Framework
ISO/IEC 42001:2023
The first international, certifiable AI Management System standard. Structured like ISO 27001 (clauses 4–10 plus Annex A) so it integrates cleanly with an existing ISMS — most certified organisations are getting both.
Annex A — 9 areas
| Area | Theme | What it covers |
|---|---|---|
| A.2 | AI policies | Documented direction for responsible AI |
| A.3 | Internal organisation | Roles and responsibilities for AI |
| A.4 | Resources for AI systems | Data, tooling, compute, human resources |
| A.5 | Assessing impacts | Impacts on individuals, groups, society |
| A.6 | AI system lifecycle | Design, develop, verify, deploy, operate, retire |
| A.7 | Data for AI systems | Provenance, quality, preparation |
| A.8 | Information for interested parties | Stakeholder transparency |
| A.9 | Use of AI systems | Responsible deployment and operation |
| A.10 | Third-party + customer relationships | Supply-chain AI risk |
As with ISO 27001, Annex A controls are applied selectively; the Statement of Applicability must justify inclusions and exclusions.
Why it matters now
ISO 42001 maps directly to the EU AI Act's management-system and risk-governance obligations. NIST has published a formal crosswalk between the AI RMF and ISO/IEC 42001. CSA and EU AI Compass analyses suggest implementing 42001 + NIST AI RMF gets organisations roughly 60–70% of the way to EU AI Act compliance for the management-system side, with the remaining 30–40% being EU-specific regulatory artefacts (conformity assessments, registration, post-market monitoring).
Boards and CISOs are using 42001 as the "show your work" answer to AI Act readiness.
Real adopters
First major hyperscaler with accredited 42001, announced November 2024. Scope: Amazon Bedrock, Q Business, Textract, Transcribe.
Certified by Schellman, effective January 6, 2025.
Public certificate dated 2025.
Among early-mover names certified via BSI / other accredited bodies.
Adoption is in the early-mover phase: roughly 25 certified organisations worldwide as of mid-2025. Schellman (ANAB-accredited) and BSI are the most-cited certification bodies.
What Argitron delivers
| Area | Coverage |
|---|---|
| AI-system inventory | First-class data model |
| A.5 impact assessments | Templated DPIA + fundamental-rights + ethics workflows |
| A.6 lifecycle controls | Stage gates from design to retirement |
| A.7 data governance | Lineage records + policy templates |
| AI policies (A.2) + roles (A.3) | Templated; tailoring required |
| A.10 supply-chain AI | Vendor-risk workflow extended for AI suppliers |
| EU AI Act crosswalk | Built into the control library |
Bring an AIMS into the same operating model as your ISMS.
One Statement of Applicability covers ISO 27001 + ISO 42001. One auditor visit. One signed bundle.