ISO/IEC 42006
ISO/IEC 42006:2025 is the ISO/IEC requirements standard for bodies that audit and certify artificial intelligence management systems against ISO/IEC 42001.
Definition
ISO/IEC 42006:2025, Information technology - Artificial intelligence - Requirements for bodies providing audit and certification of artificial intelligence management systems, is an International Standard from ISO and IEC. ISO lists it as Edition 1, published in July 2025, under ISO/IEC JTC 1/SC 42. The ISO and IEC pages identify the publication date as July 7, 2025, and list the document as 31 pages.
The standard addresses the certification bodies, not only the organizations seeking certification. Its subject is the competence, consistency, reliability, impartiality, and process discipline of bodies that audit and certify artificial intelligence management systems, usually shortened to AIMS, according to ISO/IEC 42001.
Scope
ISO/IEC 42006 is best read as an assurance-infrastructure standard. It specifies additional requirements to ISO/IEC 17021-1 for bodies performing audit and certification of an AIMS. IEC also describes AIMS certification as a third-party conformity assessment activity and says the document can be used as a criteria document for accreditation or peer assessment.
That scope is narrower than many public claims about AI certification. A certification body can assess whether an organization's AI management system conforms to ISO/IEC 42001, but that does not prove that every model, dataset, interface, vendor dependency, or deployed use case inside the organization is safe, lawful, fair, or fit for a particular setting. The certificate attaches to a management system and its audited scope. It should not be converted into a blanket claim about all AI outputs.
Relationship to ISO/IEC 42001
ISO/IEC 42001 specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS within an organization. ISO/IEC 42006 sits one layer above that organizational system. It asks what must be true of the bodies that audit and certify those systems, including their competence and procedures for assessing organizations that provide, develop, or use AI systems.
The distinction matters. ISO/IEC 42001 is about the management system inside the audited organization. ISO/IEC 42006 is about the certifier's ability to audit that management system credibly. ISO/IEC 23894, by contrast, gives AI risk-management guidance; ISO/IEC 42005 gives impact-assessment guidance. The standards can reinforce one another, but they do different work in the assurance chain.
Governance and Safety
The practical value of ISO/IEC 42006 is that it professionalizes the people and institutions who issue AIMS certificates. As AI governance becomes a market, buyers, regulators, boards, and insurers will be tempted to treat certification marks as shorthand for real assurance. That shorthand is only useful when the certifier has relevant competence, clear audit methods, independence, documented evidence, and a defensible scope.
For agentic and generative systems, this is especially important. A management system can look orderly while the deployed system depends on changing prompts, retrieval sources, tool permissions, third-party models, identity infrastructure, human review, and post-market monitoring. A serious certification practice should test whether those dependencies are governed, not merely whether an organization has policy language.
Evidence Record
A strong ISO/IEC 42006-aligned audit record should make the certification decision reconstructable. It should identify the audited scope, applicable ISO/IEC 42001 requirements, audit team competence, conflicts and impartiality controls, sampling choices, evidence reviewed, unresolved findings, corrective actions, surveillance plan, and the basis for granting, refusing, suspending, or withdrawing certification.
The record should also preserve what the certificate does not cover. If a certified organization launches a new model family, adds autonomous tool use, changes cloud providers, enters a regulated sector, or deploys into a new jurisdiction, the certifier and customer need a way to know whether the old audit still says anything useful.
Source Discipline
Use the official ISO page for the title, reference number, responsible committee, status, edition, publication month, page count, and the plain-language description of the standard. Use the IEC Webstore page for the July 7, 2025 publication date, the page count, and the description of third-party conformity assessment. Use the ISO/IEC 42001 page for claims about the underlying AI management-system standard. Use NIST sources only for NIST AI RMF claims; NIST AI RMF is voluntary and is not a certification-body standard.
Spiralist Reading
ISO/IEC 42006 is a ritual for auditing the auditors. The first ritual asks an organization to write down how it governs AI. The second asks who is allowed to say that the first ritual was performed well enough.
Spiralism treats that second question as political. Certification can discipline organizations, but it can also launder uncertainty into a logo. The useful certificate is not the one that ends doubt. It is the one that leaves a trail of scope, method, evidence, exceptions, and limits, so that later reviewers can see exactly what was inspected and what was not.
Open Questions
- How specific should AIMS certificates be about the AI systems, units, geographies, and lifecycle stages included in scope?
- What audit-team competence is necessary for systems using generative models, agent tools, or high-impact decision support?
- When should a model update, vendor change, or new deployment context trigger reassessment?
- How should certification bodies explain residual uncertainty to customers and affected communities?
- What evidence should buyers demand before treating an ISO/IEC 42001 certificate as relevant to a particular AI product?
Related Pages
- AI Governance
- AI Audits and Assurance
- ISO/IEC 42001
- ISO/IEC 23894
- ISO/IEC 42005
- NIST AI Risk Management Framework
- AI Safety Cases
- AI Post-Market Monitoring
- AI System Inventory
- AI Procurement
Sources
- ISO, ISO/IEC 42006:2025 Artificial intelligence - Requirements for AIMS audit and certification bodies, reviewed June 25, 2026.
- IEC Webstore, ISO/IEC 42006:2025, reviewed June 25, 2026.
- ISO, ISO/IEC 42001:2023 Artificial intelligence management system, reviewed June 25, 2026.
- NIST, AI Risk Management Framework, reviewed June 25, 2026.