Skip to main content
ISO/IEC 42001:2023 is the international standard for AI management systems. Observatory maps 12 of its key clauses to operational controls. Unlike the EU AI Act (regulatory) and NIST RMF (voluntary framework), ISO 42001 is the certifiable standard your auditor will audit against.

What ISO 42001 expects

ISO 42001 follows the same plan-do-check-act structure as other ISO management-system standards (9001, 27001). Observatory’s mappings focus on the AI-specific clauses where evidence is hardest to gather by hand.

Mapped clauses


Status semantics

ISO 42001 audits typically reach a binary conformance per clause. Observatory’s three-state status reflects how close you are to that bar:
  • Met — conformant
  • Partial — conformant for some sub-elements only (likely a finding at audit)
  • Gap — non-conformant
  • Out of scope — clause excluded from scope statement (rare)

What auditors typically want

Most ISO 42001 auditors ask for:
  1. The AI management system scope document (clause 4.4) — manual evidence
  2. Risk register with treatment plans (clause 6.1) — Risk Dashboard export + treatment notes
  3. Records of operational telemetry (clauses 7.5, 8.5) — Observatory’s standard retention
  4. Internal audit reports (clause 9.2) — manual evidence
  5. Continual-improvement evidence (clause 10.1) — improvement log
The export bundle covers items 2 and 3 directly; items 1, 4, and 5 need manual evidence in Observatory.

Overlap with EU AI Act

Clause 6.1 (risk treatment) overlaps with EU AI Act Article 9. Clause 8.5 (operation) overlaps with Article 17. The gap analysis treats these as joint priorities.

EU AI Act

Regulatory framework that overlaps with ISO 42001 risk treatment.

Audit Trail

Where ISO auditors expect to find every change.
Last modified on June 1, 2026