ISO/IEC 42001:2023 is the first international standard for an AI management system, published in December 2023. It applies the management-system pattern familiar from ISO/IEC 27001 for information security to the governance of artificial intelligence.
Certification asks an organisation to show that AI is managed as a continuous process rather than a one-off review. That means a defined AI policy, clear roles and accountability, risk and impact assessments for the systems in use, and records that demonstrate oversight over time. An accredited body audits the evidence before a certificate is issued.
How It Relates to the EU AI Act
The standard supports EU AI Act preparation without replacing it. A working management system produces much of the documentation, risk assessment and human-oversight evidence the Act expects, organised in one place rather than scattered across teams.
ISO/IEC 42001 is not a harmonised standard under the Act, so holding the certificate is not the same as legal conformity. What it gives you is a structure to build on, and a recognised signal of governance maturity that buyers, partners and regulators understand.
Where to Start
The first step is an inventory. An organisation cannot govern AI systems it has not catalogued, so a clear record of what is in use, who owns it and what it touches comes before any policy work. From there, the policy, risk assessments and oversight controls have something concrete to apply to.
Source: ISO/IEC 42001:2023, International Organization for Standardization (iso.org).
Build governance on a recognised structure
HEX 165 evaluates your AI systems against the EU AI Act and frameworks including ISO/IEC 42001 and the NIST AI RMF, then produces a gap analysis with prioritised actions. Book a demo or learn more about the platform.