Is ISO 42001 Just Another Compliance Box to Check?

It can be, and if it is, it is close to worthless. The value is in the underlying discipline, not the certificate that describes it.


It can be, and if it is, it is close to worthless. A paper AI management system that describes a governance process nobody actually follows is exactly the failure mode ISO 27001 already has, a Statement of Applicability written once for the audit and never revisited, applied to a newer and higher-stakes domain. But the underlying discipline ISO 42001 asks for, knowing what your AI does, reviewing what it changes or decides, keeping a human able to override it, monitoring it once it is in production, is not paperwork. It is the same discipline that makes AI-driven products trustworthy enough to use for something that matters.

That is worth taking seriously rather than dismissing either way. Our ISO 42001 framework page covers what the standard requires and who it applies to; a companion post covers how ISO 42001 actually plays out in AI product development, the practical mechanics of governing a model you probably did not train yourself. This post is about a more basic question underneath both: whether the whole exercise is worth taking seriously, or just another certificate for the wall.

Can ISO 42001 be treated as a compliance box to check?

Yes, easily. Nothing about the standard prevents a company from writing a scope document, running a risk assessment once, drafting policies that describe a review process, and then never touching any of it again until the surveillance audit reminds them it exists. An auditor can sample that system, find the documents present and internally consistent, and issue a certificate. The certificate would be accurate about what it examined. It would say almost nothing about whether the company's AI is actually governed.

This is not a hypothetical failure specific to ISO 42001. It is the well-worn failure mode of management-system standards generally: the system described on paper drifts away from the system actually running, and the audit checks the paper because the paper is what is available to check. ISO 27001 has been living with a version of this for two decades, most visibly in the Statement of Applicability that gets assembled for the initial audit and then quietly stops reflecting reality as the environment changes underneath it. ISO 42001 inherits the same structural risk, and arguably a worse version of it, because AI systems change faster than most infrastructure. A model gets swapped, a prompt gets rewritten, a feature ships that uses a large language model for something the original risk assessment never considered. A governance document that goes stale in an information-security program is a real gap. A governance document that goes stale for a system making decisions a customer or regulator cares about is a bigger one.

What does the discipline ISO 42001 is actually asking for look like, done for real?

Stripped of certification language, it is four habits. Know what your AI does, specifically, not in the abstract, for each feature that uses it. Review what it changes or decides before that change or decision reaches a customer, rather than trusting it by default. Keep a human able to override it, which means the override path has to actually work and someone has to actually own it, not just exist in an org chart. Monitor it once it is running in production, because a model that behaved acceptably in testing can drift once it meets real inputs at scale.

None of that is paperwork. It is the same practice that separates a trustworthy AI feature from an unsupervised one, independent of whether a certificate is involved at all. A company that does this well because the underlying risk is real will find the ISO 42001 audit mostly confirms what is already true. A company that does not do this, and tries to produce the documentation anyway, is doing more work to describe a system than it would take to build the system, and getting nothing real for it.

What is the honest test for whether a company ISO 42001 program is real?

Pick a specific AI feature and ask someone on the team, without warning, to explain what it does, what could plausibly go wrong, and who is accountable when it does. Not the category of risk from a template, the actual answer for that feature. If they can walk through it directly, from memory, the certificate sitting on top of that answer is a formalization of something already true, and worth having for exactly that reason: it lets a buyer or investor who cannot ask that question themselves trust that someone already could answer it.

If the honest answer is "let me pull up the policy," the program is theater, and the more important point is that the theater does not change the underlying risk either way. The AI system is exactly as governed, or ungoverned, as it was before anyone wrote the policy. The certificate did not add oversight; it added a description of oversight that may or may not correspond to anything running. That gap is the real cost of treating ISO 42001 as a box to check, not that the standard itself is wrong to ask the question.

Frequently asked questions

Is ISO 42001 just another compliance box to check? It can be treated that way, and if it is, the certificate is close to worthless. A paper AI management system that describes a governance process nobody actually follows is the same failure mode ISO 27001 already has, a Statement of Applicability nobody revisits, applied to a newer and higher-stakes domain. The underlying discipline ISO 42001 asks for is not paperwork; it is the practice that makes AI-driven products trustworthy enough to use for something that matters.

What does compliance theater look like for an AI management system? A policy document that describes how AI decisions get reviewed, while nobody on the team could actually walk through what a specific AI feature does, what could go wrong, or who is accountable when it does, without pulling up that document first. The system exists on paper and nowhere else, which means the actual risk the standard was written to manage is still unmanaged, certificate or not.

What is the honest test for whether a company ISO 42001 program is real? Ask someone on the team to explain, specifically, what a particular AI feature does, what could go wrong, and who is accountable when it does, without opening a policy document to check. If they can answer directly, the certificate is a formalization of something already true. If the answer only exists in the document, the program is theater, regardless of what the audit found.

Is the ISO 42001 certificate worthless if the underlying practice already exists? No, the opposite: it is most valuable exactly there. A company that already knows what its AI does, reviews what it changes, and keeps a human able to override it gets a credible, externally checked way to say so to a buyer or investor who has no other way to verify it. The certificate adds real value on top of real practice. It adds nothing on top of a policy binder.

Why does ISO 42001 risk repeating a problem ISO 27001 already has? ISO 27001 programs commonly produce a Statement of Applicability that gets written once for the audit and rarely revisited as the environment changes. ISO 42001 governs AI systems that change faster than most infrastructure, new models, new prompts, new use cases, so a governance document that goes stale is a worse gap here than it was for information security, not a smaller one.

Does ISO 42001 apply if a company only calls a third-party AI model rather than training its own? Yes. The standard still expects the company to know what the model does, monitor its outputs, document its oversight, and keep a human able to intervene, even when the model itself belongs to a different vendor. Governing a system you did not build is a real discipline, not a lighter version of governing one you did.

Last reviewed: July 12, 2026.

Where Scadable fits

Scadable's own AI-driven remediation work is held to exactly this standard internally, a human-reviewable diff, never a silent change, before anything an agent proposes reaches a customer's code or infrastructure. That is not a policy statement written to satisfy an auditor; it is how the remediation pipeline actually has to work for us to trust it ourselves. Building a customer's ISO 42001 program means implementing that same real practice for their AI systems, not producing a policy binder that describes it. Book a call to see what that looks like for your company.