AI Compliance Atlas
Structured, continuously verified reference for US AI compliance — federal frameworks, state laws, and the obligations that connect them.

© 2026 AI Compliance Atlas. Informational only — not legal advice. Consult qualified counsel before making compliance decisions.
Verified Jun 9, 2026
standard | International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) | v2023 | Certifiable

ISO/IEC 42001:2023 Information Technology — Artificial Intelligence — Management System

Framework reference — controls, obligations, and mapping to US state AI laws.

Last verified April 25, 2026

Type: standard
Version: v2023
Released: December 18, 2023
Certifiable: Yes

Overview

ISO/IEC 42001 is the world's first international standard for an Artificial Intelligence Management System (AIMS), published in December 2023 jointly by ISO and IEC. The standard specifies requirements for establishing, implementing, maintaining, and continually improving a management system for AI within an organization.

Like ISO 9001 (quality) and ISO 27001 (information security), 42001 follows the high-level structure for management-system standards (Annex SL) and is designed to be auditable and certifiable by third-party accredited bodies.

The standard includes core management-system clauses (context, leadership, planning, support, operation, performance evaluation, improvement) plus AI-specific Annexes:

  • Annex A — reference controls covering policy, internal organization, AI resources, impact assessment, system lifecycle, third-party relationships, and use information
  • Annex B — implementation guidance for the controls
  • Annex C — AI-related organizational objectives and risk sources
  • Annex D — domain or sector-specific use considerations

Certification provides a credible, internationally recognized signal of AI governance maturity that maps to obligations in the EU AI Act, NIST AI RMF, and emerging US state AI laws. Certification audits are typically conducted on a 3-year cycle.

Certification

ISO/IEC 42001 is certifiable via accredited certification bodies under ISO/IEC 17021-1. Certification typically requires a documented AI management system, internal audit, and external assessment by an accredited certification body.

Core controls & obligations

Specific controls and obligations from ISO/IEC 42001, with section references where available.

  • Governance | Role: both | Clauses 4-5

    Establish, implement, maintain, and continually improve an AI management system (AIMS) covering policies, leadership commitment, roles, and integration with other management systems.

  • Risk assessment | Role: both | Clause 6 + Annex A.5

    Conduct AI system impact assessments and risk assessments addressing intended uses, deployment context, affected stakeholders, and mitigation of identified risks per Annex A.5 controls.

  • Documentation | Role: both | Clause 8 + Annex A.6

    Maintain documentation throughout the AI system lifecycle including data management, system development, verification and validation, and deployment per Annex A.6 controls.

  • Transparency | Role: deployer | Clause 8 + Annex A.8

    Provide information to users and affected stakeholders about the AI system's intended use, capabilities, limitations, and how to interpret outputs per Annex A.8 controls.

Mapped to US state laws

Common controls in ISO/IEC 42001 that satisfy or overlap with US state AI law obligations. Mapping strength indicates how closely the framework control corresponds to the statutory requirement.

  • California Generative AI: Training Data Transparency | partial mapping
  • Transparency in Frontier Artificial Intelligence Act (TFAIA) | strong mapping
  • Colorado Artificial Intelligence Act | strong mapping
  • NYC Local Law 144 (Automated Employment Decision Tools) | partial mapping
  • Texas Responsible Artificial Intelligence Governance Act (TRAIGA) | partial mapping
  • Utah Artificial Intelligence Policy Act | weak mapping

Sources

  • Official: www.iso.org
