ISO 42001 is the first international standard built specifically for managing artificial intelligence. If 2025 was the year of adoption, 2026 is the year customers, partners, investors, and regulators start asking for proof. The certificate is not the point. A management system that actually runs is.
An AI management system asks for three things most teams can write and few can show. Commitment from top management. An inventory of every AI system. And a risk assessment for each one across technical, ethical, legal, social, and security dimensions. Writing the policy is the easy half. Showing it ran on a recurring cadence is the half that fails.
This is where it breaks in the audit, and anyone who has been through SOC 2 or ISO 27001 already knows the shape of it. The auditor does not want the policy. They want evidence. The date each AI system was risk-assessed, who signed off, which mitigations were applied, when it was last reviewed. If that lives in scattered documents, certification turns into a quarter-end scramble.
Run the controls instead of documenting them. An AI-system intake as a workflow: classification, risk assessment by role, mitigation plan, sign-off. A recurring review cycle per system on a schedule. Each run becomes the exact evidence the auditor asks for, retrievable in one timeline instead of reconstructed from memory and email.
“The auditor wants the date it ran, not the policy.”
Budget the timeline honestly. For a mid-size company, implementation runs eight to twelve months. The long pole is not the documentation. It is building the habit, the per-system reviews that keep happening after the consultant leaves and the certificate is on the wall.
Start with the inventory. You cannot risk-assess AI systems you have not listed, and the list is almost always longer than leadership thinks. Shadow tools, embedded model features, a vendor that quietly added AI to a product you already use. Find them first, then govern them.
