The SaaS Law Clinic · Nicole G, Esq.
AI governance

ISO/IEC 42001

Also known as: ISO 42001 · ISO/IEC 42001 · AI Management System

The 2023 international standard for AI management systems, the first ISO certification scheme designed specifically for organizations that develop or deploy AI.

ISO/IEC 42001 is the international standard, published in December 2023, that defines requirements for establishing, implementing, maintaining and continually improving an AI management system (AIMS). It is the first certifiable ISO management system standard built specifically for the AI domain, and it follows the same harmonized structure as ISO/IEC 27001 (information security) and ISO 9001 (quality), so organizations already certified to those can extend an existing management system rather than build a new one. It gives organizations a framework for managing AI risk, governance, and continual improvement, and it gives auditors a basis for certifying that the framework is in place and operating.

The standard organizes AI governance around the familiar Plan-Do-Check-Act cycle, with clauses that mirror the other ISO management system standards: context of the organization and scope (clause 4); leadership and policy (5); planning, including AI risk assessment and AI system impact assessment (6); support, including resources and competence (7); operation, covering the AI lifecycle from design through deployment and retirement (8); performance evaluation (9); and continual improvement (10). Annex A lists the reference controls and Annex B gives implementation guidance; the organization records which controls it applies, and why any are excluded, in a statement of applicability. Each clause maps to specific operational practices an organization is expected to implement, document, and produce evidence for at audit.

For SaaS and AI vendors, ISO 42001 certification is becoming a procurement asset. Enterprise buyers who used to ask "do you have an AI policy" are now asking "are you ISO 42001 certified, or working toward it." Reaching certification typically takes 9 to 18 months and runs through an accredited third-party certification body, comparable in effort to a SOC 2 Type II audit, though it is a certification against a standard rather than an attestation report, and it is maintained on a three-year cycle with annual surveillance audits. The cost is not trivial, but for vendors selling into regulated industries the return on investment is real.

For in-house teams evaluating AI vendors, ISO 42001 is currently the strongest single signal of AI governance maturity available. It does not replace a real review of the vendor's specific practices: the certificate attests that a documented management system exists and has been audited against an external standard, not that any particular model is safe, accurate, or fit for your use case. Ask for the certificate itself and read its scope statement, since certification can be limited to certain business units, products, or sites, and confirm that the certification body is accredited to issue ISO/IEC 42001 certificates. Within that scope, it tells you the vendor has invested in a documented system and has been audited against an external standard.
