Skip to content
IAC Verifiable Registry
Verify code

Editorial · Standards & Research

ISO/IEC 42001 and the accreditation of an AI management system

A commercial noise about "AI certification" grew around ISO/IEC 42001 that is worth ordering. The standard defines a management system, not a technical seal over a model. This reading separates what 42001 requires, how the AI evaluation chain works and the real state of its accreditation today.

Published 2026-06-17 International Accreditation Center Institutional analysis

What 42001 solves

ISO/IEC 42001:2023 is the first international management-system standard dedicated to artificial intelligence: an AIMS, an AI management system. It does not evaluate a specific model nor certify that an algorithm is "safe" or "unbiased". It establishes how an organization governs, over time, the design, acquisition, deployment and use of its AI systems.

The distinction matters because the commercial noise erases it. An organization does not certify its AI: it certifies that it has a system to manage the risks and the impacts of that AI, auditable against requirements. The object of the evaluation is the organization and its governance, not the technological piece in isolation. That is the difference between a management system and a product test.

42001 shares the high-level structure of the rest of the ISO management standards. Whoever already operates under ISO 9001 or ISO/IEC 27001 recognizes the scaffolding: context, leadership, planning, support, operation, evaluation and improvement. What is specific to AI lives in Annex A and in the concepts proper to the domain, such as the AI system impact assessment.

An organization does not certify its AI: it certifies that it has a system to govern it, auditable against requirements.

The structure: clauses 4-10 and Annex A

Like every management system, 42001 is organized into auditable clauses, from 4 to 10. The first three clauses are references and terms; the certifiable content begins at 4. One precision is worth making, as it is often confused: clause 8.4 is the AI system impact assessment, not human oversight, which belongs to the use domain of Annex A.

  1. 4 Context of the organization

    Defines the scope of the AI management system, the interested parties and the internal and external factors that condition the responsible use of AI.

  2. 5 Leadership

    Requires top-management commitment, an AI policy and a clear assignment of roles and responsibilities over the AI systems.

  3. 6 Planning

    Identifies risks and opportunities, sets objectives and links the risk assessment to the selection of Annex A controls.

  4. 7 Support

    Covers resources, competence, awareness, communication and documented information that sustain the system.

  5. 8 Operation

    Turns planning into practice. Clause 8.4 corresponds to the AI system impact assessment (AIIA), not to human oversight.

  6. 9 Performance evaluation

    Defines monitoring, measurement, internal audit and management review of the management system.

  7. 10 Improvement

    Closes the cycle: 10.1 continual improvement and 10.2 nonconformity and corrective action.

Annex A gathers the AI-specific controls that the organization selects according to its risk assessment. It adds up to 38 controls organized in 9 groups. The count is not an ornamental detail: the scope of the system is built on which controls apply, which are discarded and with what justification.

  1. A.2 AI policies

    3 controls.

  2. A.3 Internal organization

    2 controls.

  3. A.4 Resources for AI systems

    5 controls.

  4. A.5 Assessing impacts of AI systems

    4 controls.

  5. A.6 AI system life cycle

    9 controls.

  6. A.7 Data for AI systems

    5 controls.

  7. A.8 Information for interested parties

    4 controls.

  8. A.9 Use of AI systems

    3 controls.

  9. A.10 Third parties and customers

    3 controls.

Clause 10 closes the improvement cycle in two components: 10.1 continual improvement and 10.2 nonconformity and corrective action. The management of AI, like any management system, is not demonstrated with a founding document, but with its maintenance over time.

The evaluation chain for AI

Whether a 42001 certificate means anything depends on the chain that backs it. That chain has three links, each with its reference standard and its own function. The first evaluates the organization; the second, the body that evaluates it; the third sustains recognition across borders.

  1. 01 Certification of the organization

    A certification body audits the organization’s AI management system against ISO/IEC 42001 and, where appropriate, issues the certificate. The activity is governed by ISO/IEC 17021-1:2015, the requirements standard for bodies that certify management systems.

  2. 02 Accreditation of the body

    An accreditation body evaluates the technical competence of that certification body within the AI scope. The accreditation of bodies is governed by ISO/IEC 17011:2017. It is the link that sustains trust in the certificate issued.

  3. 03 International recognition

    International cooperation sustains mutual recognition between national accreditation bodies. The IAF performed that function until it ceased operations on 1 January 2026; since then this level has been in transition.

The scheme is the same one that sustains any certifiable management system. The general structure of the chain —certification body, national accreditation body, international recognition— is developed in The global trust map 2026, which documents the IAF’s closure and the reordering of the international level. The difference between accrediting and certifying —who does what, and why they must stay apart— is set out in Accreditation vs. certification.

The real state of 42001 accreditation

Here the candor that the market avoids is in order. The 42001 standard exists and is auditable; the accreditation chain that gives it full international recognition is still forming. The accreditation schemes specific to 42001, the sectoral criteria and the competence of the auditors are consolidating, and they advance at different rates depending on the national body.

The practical result is that today certificates issued under different degrees of backing coexist. Each one is best read by its concrete chain —which body certified, under what accreditation, with what scope— rather than by the acronym of the standard. The question is not whether 42001 is useful, but what sustains a particular 42001 certificate.

42001 and the EU AI Act

42001 is a voluntary management standard; the European AI Act is mandatory legislation within its scope. They are not interchangeable. A well-implemented management system orders the evidence, processes and responsibilities that help demonstrate regulatory compliance, but certifying 42001 does not amount to complying with the AI Act, nor does the AI Act require 42001 certification.

The AI Act application calendar is relevant for planning, with an explicit caveat: the dates were modified by the Digital Omnibus 2026, pending formal adoption. For that reason they are best treated as a reference subject to confirmation, not as closed milestones.

AI Act calendar · subject to the Digital Omnibus 2026

2 August 2026
Transparency obligations (article 50) under the current calendar. Date modified by the Digital Omnibus 2026, pending formal adoption.
2 December 2027
High-risk systems under Annex III, under the current calendar and subject to the same Digital Omnibus caveat.
2 August 2028
High-risk systems associated with products under Annex I, under the current calendar and the same caveat.

How to prepare and how to verify

Useful preparation does not begin with the certificate, but with the diagnosis. An organization weighing 42001 can inventory its AI systems, map their impacts against the Annex A groups and review what governance already exists under other management systems. The design of the system precedes the audit; the audit does not invent what the organization did not do.

On the side of whoever receives a 42001 certificate —a buyer, a compliance area, a third-party auditor— verification follows the circuit of any certificate: identify the issuing body, confirm its accreditation within the AI scope and match the declared scope against the concrete decision. The broader map of standards and the conformity-assessment chain is in Standards & Research; any credential with an IAC code is checked at /verify.

From the standard to the evidence

AI governance is demonstrated with verifiable evidence.

42001 orders the system; verification orders the trust. Read a certificate by its concrete chain, and check any credential with a public code directly, without intermediaries.