Do not collapse standards into law. Contracts, procurement rules, regulators, or internal policies can require ISO/IEC 42001 evidence, but the ISO page alone does not create a legal duty. For legal claims, cite the law or contract directly.
Spiralist Reading
ISO/IEC 42001 is bureaucracy pointed at the machine.
The useful part is not the badge. It is the demand that AI use become visible inside an organization: named owners, written objectives, risk records, review cycles, and corrective action. The danger is that the ritual becomes decorative, a certificate over systems whose real harms remain unexamined.
Open Questions
- What evidence should be public when an organization claims ISO/IEC 42001 certification?
- How should auditors test whether the management system changes real AI deployment decisions?
- When should a certified organization still be required to publish system-specific impact assessments?
- How should ISO/IEC 42001 apply to fast-changing agentic workflows and third-party models?
Related Pages
- AI Governance
- AI Audits and Assurance
- ISO/IEC 42005
- Algorithmic Impact Assessments
- NIST AI Risk Management Framework
- AI System Inventory
- AI Procurement
- AI Post-Market Monitoring
- AI Change Management
- Human Oversight of AI Systems
- AI Incident Reporting
Sources
- ISO, ISO/IEC 42001:2023 AI management systems, reviewed June 25, 2026.
- IEC Webstore, ISO/IEC 42001:2023, reviewed June 25, 2026.
- ISO, ISO/IEC 42005:2025 AI system impact assessment, reviewed June 25, 2026.
- ISO, ISO/IEC 42006:2025 Requirements for bodies providing audit and certification of artificial intelligence management systems, reviewed June 25, 2026.
- ISO, ISO/IEC 23894:2023 AI guidance on risk management, reviewed June 25, 2026.
- NIST, AI Risk Management Framework, reviewed June 25, 2026.