ISO 42001 is the first international standard you can hold a certificate against for governing artificial intelligence. Every other AI framework to date has been guidance, principles, or a maturity model you grade yourself against. This is the first one an accredited auditor can assess you to and issue a certificate for, the same way ISO 27001 works for information security. Which is why your enterprise customers are about to start asking whether you have it.

Plenty of businesses meet ISO 42001 the same way they met every other standard. A customer names it in a tender. A board member reads about it somewhere. Someone in procurement asks how you govern the AI you switched on last year. Better to understand it before that conversation than during it.

What is ISO 42001?

ISO/IEC 42001:2023 is the international management-system standard for artificial intelligence, published in December 2023 as the world’s first certifiable AI management system standard. Its full title is Information technology โ€” Artificial intelligence โ€” Management system. It specifies how an organisation establishes, runs, and continually improves an Artificial Intelligence Management System, usually shortened to AIMS.

If you have come across ISO 27001 for information security or ISO 9001 for quality, this is the same idea pointed at AI. It will not tell you which tools to buy or ban. Its job is to wrap governance, accountability and risk management around the AI you build, sell or use, so the decisions those systems make can be explained, challenged and corrected.

Australia adopted it without changes. Standards Australia published it as AS ISO/IEC 42001:2023 in February 2024, describing the text as an identical adoption of the international standard, governed locally by the IT-043 Artificial Intelligence committee. So the Australian version and the global version are the same document, which matters if you trade across borders.

How does ISO 42001 work?

The standard runs on the same Plan-Do-Check-Act cycle as every other modern ISO management standard, with its requirements set out across Clauses 4 to 10, running from context and leadership through planning, support, operation, performance evaluation and improvement. In plain terms, it asks you to understand where AI sits in your business, put someone in charge of it, plan for the risks, run the controls, measure how they are working, and fix what is not.

The part people skip to is Annex A, which sets out 38 AI-specific controls organised under 9 control objectives. Those controls map to what tends to go wrong with AI in practice, from whether you have an AI policy at all and who is accountable, through the quality of the data your models learn from, transparency with the people affected by a decision, logging what the system did, keeping a human in the loop on high-impact decisions, and managing the AI suppliers and customers in your chain.

Supporting annexes give you implementation guidance and a structure for AI impact assessments, which is the AI-governance equivalent of a privacy impact assessment, a documented look at who could be harmed and how before you deploy.

The Plan-Do-Check-Act cycle at the heart of an ISO 42001 AI management system: plan for the AI risks, operate the controls, measure how they perform, then improve, with the AI system held at the centre of the loop

Why does ISO 42001 matter now?

ISO 42001 turns “we take AI seriously” from a claim into something an auditor can sign off. Three things are pushing it up the agenda.

Buyer pressure is the one you will feel first. Enterprise and government procurement teams have spent two years learning to ask vendors about AI risk, and the answers have been vague. A certificate, or a credible management system on the way to one, is the cleanest reply a vendor can give. ISO 27001 walked this exact path a decade ago, when “are you ISO 27001 certified?” went from a niche question to a standard line in security questionnaires.

Regulation is slower but heading one way. Australia’s AI governance posture is still largely voluntary as of mid-2026, built on guidance rather than statute. But APRA has already told boards their AI literacy is not good enough, and regulators tend to move in formation. A management system you can point a regulator at beats a folder of policies no one has tested.

Then there is the EU AI Act, sitting over the top of both. If you sell into Europe, it sets binding, risk-tiered obligations, and ISO 42001 is widely treated as the practical operating system underneath it. The certificate does not equal AI Act compliance, but the evidence a 42001 system produces feeds straight into it, so you do the governance work once rather than twice.

Does ISO 42001 apply to me?

On paper, ISO 42001 applies to any organisation that develops, provides or uses AI systems, regardless of size or sector, which is now almost everyone. So the question that matters is less whether it could apply than whether to act on it yet.

Take it seriously now if:

  • You build or sell AI features, because your buyers will increasingly expect you to prove how you govern them.
  • You use AI in higher-stakes decisions like hiring, lending, eligibility, or anything affecting health or safety, where bias and oversight are not optional.
  • Enterprise or government customers have started asking how you manage AI risk in procurement.
  • You sell into the EU and need a defensible governance baseline for the AI Act.
  • Your board wants demonstrable AI accountability ahead of regulation rather than after it.

It is probably not your first move if AI is a minor part of what you do, you have no contractual pressure, and you have not yet sorted out basic information security. In that case the governance practices matter more than the certificate, and you can adopt the useful parts of the standard without paying for an audit you do not need yet.

Telling those two apart, needing the governance versus needing the certificate, is where a lot of businesses slip. They either ignore the standard or rush at certification well before they need to. Usually neither fits. Build the management system at a size that suits you, and certify when a contract demands it.

How does ISO 42001 relate to ISO 27001?

ISO 42001 and ISO 27001 are siblings built on the same skeleton, which is good news if you already hold one. They share ISO’s harmonised management-system structure, so the clauses, the leadership requirements, the risk-based thinking, and the audit rhythm all rhyme. Industry mapping suggests a meaningful portion of 42001’s controls have direct ISO 27001 equivalents, with the remainder being specific to AI.

In practice that means an organisation with a working information security management system can extend it to cover AI rather than stand up a second, parallel system. The data-quality, logging, and supplier controls in particular overlap with what a mature ISMS already does. If you have neither standard and AI is your sharper risk, you can still start with 42001, though in practice securing your information and governing your AI lean on the same disciplines.

Start with the governance, not the certificate

ISO 42001 is early, voluntary, and already on the radar of your largest customers. Panic-certifying the day a tender mentions it is the wrong reflex. The work that pays is deciding, ahead of time, who owns AI risk and what would force you to switch a system off. The standard puts a frame around that work, and it earns its keep whether or not you ever sit an audit.

In a lot of Australian SMBs, AI strategy, AI policy and AI risk are technically everyone’s job and in practice no one’s. The CEO assumes IT has it, IT assumes the board has it, and it sits unowned until something forces the question. That is the gap a Fractional Chief AI Officer fills, with one accountable owner on a retainer rather than a full-time hire. Our pillar on Fractional CAIO services for Australian SMBs walks through when the role makes sense and how it sits next to a CIO or CTO. If you would rather start with the security foundation, our Fractional Leadership practice covers both.

Underneath the clauses, one test matters more than the rest. Can you explain in writing how your biggest AI use case runs, where it could fail, and what would make you pull it? If not, that is where to begin, certificate or not.

Frequently asked questions

No. ISO 42001 is voluntary. There is no Australian law as of mid-2026 that requires a business to hold it. What makes it matter is contractual and commercial pressure, not statute. Enterprise and government buyers are starting to ask how you govern AI, and a certificate is the cleanest way to answer. Australia adopted the standard identically as AS ISO/IEC 42001:2023, so the local and international versions are the same document.

ISO 42001 is a management system you can certify against. The EU AI Act is binding law with risk-tiered obligations and penalties. They are complementary, not interchangeable. A 42001 management system gives you the governance machinery and much of the evidence the AI Act expects, but holding the certificate does not by itself make you AI Act compliant. If you sell into the EU, treat 42001 as the operating system and the AI Act as the legal requirement it helps you meet.

Not strictly, but it helps. The two standards share ISO’s harmonised management-system structure, and industry mapping suggests a meaningful share of ISO 42001’s controls have direct ISO 27001 equivalents. If you already run a certified information security management system, you can extend it to cover AI rather than build a second system from scratch. If you have neither, decide which problem is more urgent first, securing your information or governing your AI.

Yes. The standard is designed to scale to the size and risk of the organisation, so a small business with a handful of AI use cases carries far less scope than a multinational building models. The harder question is usually whether certification is the right spend right now, or whether you need the governance practices without the audit. For many Australian SMBs the answer is to build the management system first and certify later, once a customer or tender requires the certificate.

AI governance review

Not sure where ISO 42001 fits your business?

Book a free Discovery Call with InnovateX Solutions. We'll work through whether a formal AI management system makes sense for you yet, or whether you need the governance without the certificate.

Senior-led and Australian-owned. We'll tell you where your AI governance lands against ISO 42001, and give you a phased plan that fits the size you are, not the size a standard assumes.