# ISO 42001

> 12 ISO/IEC 42001:2023 requirements mapped to Observatory controls for AI management systems.

ISO/IEC 42001:2023 is the international standard for AI management systems. Observatory maps 12 of its key clauses to operational controls. Unlike the EU AI Act (regulatory) and NIST RMF (voluntary framework), ISO 42001 is the certifiable standard your auditor will audit against.

***

## What ISO 42001 expects

ISO 42001 follows the same plan-do-check-act structure as other ISO management-system standards (9001, 27001). Observatory's mappings focus on the AI-specific clauses where evidence is hardest to gather by hand.

***

## Mapped clauses

| Clause | Title                               | Backing controls                  |
| ------ | ----------------------------------- | --------------------------------- |
| 4.1    | Understanding the organization      | AI Registry + manual evidence     |
| 4.4    | AI management system scope          | Manual evidence (scope document)  |
| 5.1    | Leadership and commitment           | Manual evidence                   |
| 6.1    | Actions for risks and opportunities | Risk Dashboard + Assessments      |
| 7.4    | Communication                       | Audit Trail + Alerts              |
| 7.5    | Documented information              | Evidence + retention setting      |
| 8.1    | Operational planning and control    | Policies + Audit Trail            |
| 8.4    | AI system development               | Assessments (release-readiness)   |
| 8.5    | Operation                           | Telemetry + Drift Monitor         |
| 9.1    | Performance evaluation              | Analytics + Experiments           |
| 9.2    | Internal audit                      | Audit Trail + manual evidence     |
| 10.1   | Continual improvement               | Manual evidence (improvement log) |

***

## Status semantics

ISO 42001 audits typically reach a binary conformance decision per clause. Observatory's three-state status reflects how close you are to that bar, with a separate value for clauses excluded from scope:

* **Met** — conformant
* **Partial** — conformant for some sub-elements only (likely a finding at audit)
* **Gap** — non-conformant
* **Out of scope** — clause excluded from scope statement (rare)

***

## What auditors typically want

Most ISO 42001 auditors ask for:

1. The AI management system scope document (clause 4.4) — manual evidence
2. Risk register with treatment plans (clause 6.1) — Risk Dashboard export + treatment notes
3. Records of operational telemetry (clauses 7.5, 8.5) — Observatory's standard retention
4. Internal audit reports (clause 9.2) — manual evidence
5. Continual-improvement evidence (clause 10.1) — improvement log

The export bundle covers items 2 and 3 directly; items 1, 4, and 5 need manual evidence in Observatory.

```http
POST /api/compliance/export?framework=iso-42001&app_id=...
```

***

## Overlap with EU AI Act

Clause 6.1 (risk treatment) overlaps with EU AI Act Article 9. Clause 8.5 (operation) overlaps with Article 17. The [gap analysis](./gap-analysis-heatmap) treats these as joint priorities.

***

## Related resources

<CardGroup cols={2}>
  <Card title="EU AI Act" icon="building" href="./eu-ai-act">
    Regulatory framework that overlaps with ISO 42001 risk treatment.
  </Card>

  <Card title="Audit Trail" icon="clipboard-list" href="../governance/overview">
    Where ISO auditors expect to find every change.
  </Card>
</CardGroup>
