Framework · Compliance Enablers

ISO 42001

AI Governance You Can Certify — and Demonstrate

ISO/IEC 42001 is the management-system standard for trustworthy AI. Stand up an AI management system with an AI system registry, model cards, risk classification, and bias testing — on a platform that governs its own AI the same way.

Who needs it: Any organization deploying AI in products or operations — especially SaaS vendors whose enterprise customers now ask AI questions in security reviews, and AI companies selling globally.

  • 1st: Certifiable AI Management Standard
  • Annex SL: Shared Structure with ISO 27001
  • 4: EU AI Act Risk Tiers Supported
  • 13: Sage AI Agents — Governed

The framework

What is ISO 42001?

ISO/IEC 42001:2023 is the world's first certifiable management-system standard for artificial intelligence (an AIMS — AI Management System). Like ISO 27001 for information security, it uses the Annex SL structure: organizational context, leadership and AI policy, planning, support, operation, performance evaluation, and continual improvement — plus Annex A controls covering the AI system lifecycle, impact assessments, data and model governance, and third-party AI.

It certifies how you govern AI rather than any single model: AI inventories, documented risk and impact assessments, human oversight, transparency to affected parties, and supplier due diligence. That makes it complementary to the EU AI Act (a law you must comply with) and NIST AI RMF (a voluntary framework) — one management system can evidence all three.

Demand is commercial, not theoretical: enterprise buyers now push AI-governance questionnaires onto every vendor that ships AI features. A working AIMS turns those questionnaires from a fire drill into a lookup.

The requirements

What you'll need to satisfy.

The core categories ISO 42001 auditors evaluate — and what we ship to cover each one.

AIMS Core (Clauses 4–10)

  • Organizational context and scope of the AIMS
  • Leadership commitment and AI policy
  • Planning: AI risk and opportunity treatment
  • Support: competence, awareness, documentation
  • Operational planning and control
  • Performance evaluation and internal audit
  • Management review and continual improvement

AI System Lifecycle

  • AI system inventory and registry
  • Design and development controls
  • Verification and validation
  • Deployment and monitoring
  • Decommissioning and retirement

AI Impact Assessment

  • System impact assessments for individuals and society
  • Affected-party analysis
  • Risk classification and documented treatment
  • Records maintained for auditors and regulators

Data & Model Governance

  • Training-data provenance and quality
  • Model documentation and model cards
  • Bias and fairness testing
  • Human oversight of AI decisions

Third-Party AI

  • Supplier AI due diligence
  • API and model vendor management
  • Transparency obligations to customers
  • Contractual AI commitments tracked

Before → After

The problem we solve.

Why teams pick Compliance Enablers for ISO 42001 compliance.

Common challenges

  • Enterprise security reviews now include AI-governance sections — "show us your AI policy and inventory" is the new "show us your SOC 2"
  • The EU AI Act timeline overlaps your ISO 42001 work, and running them as separate projects doubles the effort
  • AI inventories live in spreadsheets — nobody can say which models, vendors, and use cases are actually in production
  • Most GRC tools bolted AI governance on as a policy-template pack: no registry, no model cards, no testing workflows

What we provide

  • AI Governance module operational today: AI system registry, model cards, risk classification, and bias testing workflows
  • EU AI Act risk-classification support that doubles as your ISO 42001 impact-assessment groundwork
  • NIST AI RMF and EU AI Act in the native framework library, with the SCF crosswalk to your existing ISO 27001 controls
  • Policy and procedure templates for AI acceptable use, AI development, and model lifecycle management
  • Risk register integration: AI risks scored and treated alongside your full risk program
  • ISO 42001 readiness assessment rolling out on the AI Governance module — built on the same gap-assessment engine as ISO 27001
  • We hold ourselves to the same standard: Sage AI runs under documented governance — provider disclosed (Anthropic Claude), actions logged, humans approving

Your journey

From kickoff to audit-ready.

Step-by-step, exactly how we'll get you there.

1. AI Inventory

Register every AI system, model, vendor, and use case in the AI Governance registry — the single source of truth your auditors and customers will ask for.

2. Risk Classification

Classify each system by risk. EU AI Act tier work doubles as ISO 42001 impact-assessment groundwork.

3. Policy & Controls

Deploy AI policy templates and map controls onto your existing ISMS — Annex SL means the management system is shared.

4. Impact Assessments

Run AI system impact assessments with affected-party analysis and documented treatment decisions.

5. Testing & Oversight

Bias testing workflows, model cards, and human-oversight gates — operational controls, not shelf-ware documents.

6. Audit Readiness

Internal audit and management review on the same engine you use for ISO 27001 — one cadence, two certificates.

Time to value

AI inventory and governance baseline in days. AI-governance coverage is closing enterprise deals today: enterprise buyers ask AI questions in every security review.
Cross-framework: ISO 42001 and your existing framework

ISO 42001 follows the same Annex SL management-system structure as ISO 27001 — your ISMS clause 4–10 work carries straight over. We show you exactly what is net-new.

How we're different

Most platforms treat AI governance as a policy-template pack. Compliance Enablers ships a working AI Governance module — registry, model cards, risk classification, bias testing — and applies it to its own AI: Sage AI runs on Anthropic Claude with disclosed data flows, logged actions, and human approval. Governance you can inspect, not a marketing page.

Powered by

Key modules for ISO 42001.

Everything these modules ship, included in every tier.

  • AI Governance
  • Risk Management
  • Document Management
  • Controls Library
  • Audit Management

14-day free trial · no card required

Get ISO 42001 audit-ready.

AI inventory and governance baseline in days. 513 pre-generated policies. 50+ evidence collectors. Everything you need to pass ISO 42001, out of the box.