ISO/IEC 42001:2023
is an international standard for AI management systems. It provides a
structured framework for AI governance: transparency requirements,
risk management systems, and responsible oversight of automated
decision-making. Those elements map directly to what the EU AI Act
requires from high-risk AI system operators, risk management systems,
technical documentation, human oversight design.
The alignment is documented in EU AI Act implementation guidance
and acknowledged by
NIST’s AI Risk Management Framework, which cross-references
ISO/IEC 42001 as a complementary governance standard. On March 6, 2026,
NIST’s Information Technology Laboratory AI Program hosted a webinar
on the international AI standards landscape, including ISO standards,
the clearest recent signal that standards bodies are actively working
the alignment question.
One important distinction: ISO/IEC 42001 certification is not the same
as EU AI Act compliance. Certification demonstrates that an organization
has implemented a structured AI management system meeting the standard’s
requirements. It is one pathway that supports the governance documentation
and risk management elements of EU AI Act conformity assessment,
but it does not substitute for conformity assessment itself,
and it does not address all high-risk AI system obligations under the Act.
Compliance Group announced on March 5, 2026 that it had received
ISO/IEC 42001:2023 certification, according to a company press release.
This has not been independently verified beyond the company’s announcement.
For compliance teams navigating the August 2 deadline, the practical
question is whether an ISO/IEC 42001 implementation project is the
right starting structure for EU AI Act preparation. For organizations
that have not yet established formal AI governance documentation,
the answer is often yes, with the explicit understanding that
the standard gets you structured, not compliant.