Framework guide

ISO/IEC 42001: the one AI framework you can actually be certified against.

ISO/IEC 42001:2023, published in December 2023, is the first international standard for an AI management system (AIMS), and among the major AI governance frameworks it is the only certifiable one. Three facts worth holding onto: ISO itself certifies nobody, accredited certification bodies do the auditing under ISO/IEC 42006:2025, and an AIMS audit runs on evidence. We are not ISO 42001 certified, and we say so on this page, because the disclosure test is the fastest way to sort real governance from marketing.

What the standard actually is

ISO/IEC 42001 is a management system standard, structural cousin to ISO 27001 for security and ISO 9001 for quality. It does not prescribe specific model techniques. It requires an organization to establish policies, assign accountability, assess AI risks and impacts, implement controls, keep records, and continually improve on a Plan-Do-Check-Act cycle. Because it uses the ISO Harmonized Structure, organizations already running 27001 or 9001 can integrate it rather than bolt it on. A companion standard, ISO/IEC 42005, covers AI system impact assessment.

Who certifies, and who does not

ISO publishes the standard but certifies no one. Certification is performed by independent certification bodies, which are themselves accredited by national accreditation bodies, and ISO/IEC 42006:2025 now sets the requirements those auditing bodies must meet. So a real ISO 42001 claim always has two checkable parts: a certificate number and the name of the accredited body that issued it. Ask for both. A vendor who answers with a logo and no certificate has answered your question.

Our honest disclosure

Article 11 AI is not ISO 42001 certified. What we operate, in public, is the layer an AIMS audit runs on: rules published as a plain-language constitution locked by a SHA-256 hash, receipts for actions, denials, and corrections in an append-only ledger, and tiered human oversight with quotas and a kill switch. That is the evidence discipline the standard's record-keeping and accountability requirements point at, published where any outsider can check it in minutes, no NDA required. If we pursue certification later, this page will say so, with the certificate number.

Relationship to the EU AI Act

ISO 42001 certification does not automatically make anyone compliant with the EU AI Act, but the two point in the same direction: risk management, documentation, record-keeping, and oversight. European harmonized standards work is expected to reference the 42000-series, which would strengthen that bridge. For the current legal dates, including what the 2026 Digital Omnibus changed and what it did not, see our EU AI Act key dates guide, and for the American voluntary counterpart, the NIST AI RMF explainer.

Sources

Primary sources: the ISO/IEC 42001 standard page and ISO's own explainer. Last verified: July 8, 2026. This page is plain-language education, not legal or compliance advice. See the procurement checklist for the ten questions that test any vendor's claims, or explore services.