SO/IEC 42001 is the first international standard for AI management systems, and its real value is that it forces an organisation to turn good intentions about AI governance into evidence that can survive an audit, a regulator's query, or an enterprise buyer's due diligence. Intent is never in short supply; every organisation means to govern its AI responsibly. Evidence is the scarce thing: the ability to demonstrate, to someone who was not in the room and is not inclined to take your word for it, that the intention was actually carried out. Good intent is invisible in an incident review and useless in a procurement questionnaire. Evidence is what those situations actually require, and producing it reliably is what ISO 42001 is for.

What is ISO 42001, and what is it not?

ISO/IEC 42001, published in late 2023, is a management system standard in the same family as ISO 27001 for information security. It is worth being precise about what it does and does not certify, because both are routinely misunderstood.

It is not a certification of any particular model's accuracy at a moment in time. It does not bless an algorithm. It certifies something more durable: that your organisation has a working system for governing AI across its lifecycle, real enough to survive an independent audit. It is voluntary and certifiable, you can adopt its structure without certifying, and many organisations should begin there, because the value comes from building the system rather than from the badge, while accredited third-party certification adds the independent assurance that increasingly shortens enterprise procurement. And it runs on the plan-do-check-act loop common to every serious management system: establish governance, operate it, check whether it actually works, and improve it. The documentation is the output of that loop, not the point of it.

The standard has moved unusually fast from publication to expectation. By some market estimates, the question "are you ISO 42001 certified, or implementing it?" now appears in a substantial share of enterprise AI vendor assessments in Europe and a growing share in North America, and major providers including Microsoft and SAP have certified core AI services against it. It is becoming the common language for proving that AI is governed rather than merely intended to be.

What ISO 42001 actually asks of you

Strip the clauses back to what they require in practice and a clear set of demands emerges, none exotic, all of which map onto governing AI well regardless of any standard.

It asks you to know what AI you have: an inventory of your AI systems, what they do, and where they sit. This is the unglamorous step most organisations skip and most regret, because everything else depends on it.

It asks you to assess the impact of each system, not only its technical risk but its effect on the people it touches, which is where bias, unfairness, and unexplainable decisions get caught before they become incidents rather than after.

It asks you to govern the lifecycle, not just the launch. AI systems drift, retrain, and get modified, so the standard expects governance that follows a system through its life, not a one-off sign-off that is stale within months.

It asks you to oversee your suppliers' AI, not only your own. Most organisations consume far more AI than they build, embedded in tools they procure, and the standard expects that third-party AI is governed too, which is precisely the assurance your own customers are now demanding of you.

And underneath all of it, it asks you to keep the evidence: documented information showing that the controls exist, operate, and are reviewed. Not a policy asserting good behaviour, a record demonstrating it.

Why ISO 42001 is the same work as your regulatory obligations

There is a reasonable worry that ISO 42001 is one more framework to satisfy on top of the EU AI Act, UK sector rules, and UK GDPR. It is the opposite. The governance infrastructure the standard asks you to build, risk assessment, impact assessment, lifecycle controls, data governance, human oversight, and the evidence of all of it, is the same infrastructure the EU AI Act requires of high-risk systems, maps cleanly onto the NIST AI Risk Management Framework's functions, and underpins what UK regulators expect when they apply existing rules to AI. Build it once, properly, and you satisfy the others as a by-product. For a UK enterprise weighing multiple overlapping obligations, this is the practical case for treating ISO 42001 as the operating system rather than as another tick-box: it turns scattered compliance into one coherent piece of work, and turns intent into evidence.

The evidence problem is a run-time problem

Here is the part most ISO 42001 implementations underestimate. The standard's plan-do-check-act loop is not satisfied by evidence gathered once at certification. The "check" is continuous, which means the evidence has to be too. An auditor asking whether your controls work does not want last year's policy; they want to see that the control has been operating, and being reviewed, across the period. A regulator asking whether a system has been under control wants the same. That is an ongoing, production-level requirement, not a point-in-time document.

This is where evidence meets run-time governance. The records that genuinely demonstrate control, what each system did, when a control intervened, how a system performed against its thresholds over time, who owns it, are generated while the system runs, not written up beforehand. An evidence trail that only captures design-time decisions proves you intended to govern. An evidence trail that captures run-time behaviour proves you actually did. The second is what survives scrutiny. The first is what collapses under it.

How continuous evidence works in practice

We implement AI governance on IBM watsonx.governance as an IBM Gold partner, and it is worth being concrete about how continuous evidence is produced, because the gap between intending to keep evidence and actually having it is where most programmes fail an audit.

watsonx.governance uses AI Factsheets, which IBM describes as nutritional labels for models, to automatically capture metadata and an audit trail across the lifecycle: the rationale for choosing a model, who was involved at each stage, and how the system behaved once in production, all exportable for an audit rather than reconstructed under pressure. Watson OpenScale monitors deployed systems against the thresholds you set, for fairness, drift, and quality, with the results feeding the same record, so the evidence of ongoing control accumulates automatically rather than depending on someone remembering to document it. The Governance Graph maps the whole estate, tracing what AI is in use, for what purpose, under what controls, and whether those controls are working across platforms and providers, which is exactly the connected, queryable picture an auditor or regulator wants. Integration with OpenPages ties AI evidence into enterprise risk and compliance workflows. IBM was named a Leader in the 2026 Gartner Magic Quadrant for AI Governance Platforms, which matters here only as confirmation that the evidence capability is enterprise-grade.

The platform produces the evidence. It does not decide what evidence your obligations require, what thresholds matter, or how your ISO 42001 management system is scoped. That mapping, from the standard's requirements and your regulatory obligations to the specific controls and records that satisfy them, is the implementation work, and it is where certification is actually earned.

Where to start

For an organisation that already runs ISO 27001, much of the management-system scaffolding is familiar, and the realistic effort is months rather than years, with the longest poles usually the AI risk register, impact assessments per system, and supplier AI assurance. For an organisation starting without an existing management system, it is a larger build, but the sequence is the same: a gap analysis that finds where the evidence does not yet exist, followed by the deliberate work of closing those gaps.

That gap analysis is the honest first step, and it is uncomfortable in the productive way, because it surfaces the distance between what you intend and what you can prove. Closing that distance is the whole exercise. Intent gets you to the starting line. Evidence is what lets you cross every line that matters after it: the incident review, the regulator's query, the customer's questionnaire, the board's question. Evidence beats intent, every time it is actually tested.

Frequently asked questions

What is ISO 42001?ISO/IEC 42001 is the first international standard for AI management systems, published in 2023. It specifies requirements for establishing, operating, and continually improving a system to govern AI responsibly across its lifecycle, and it is voluntary and certifiable by accredited third parties.

Is ISO 42001 mandatory in the UK?No. It is a voluntary standard, not a legal requirement. However, it is increasingly expected in enterprise procurement and maps closely to obligations under the EU AI Act and to UK regulators' expectations, so many UK organisations adopt it as the most efficient way to satisfy multiple requirements at once.

How long does ISO 42001 implementation take?For organisations with an existing ISO 27001 management system, typically several months to implementation and longer to first certification, with the AI risk register, per-system impact assessments, and supplier assurance the longest tasks. Organisations starting from scratch should expect a larger effort following the same sequence.

How does ISO 42001 relate to the EU AI Act?ISO 42001 provides the management-system infrastructure, risk and impact assessment, lifecycle controls, human oversight, and evidence, that the EU AI Act requires of high-risk systems. Building the ISO 42001 system once delivers much of the EU AI Act's governance requirements as a by-product, though certification does not by itself constitute legal compliance.

Why is continuous evidence important for ISO 42001?Because the standard's plan-do-check-act cycle requires ongoing verification that controls work, not a one-off snapshot. Evidence of control has to be generated while systems run in production, which is why run-time monitoring and automated audit trails, rather than static documents, are what actually satisfy an audit.

Our in-person governance clinics start with the gap analysis: where your AI estate has evidence and where it only has intent, and how to close the distance. Aligne is an AI governance advisory and implementation partner for UK enterprises, an IBM Gold partner, and a run-time governance specialist.

Blog

Our latest news

Stay Informed: Engage with our Blog for Expert Analysis, Industry Updates, and Insider Perspectives

All Posts
Services Image
ISO 42001 and the Evidence Problem: Why Good Intentions Don't Survive an Audit
ISO/IEC 42001 is the first international standard for AI management systems, and its real value is that it forces an organisation to turn good intentions about AI governance into evidence that can survive an audit, a regulator's query, or an enterprise buyer's due diligence.
Read Details
Services Image
The EU AI Act and UK Enterprises: What Actually Applies, and When
UK enterprises are caught by the EU AI Act whenever they place an AI system on the EU market, or where the output of their AI system is used in the EU, regardless of the UK's departure from the bloc.
Read Details
Services Image
Who Is Accountable When the Software Decides? AI, Automated Decisions and the Ownership Gap
When an AI system decides something about a person, a loan declined, an application screened out, a claim flagged, a price set, the organisation deploying that system is accountable for the decision, not the software.
Read Details

Ready to Take the First Step?

let’s design the governance framework your AI strategy deserves

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
bg elementbg elementLet's Talk