Framework · ISO/IEC 42001:2023

ISO 42001 (AI management system) compliance

ISO 42001 certifies how a company governs the AI it ships, not just how well the model performs. Scadable builds that governance system and keeps it running.

What is ISO 42001?

ISO 42001 is the first international standard for an Artificial Intelligence Management System, an AIMS: the governance, risk-management, and lifecycle controls a company runs around any AI it develops, deploys, or uses. It is a management-system standard in the same family as ISO 27001, not a model-performance benchmark.

It is newest of the frameworks Scadable covers, published in December 2023, and the least settled: the market, the buyers, and the audit ecosystem around it are all still forming through 2026.

Who does ISO 42001 apply to?

Any company that builds AI-driven features, or whose product relies on AI to make decisions a customer or regulator cares about, is a candidate. That includes companies using third-party foundation models, not just companies training their own.

Nobody is legally required to hold it today. It is emerging the way SOC 2 once did: as a buyer and investor diligence question, and increasingly as evidence a company takes its own AI governance seriously rather than shipping AI features with no oversight.

ISO 42001 or the EU AI Act, or both?

They answer different questions and are frequently confused. The EU AI Act is binding law with its own risk tiers and obligations for AI systems placed on the EU market. ISO 42001 is a voluntary certification of your internal AI governance system. Holding ISO 42001 does not automatically satisfy EU AI Act obligations, but a working AIMS makes demonstrating AI Act compliance meaningfully easier, since the underlying governance, risk assessment, and documentation habits overlap.

What you actually have to do

Define the scope of your AI management system. Run risk assessments specific to AI systems: bias, safety, transparency, data governance, and human oversight, not just information security. Document the lifecycle of each AI system you use or build, from data sourcing through deployment and monitoring. Implement the Annex A controls relevant to your scope and run internal audits and a management review, the same pattern as ISO 27001, applied to AI governance specifically.

The hard part: governing AI you did not build yourself

Most companies shipping AI features today are calling a third-party model, not training their own. ISO 42001 still expects you to govern that: know what the model does, monitor its outputs, document your oversight, and be able to show a decision was reviewable, not just fast. That is a genuinely new discipline for most engineering teams, closer to how Scadable already treats its own remediation agents internally than to a typical infosec control.

Scadable's own remediation agents make real changes to customer code and infrastructure, so this is not abstract for us: the same higher trust bar Scadable applies to its own AI-proposed code fixes (heavier review, presented as a diff, never silent) is the discipline ISO 42001 is asking every company to formalize.

What's actually at stake

No statutory penalty for skipping ISO 42001 itself, though the EU AI Act it sits alongside carries real fines for in-scope systems. The nearer-term cost is diligence and procurement risk: investors and enterprise buyers are starting to ask how a company governs the AI it ships, and "we don't have an answer yet" is a worse position every quarter this framework matures.

How Scadable gets you through ISO 42001

Scadable maps your AI management system scope, runs the AI-specific risk assessment, implements the governance and oversight controls that are missing, and keeps the documentation current as your product's AI usage changes. Where it overlaps with EU AI Act obligations or with ISO 27001 controls you already hold, Scadable builds the AIMS to reuse that work rather than duplicate it.

Delivered concierge, like every framework new to Scadable's coverage: real work behind the curtain, not a dashboard claiming automation this framework does not have yet.

Frequently asked questions

They cover different risks. ISO 27001 governs information security. ISO 42001 governs how you build, deploy, and oversee AI systems specifically: bias, transparency, human oversight, AI-specific lifecycle risk. Companies shipping AI features typically need both eventually, and having ISO 27001 first makes ISO 42001 faster to implement.
The EU AI Act is binding law with its own risk-tiered obligations for AI systems on the EU market. ISO 42001 is a voluntary certification of your internal AI governance system. Holding ISO 42001 does not by itself satisfy AI Act obligations, but the governance habits it requires make demonstrating AI Act compliance significantly easier.
No. It is a voluntary international certification, not a legal requirement anywhere. The EU AI Act, a separate binding regulation, is what actually carries legal obligations for in-scope AI systems.
It requires documenting the lifecycle of each AI system you use or build, running AI-specific risk assessments, and maintaining human oversight and monitoring. For teams using third-party models rather than training their own, it means governing and monitoring what you call, not just what you build.
Not universally yet, but AI governance is increasingly a diligence question, especially for companies whose product makes autonomous decisions. Being able to show a real AI management system, rather than an ad hoc one, is a genuine advantage in that conversation.
It can be treated that way, but the underlying discipline (knowing what your AI does, reviewing what it changes, keeping a human able to override it) is the same discipline that makes AI-driven remediation trustworthy in the first place, not a separate cost layered on top.

Get ISO 42001-ready. Without the busywork.