ISO/IEC 42001 is not a technical test of your model. It is a test of whether your organization manages AI on purpose. That distinction explains almost everything about what certification asks of you.
ISO/IEC 42001 is a management-system standard, in the same family as ISO 9001 (quality) and ISO/IEC 27001 (information security). It does not certify that a given model is “safe” or “unbiased.” It certifies that you have a functioning system (policies, roles, processes, records) for governing AI across its life, and that the system actually runs. Auditors look for evidence that you do what you say, not for a perfect algorithm.
The clauses (4–10) are the management-system backbone, and they are non-negotiable for certification:
Annex A is the catalogue of 39 controls — data governance, human oversight, transparency, lifecycle management, third-party AI, and more. You select what applies through a Statement of Applicability, justifying every inclusion and exclusion. There is no “turn everything on” shortcut; the justification is the point.
Three things, repeatedly: Is it written? Is it followed? Can you prove it? A policy nobody references fails. A control you perform but never record fails. The organizations that struggle are not the ones with weak AI — they are the ones whose good practices live in people’s heads instead of in evidence.
Walk the clauses and ask, for each: do we have a document, is there proof we follow it, and could a stranger audit it? Where the answer is “it’s informal,” you have found your gap. That walk is exactly what a diagnostic produces — mapped to all 39 Annex A controls and prioritized.
Certification is earned by an accredited certification body, not by us — we prepare you and stay on the right side of that line. But the work to get there is knowable, sequenced, and far less mysterious than the market makes it sound.
This briefing is general information from Sentinel Assurance Group, not legal advice. Regulatory dates and requirements change — we maintain these briefings, but verify against primary sources and counsel before acting. Last reviewed June 5, 2026.