ISO/IEC 42001:2023 is the international standard for AI management systems. Observatory maps 12 of its key clauses to operational controls. Unlike the EU AI Act (regulatory) and NIST RMF (voluntary framework), ISO 42001 is the certifiable standard your auditor will audit against.

What ISO 42001 expects

ISO 42001 follows the same plan-do-check-act structure as other ISO management-system standards (9001, 27001). Observatory’s mappings focus on the AI-specific clauses where evidence is hardest to gather by hand.

Mapped clauses

| Clause | Title | Backing controls |
|--------|-------|------------------|
| 4.1 | Understanding the organization | AI Registry + manual evidence |
| 4.4 | AI management system scope | Manual evidence (scope document) |
| 5.1 | Leadership and commitment | Manual evidence |
| 6.1 | Actions for risks and opportunities | Risk Dashboard + Assessments |
| 7.4 | Communication | Audit Trail + Alerts |
| 7.5 | Documented information | Evidence + retention setting |
| 8.1 | Operational planning and control | Policies + Audit Trail |
| 8.4 | AI system development | Assessments (release-readiness) |
| 8.5 | Operation | Telemetry + Drift Monitor |
| 9.1 | Performance evaluation | Analytics + Experiments |
| 9.2 | Internal audit | Audit Trail + manual evidence |
| 10.1 | Continual improvement | Manual evidence (improvement log) |

Status semantics

ISO 42001 audits typically reach a binary conformance decision for each clause. Observatory’s three-state status reflects how close you are to that bar:
  • Met — conformant
  • Partial — conformant for some sub-elements only (likely a finding at audit)
  • Gap — non-conformant
  • Out of scope — clause excluded from scope statement (rare)

What auditors typically want

Most ISO 42001 auditors ask for:
  1. The AI management system scope document (clause 4.4) — manual evidence
  2. Risk register with treatment plans (clause 6.1) — Risk Dashboard export + treatment notes
  3. Records of operational telemetry (clauses 7.5, 8.5) — Observatory’s standard retention
  4. Internal audit reports (clause 9.2) — manual evidence
  5. Continual-improvement evidence (clause 10.1) — improvement log

The export bundle covers items 2 and 3 directly; items 1, 4, and 5 need manual evidence in Observatory.

    POST /api/compliance/export?framework=iso-42001&app_id=...

Overlap with EU AI Act

Clause 6.1 (risk treatment) overlaps with EU AI Act Article 9. Clause 8.5 (operation) overlaps with Article 17. The gap analysis treats these as joint priorities.

EU AI Act

Regulatory framework that overlaps with ISO 42001 risk treatment.

Audit Trail

Where ISO auditors expect to find every change.
Last modified on June 2, 2026