ISO/IEC 42001 AI Governance Alignment Assessment
ISO/IEC 42001:2023 defines requirements for an AI management system (AIMS): how your organization governs AI across policy, risk, lifecycle, and improvement. We map your boundary, find the gaps against the standard and Annex A, and build the evidence a certification audit needs.
Start with a fixed-scope gap analysis →
The Standard
What ISO/IEC 42001 is and why it applies to you.
ISO/IEC 42001 sets the requirements for an AIMS: the policies, objectives, and processes for developing, providing, and using AI responsibly.
It applies to any organization that develops, provides, or uses AI, of any size or sector, public or private.
It governs the AI-specific concerns (ethics, transparency, accountability, and lifecycle risk) and slots into ISO 9001, 27001, and 27701 where you already run them.
Why this matters now
Published December 2023, it gives boards a common language for AI oversight, just as customers, regulators, and procurement teams start demanding documented AI governance.
Scope
Who is subject, and where the boundary sits.
Who is in scope
Any organization that builds, deploys, or procures AI (developers and deployers alike), of any size or sector. Private companies, public bodies, and non-profits all fall in scope.
Defining your AIMS boundary
You define your own AIMS scope: the activities, processes, and AI systems inside the boundary. That means weighing internal and external issues, interested-party requirements, and your roles across the lifecycle: design, development, procurement, deployment, and operation.
What sits outside the standard
ISO/IEC 42001 certifies your AI management system, not individual AI products. It is voluntary; statutory obligations still come from law and regulators. Product approvals and sector authorizations stay outside the assessment, though a strong AIMS helps you meet them.
Overlap with other standards
It shares the harmonized management-system structure of ISO/IEC 27001, 27701, and 9001, so AI governance overlaps your existing security, privacy, and quality scopes. The AIMS coordinates with those systems; it does not replace them.
Core Requirements
What the standard requires of your organization.
Context & scope of the AIMS
Identify the internal and external issues, interested parties, and requirements relevant to AI, then define and document the AIMS scope. The boundary must match your actual roles across the lifecycle.
Leadership & AI policy
Top management owns the AIMS: set an AI policy aligned to organizational direction, and assign roles, responsibilities, and authorities. Governance ownership cannot be delegated away from leadership.
Planning, AI risk & impact
Assess and treat AI risks, and assess system impacts on individuals, groups, and society. Set measurable AI objectives and plan how you will meet them.
Support & competence
Provide the resources, competence, awareness, communication, and documentation the AIMS needs. Anyone working on AI systems must be demonstrably competent for the role.
Operation & lifecycle
Plan, run, and control the processes that meet AIMS requirements, including operational AI risk treatment and impact assessment, across the full lifecycle.
Evaluation & improvement
Monitor, measure, and evaluate the AIMS; run internal audits and management review; drive corrective action and improvement. Auditors look for evidence the loop closes.
Annex A Controls
The AI control set we audit against.
Annex A is the operational control set for the AIMS. We assess you against each control objective, with evidence required for every finding.
Assessment Scope
Technical systems and organizational governance.
An assessment that covers only documentation misses the technical reality. One that covers only systems misses the governance gaps. We audit both.
Technical Systems
- AI system inventory: internal, fine-tuned, and third-party models and versions
- Training and fine-tuning data lineage, provenance, and residency
- Prompts, RAG corpora, embeddings, and feature stores
- Deployment surfaces: SaaS, on-prem, edge, agents, and copilots
- MLOps pipelines, model CI/CD, and rollback controls
- Model monitoring: drift, performance, and quality thresholds
- Event logging and traceability for AI decisions
- Access control, secrets, and isolation for AI pipelines
- Third-party AI services, APIs, and subprocessors
- Human-oversight interfaces: review queues and escalation
- Data quality and preparation controls for AI inputs
- Technical documentation maintained per AI system
Organizational Governance
- AI policy and alignment with security, privacy, and quality policies
- AI governance roles, accountable owner, and RACI
- AI risk criteria, assessment, and treatment process
- AI system impact assessment process and completed records
- Intended-use and prohibited-use definitions per system
- Transparency and disclosure commitments to users
- Supplier and customer contractual AI obligations
- AI incident and harmful-outcome response procedures
- Change management when models or use cases change
- Awareness and competence training for AI operators
- Management review cadence and inputs
- Continual improvement and corrective-action records
Methodology
Phase-gated. Evidence-required.
No phase begins until the previous one is signed off. No finding goes unvalidated. Every deliverable requires dual-reviewer sign-off before issuance.
| Phase | Deliverable | Gate |
|---|---|---|
| 0: Engagement Mobilization | Signed engagement letter, NDA, AIMS applicability confirmation, certification objective, independence attestation, kickoff notes, Phase 0 out-brief | Signed out-brief |
| 1: Discovery | AI system inventory, model and training-data registry, AI data-flow mapping, stakeholder and context note, Phase 1 out-brief | Signed out-brief |
| 2: Gap Assessment | Gap assessment against ISO/IEC 42001 clauses 4–10 and Annex A applicability, human-oversight and impact-assessment review, risk register with dual-reviewer calibration, Phase 2 out-brief | Dual-reviewer sign-off |
| 3: Remediation Roadmap | Control-tagged recommendations, effort bands, owner assignments, certification milestones, executive summary, Phase 3 out-brief | Client sign-off |
| 4: Policy & Procedure Authorship | AI governance policies, procedures, transparency documentation, implementation log (change, owner, date, control reference), Phase 4 out-brief | Signed out-brief |
| 5: Validation & Closeout | Controls validation, human-oversight verification, residual-risk note, certification evidence pack, Final Engagement Report signed by practice lead and independent reviewer | Final Report issued |
| 6: Monitor & Maintain | Surveillance cadence, AI deployment-change monitoring, periodic status summary, escalation log triggered by new models, use cases, suppliers, incidents, or standard updates | Annual review cycle |
What Weak AI Governance Costs
The standard is voluntary. The exposure is not.
Certification
Certification audit failure
Unresolved nonconformities at Stage 1 or Stage 2 delay or block certification, and surveillance findings can suspend an existing certificate. Evidence gaps are the common cause.
Commercial
Lost contracts and procurement gates
Enterprise and public-sector buyers increasingly require documented AI governance. Without it, AI products stall in vendor risk review.
Regulatory
Regulatory overlap exposure
A strong AIMS supports, but does not replace, obligations under applicable AI and privacy laws. Weak governance leaves those obligations unevidenced. This is not legal advice.
Operational
Incident and reputational cost
Unmonitored models, undocumented intended use, and absent oversight turn foreseeable AI failures into public incidents with no defensible record of due care.
What You Receive
Audit-ready evidence. Not a slide deck.
Every engagement closes with documentation that holds up under a certification audit, not language that disappears when an auditor asks a specific question.
AI System Inventory & Boundary Diagram
A documented register of in-scope AI systems, models, and data flows with a clear AIMS boundary, the foundation every other deliverable references.
Applicability Matrix (SoA-style)
Which Annex A controls apply, which are excluded, and the justification for each, mapped to your AI systems and risks.
AI Impact Assessment Pack
Templates and completed assessments covering impacts to individuals, groups, and society, linked to risk treatment decisions.
Gap Assessment with Control References
Every finding scored, severity-rated, and tied to a specific ISO/IEC 42001 clause or Annex A control. Dual-reviewer sign-off before issuance.
Final Engagement Report
Signed by practice lead and independent reviewer. Audit-ready documentation of your AIMS posture and certification readiness at the date of assessment.
This page is governance guidance, not legal advice. ISO/IEC 42001 certification is issued by accredited certification bodies, not by Sovereign GRC; our engagements support your readiness for that process. Clause and Annex A references describe the structure of ISO/IEC 42001:2023. Consult the standard for authoritative text.
Next Step
Know if you’re ready.
Before the audit does.
One scoping session. AI systems inventoried, gaps mapped to ISO/IEC 42001, certification path set.