ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence. It defines requirements for establishing, implementing, maintaining, and continually improving an Artificial Intelligence Management System (AIMS). In structure it is similar to ISO 27001 (information security) and ISO 9001 (quality management): a Plan-Do-Check-Act loop wrapped around AI-specific controls.
ISO 42001 does not certify a model or an AI product. It certifies an organization’s management system for AI. That distinction matters for buyers who see vendors claiming “ISO 42001 compliance” — what is being certified is the management system, not the underlying technology.
Three reasons.
First, certification is now meaningfully adopted. Microsoft, Anthropic, BCG, UiPath, Pegasystems, and Talkdesk are among the companies whose ISO/IEC 42001 certifications were publicly announced (the signal here is LinkedIn posts) during late 2024 and 2025. The standard has crossed the threshold from “interesting paper” to “buyer expectation,” particularly for vendors selling AI-powered services into regulated industries.
Second, ISO 42001 maps cleanly onto other frameworks security teams already operate. The NIST AI Risk Management Framework’s four functions (Govern, Map, Measure, Manage) overlap heavily with ISO 42001’s clauses. Organizations that have implemented NIST AI RMF have done most of the foundational work already.
Third, the EU AI Act’s Article 16 obligations for high-risk AI providers — quality management, technical documentation, logging, conformity assessment, corrective action, and registration — overlap substantially with ISO 42001 controls. Implementing ISO 42001 produces evidence usable in an EU AI Act conformity assessment.
The checklist has 25 items grouped into five categories:
Leadership commitment, AI policy, roles and responsibilities.
AI risk assessment, treatment, residual risk acceptance.
Design, development, validation, deployment, decommissioning.
Change management, incident response, supplier management.
Performance, audit, management review, continual improvement.
Each item includes a status (Not started / In progress / Complete), a brief evidence note (what artifact demonstrates this is in place), and a NIST AI RMF / EU AI Act overlap note where relevant.
Evidence: signed AI policy, agenda item in board minutes. NIST AI RMF: Govern function. EU AI Act: Article 16(a).
Evidence: the document; communications log.
Evidence: RACI matrix or org chart with named owners for AIMS, model risk, data governance, incident response.
Evidence: AI objectives document with measurable targets.
Evidence: training records, competency framework.
Evidence: risk methodology doc. NIST AI RMF: Map function.
Evidence: risk register with named systems.
Evidence: change records.
Evidence: incident playbook, drill records. EU AI Act: Article 16(j).
Evidence: supplier risk assessments. NIST AI RMF: Manage function.
Evidence: logging architecture, retention policy. EU AI Act: Article 12 (logging obligation for high-risk systems).
Evidence: runbooks, on-call rosters, SLOs.
Evidence: improvement actions traceable to audit findings or KPIs.
The 25-item checklist maps onto the four NIST AI RMF functions and onto specific EU AI Act articles as follows:

| Checklist category           | NIST AI RMF function | EU AI Act overlap                                                      |
|------------------------------|----------------------|------------------------------------------------------------------------|
| Leadership, policy, roles    | Govern               | Article 16(a) — quality management system                              |
| Risk                         | Map, Measure         | Article 9 — risk management system                                     |
| Lifecycle                    | Map, Measure         | Articles 10, 11, 14 — data, technical documentation, human oversight   |
| Operations                   | Manage               | Articles 12, 16(j) — logging, corrective action                        |
| Performance and improvement  | Measure, Manage      | Article 17 — post-market monitoring (where applicable)                 |
Walk through the 25 items with the heads of AI governance, security, data, and engineering. Mark status, note evidence, and identify the top three gaps to close in the next quarter. Most organizations finish this in four hours.
Use the checklist as the starting point for a formal ISO 42001 readiness gap assessment. Engage an accredited certification body for the formal Stage 1 audit; use the gap assessment to schedule the corrective work between Stage 1 and Stage 2.
Apply the checklist to AI vendors as part of third-party risk assessment. The framework gives buyers a more useful structure than a free-text questionnaire and produces evidence usable in EU AI Act vendor due diligence.
Most organizations cannot complete all 25 items in parallel. The sequence we recommend, based on observed patterns in successful certification programs:
Items 1-10. Foundation. Without leadership commitment, an AI policy, and a working risk register, the rest of the program does not have the structural support to succeed.
Items 11-15. Codify the design, validation, deployment, and decommissioning processes. Most engineering organizations have informal versions of these; the work is to formalize and document them.
Items 16-20. Change management, incident response, supplier risk, logging, and operational handover. Logging architecture is the single longest-lead-time item; start it in month one even though the formal item is sequenced here.
Items 21-25. Internal audit, management review, corrective actions, continual improvement. This is the structural piece that closes the Plan-Do-Check-Act loop.
Engage the certification body for Stage 1 (documentation review), close findings, schedule Stage 2 (operational audit), close findings, achieve certification.
Three practical points.
First, choose an accredited certification body. ISO accreditation is published; verify that the body holds accreditation for ISO/IEC 42001 specifically (some bodies offer 27001 but not 42001 yet). The pool of bodies accredited for 42001 is smaller than for 27001 and queues are longer.
Second, engage early. Stage 1 / Stage 2 cycles take a few weeks each, but the queue to start can be months. Engage the certification body when you are 60-70% through the readiness work, not after you finish.
Third, treat the gap assessment as preparation, not pre-audit. The gap assessment is internal; it produces a candid view of where the program stands. The Stage 1 audit is external; it produces a formal record. Use the gap assessment to close the obvious gaps before Stage 1 so the formal record is as clean as possible.