ISO/IEC 42001:2023 Information Technology — Artificial Intelligence — Management System
Overview
ISO/IEC 42001 is the world's first international standard for an Artificial Intelligence Management System (AIMS), published in December 2023 jointly by ISO and IEC. The standard specifies requirements for establishing, implementing, maintaining, and continually improving a management system for AI within an organization. Like ISO 9001 (quality) and ISO 27001 (information security), 42001 follows the high-level structure for management-system standards (Annex SL) and is designed to be auditable and certifiable by third-party accredited bodies.

The standard includes core management-system clauses (context, leadership, planning, support, operation, performance evaluation, improvement) plus AI-specific Annexes:

- **Annex A** — reference controls covering policy, internal organization, AI resources, impact assessment, system lifecycle, third-party relationships, and use information
- **Annex B** — implementation guidance for the controls
- **Annex C** — AI-related organizational objectives and risk sources
- **Annex D** — domain or sector-specific use considerations

Certification provides a credible, internationally recognized signal of AI governance maturity that maps to obligations in the EU AI Act, NIST AI RMF, and emerging US state AI laws. Certification audits are typically conducted on a 3-year cycle.
Certification
Certifiable via accredited certification bodies under ISO/IEC 17021-1.
Core controls / obligations
- governance: Clauses 4-5
Establish, implement, maintain, and continually improve an AI management system (AIMS) covering policies, leadership commitment, roles, and integration with other management systems.
- risk assessment: Clause 6 + Annex A.5
Conduct AI system impact assessments and risk assessments addressing intended uses, deployment context, affected stakeholders, and mitigation of identified risks per Annex A.5 controls.
- documentation: Clause 8 + Annex A.6
Maintain documentation throughout the AI system lifecycle including data management, system development, verification and validation, and deployment per Annex A.6 controls.
- transparency: Clause 8 + Annex A.8
Provide information to users and affected stakeholders about the AI system's intended use, capabilities, limitations, and how to interpret outputs per Annex A.8 controls.
Mapped to state laws
Common controls in ISO/IEC 42001 that satisfy or overlap with US state AI law obligations.
- partial: California Generative AI: Training Data Transparency
- strong: Transparency in Frontier Artificial Intelligence Act (TFAIA)
- strong: Colorado Artificial Intelligence Act
- partial: NYC Local Law 144 (Automated Employment Decision Tools)
- partial: Texas Responsible Artificial Intelligence Governance Act (TRAIGA)
- weak: Utah Artificial Intelligence Policy Act
Sources
Last verified: April 25, 2026