ISO/IEC 42001:2023 Explained: Requirements, Controls and Certification
ISO/IEC 42001 helps organizations make AI governance auditable, with documented roles, controls, risk processes, audits and improvement cycles. This article explains how the standard works, how it compares to NIST AI RMF and the EU AI Act, and how a certified platform can help organizations organize and manage evidence related to data, lifecycle and governance controls.
ISO 42001 DEFINED
ISO/IEC 42001:2023 is an international standard that defines requirements and guidance for creating, maintaining and continually improving an AI management system so organizations can develop, provide or use AI responsibly.
Many AI governance programs are policy-first and process-weak. When models move from development into production, a new data source is added, or a vendor updates a feature, the controls that seemed adequate at deployment quickly fall short — and there’s no built-in mechanism to catch the gap.
ISO/IEC 42001:2023 is the first international standard for an AI management system, and it gives organizations that operating model. It specifies how organizations can establish, implement, maintain and continually improve the processes used to govern AI systems — turning AI governance from a document into an auditable management system with defined ownership, risk treatment, audit cycles and evidence requirements.
What is ISO/IEC 42001?
ISO/IEC 42001:2023 is an international standard that specifies requirements for an artificial intelligence management system (AIMS). An AIMS is the set of policies, roles, processes, controls and documented information an organization uses to govern the development, provision or use of AI systems.
Published in December 2023 by ISO/IEC JTC 1/SC 42, the standard applies across sectors and AI system types, including predictive ML, generative AI and agentic systems. It can apply to organizations that provide AI products, deploy AI systems in business processes or use AI systems in production contexts.
ISO/IEC 42001 follows the harmonized structure used by other ISO management system standards, including ISO 27001 and ISO 9001. This is beneficial because organizations with existing management system maturity can often reuse familiar practices — defining scope, assigning leadership accountability, maintaining documented information, conducting internal audits, reviewing performance and driving continual improvement.
The standard also includes Annex A controls, which address AI-specific governance topics such as AI policies, internal organization, resources, impact assessments, lifecycle processes, data, information for interested parties, use of AI systems and third-party relationships. Like ISO 27001, the Annex A controls are applicability-based, so organizations document which controls apply and why through a Statement of Applicability.
Why ISO 42001 matters
ISO/IEC 42001 gives organizations a way to show that AI governance is operating in practice, not just described. This distinction is important when customers, regulators, boards or procurement teams ask how an organization controls the AI systems it builds or uses.
Third-party attestation
Certification gives organizations independent assurance that their AIMS meets the standard’s requirements. ISO describes certification as written assurance from an independent body that a product, service or system meets specific requirements. For AI teams, this can help demonstrate responsible AI practices without exposing proprietary model details, internal architectures or sensitive customer data.
Procurement support
As enterprise buyers add AI governance questions to RFPs and vendor risk assessments, ISO 42001 gives providers and deployers a recognized standard to reference. A certificate doesn’t answer every technical question, but it can reduce ambiguity around whether the organization has formal AI governance processes, audit cycles and management oversight in place.
Regulatory alignment
ISO 42001 is voluntary, but its management system structure maps closely to emerging AI regulatory expectations. The EU AI Act requires providers of high-risk AI systems to maintain documented quality management systems, risk management systems and post-market monitoring processes. ISO 42001 can provide a structured foundation that organizations may use to support AI compliance efforts — the policies, procedures and evidence those obligations require.
Operating rhythm
AI governance needs a cadence. Risk assessments age, data changes, model behavior drifts and business use cases expand. ISO 42001 formalizes that rhythm through planning, performance evaluation, internal audit, management review, corrective action and continual improvement.
Customer trust
ISO/IEC 42001 certification is evidence to customers of an organization’s commitment to transparency, accountability and trust in AI safety practices. For example, Snowflake has achieved ISO/IEC 42001 certification, following an independent third-party audit, and customers can access related audit evidence through Snowflake’s Compliance Center.
Who should use ISO 42001
ISO/IEC 42001 applies to organizations that provide, develop, deploy or use AI systems. AI risk doesn’t sit only with model developers. It can also arise when a business configures an AI-enabled SaaS product, integrates an AI system into a workflow, connects it to sensitive data or uses its outputs in decisions that affect customers, employees or operations.
The standard is relevant for several types of organizations:
Providers develop AI systems, AI-enabled products or AI services that others use. A provider might build a fraud detection model, a gen AI assistant, a computer vision system or an AI application embedded in a larger product.
Deployers put AI systems into use. A deployer might configure a vendor-provided AI service, integrate it with internal systems, connect it to governed data or define the workflow in which employees rely on AI outputs.
Users operate AI systems in production contexts. In practice, this can include business teams, public-sector agencies, regulated organizations and internal functions that use AI for analysis, automation, decision support or content generation.
ISO 42001 is sector-agnostic, but early adoption is especially relevant for public-sector organizations, regulated industries and AI product companies because they often face stronger demands for documented controls, procurement evidence and defensible governance processes.
COMMON PITFALL
ISO 42001 certification shouldn’t be treated as a one-time checkbox. Governance must keep pace with changing models, data sources, vendors and use cases through monitoring, management review, corrective action and ongoing improvement.
The 10 clauses of ISO/IEC 42001
ISO/IEC 42001 follows the harmonized structure used by ISO management system standards. Clauses 1 through 3 define the scope, normative references, and terms and definitions; Clauses 4 through 10 specify the management system requirements an organization must implement and maintain.
Clauses 1–3: Scope, references and definitions
The opening clauses establish what the standard covers, which references apply and how key terms are defined. For AI governance programs, this common vocabulary matters because business, legal, data science, engineering and security teams often use the same words differently. The standard gives those teams a shared reference point for the AIMS.
Clause 4: Context of the organization
Clause 4 requires the organization to understand the internal and external factors that affect its AI management system. This includes stakeholder needs, legal and regulatory expectations, AI use cases, organizational boundaries and the AIMS scope.
In practical terms, a company needs to know which AI systems fall under the AIMS, which teams own them, which data sources they rely on and which external parties are affected by their outputs.
Clause 5: Leadership
Clause 5 addresses leadership commitment, AI policy, roles, responsibilities and authorities. It requires senior leaders to make AI governance part of the organization’s management system rather than a side process owned only by technical teams.
That usually means naming accountable owners, approving an AI policy, aligning responsibilities across business and technical teams, and ensuring that people with governance obligations have the authority to carry them out.
Clause 6: Planning
Clause 6 covers planning, including AI risk assessment, AI risk treatment and AI objectives. Organizations must identify risks and opportunities, decide how to address them and define measurable objectives for the AIMS.
A risk assessment might examine data quality, model performance, explainability, human oversight, security, privacy, algorithmic bias, operational resilience or downstream impact. The risk treatment plan then connects those risks to controls, owners and evidence.
Clause 7: Support
Clause 7 focuses on the resources needed to operate the AIMS: competence, awareness, communication and documented information. A policy is not enough if model owners do not know when to perform an impact assessment, reviewers cannot find required evidence or business users do not understand acceptable AI use.
This clause is where organizations define training, documentation practices, communication channels and the records that demonstrate governance activity.
Clause 8: Operation
Clause 8 addresses operational planning and control for AI systems. This is where lifecycle processes become concrete: requirements, design decisions, data preparation, verification and validation, deployment controls, operation, monitoring and decommissioning.
For example, an organization may need a documented process for approving a model before production, changing its data inputs, expanding its use to a new population or retiring it when it no longer meets policy or performance expectations.
Clause 9: Performance evaluation
Clause 9 requires monitoring, measurement, analysis, evaluation, internal audit and management review. The organization needs to know whether the AIMS is working and whether governance controls continue to fit the organization’s AI systems.
This can include control testing, audit findings, model monitoring results, incident trends, risk treatment status and management review records.
Clause 10: Improvement
Clause 10 covers nonconformity, corrective action and continual improvement. When an audit finding, incident, monitoring issue or process failure appears, the organization must respond in a structured way.
That response typically includes investigating the issue, correcting the immediate problem, addressing root causes and updating the AIMS so the same failure is less likely to recur.
Annex A: The 38 AI-specific controls
Annex A provides 38 AI-specific controls grouped into control categories. These controls help organizations move from management system requirements to operational practices, but they are not automatically mandatory in every context. Organizations evaluate applicability and document their rationale in a Statement of Applicability.
A.2: AI policies
A.2 covers the AI policy itself: how the organization states its responsible AI expectations, keeps that policy aligned with its other organizational policies (such as security, privacy and procurement) and reviews it at planned intervals. A policy should be specific enough to guide decisions about AI development and use, including who can approve an AI system, what risk criteria apply and how third-party AI systems are reviewed.
A.3: Internal organization
A.3 focuses on internal organization: defined AI roles and responsibilities and a process for raising and handling concerns about AI systems. AI governance often spans business owners, data teams, legal, compliance, security, privacy, procurement and platform teams, so the control objective is to make accountability visible before an issue appears.
A.4: Resources for AI systems
A.4 addresses the resources required to develop, deploy and operate AI systems, including data, tooling, infrastructure, system resources and human oversight. For a production AI system, this may include approved data sets, model development environments, monitoring tools, review workflows and escalation paths.
A.5: Assessing impacts of AI systems
A.5 covers impact assessments. These assessments help organizations evaluate how an AI system could affect individuals, groups, business processes or external stakeholders before and after deployment.
An impact assessment might examine whether an AI system influences access to a service, produces recommendations that affect people, processes sensitive attributes or creates operational dependency in a critical workflow.
A.6: AI system lifecycle
A.6 covers lifecycle processes, including requirements, design, verification, validation, deployment, operation and decommissioning. The control category reflects a basic governance reality: AI risk changes as systems move through stages.
A model that looks acceptable in development may behave differently after it connects to live data, receives new prompts, serves a broader user base or becomes part of an automated workflow.
A.7: Data for AI systems
A.7 addresses data acquisition, quality, provenance and preparation. These controls are especially important because AI systems often inherit risk from their data. If a training set, prompt context, feature table or retrieval corpus lacks ownership, lineage, quality checks or usage constraints, the model’s output can become difficult to trust or defend.
Strong controls in this category typically require teams to document where data came from, what transformations were applied, what quality thresholds apply and which usage restrictions follow the data into AI workflows.
A.8: Information for interested parties
A.8 covers information provided to interested parties, including documentation, communication and reporting. Depending on the AI system, those parties may include customers, regulators, internal reviewers, business users, auditors or people affected by the system’s outputs.
This category can include model documentation, user instructions, risk disclosures, known limitations, monitoring reports and incident communication processes.
A.9: Use of AI systems
A.9 focuses on responsible use and decommissioning. Organizations need processes that govern how AI systems are used after they go live, including acceptable use, user responsibilities, monitoring expectations and retirement criteria.
This matters for gen AI and agentic systems, where the same underlying capability can be used in different workflows with different risk profiles.
A.10: Third-party and customer relationships
A.10 addresses supplier and customer responsibilities. AI systems often depend on external models, SaaS products, data providers, integration partners or downstream customers. The controls help clarify who is responsible for what, what evidence is required and how changes in third-party services are reviewed.
QUICK TIP
Start by defining the AI systems in scope and the evidence you’ll need to prove controls are working, because ISO 42001 certification depends on showing governance in practice, not just having policies written down.
How ISO 42001 certification works
ISO/IEC 42001 certification follows the familiar management system certification path used for other ISO standards. The details vary by organization, scope and certification body, but most programs move through the same basic sequence.
Readiness or gap analysis: The organization assesses current AI governance practices against ISO 42001 requirements. This usually identifies missing scope definitions, undocumented responsibilities, inconsistent risk assessments, weak lifecycle controls or insufficient audit evidence.
AIMS buildout: The organization establishes or updates the AIMS. This includes policies, procedures, risk assessments, impact assessments, lifecycle controls, documentation practices, training, reporting and a Statement of Applicability for Annex A controls.
Internal audit: Before the certification audit, the organization performs an internal audit to test whether the AIMS meets requirements and whether controls are operating as described.
Stage 1 certification audit: The certification body reviews readiness, scope and documentation. The goal is to determine whether the organization is prepared for the Stage 2 audit of the implemented AIMS.
Stage 2 certification audit: The auditor verifies that the AIMS is implemented and operating. This may include interviews, evidence review, sampling, control testing and examination of management review records.
Surveillance audits and recertification: Certification is not a one-time event. Organizations typically undergo annual surveillance audits and recertification every three years, which reinforces the standard’s continual improvement model.
Organizations may work with accredited certification bodies such as BSI, Schellman, A-LIGN, Mazars, TÜV or DNV, depending on geography, scope and availability. The time to certification varies widely, but most organizations should plan for a 6–18 month effort, with shorter timelines more likely when they already operate mature ISO 27001, ISO 9001 or similar management systems.
ISO 42001 compared to other AI frameworks
ISO 42001 does not replace every AI governance framework or legal obligation. It works best when organizations understand what it’s designed to do: establish a certifiable AI management system.
| Framework or standard | What it is | How it relates to ISO 42001 |
|---|---|---|
| NIST AI RMF | A voluntary U.S. framework for managing AI risks through Govern, Map, Measure and Manage functions | NIST AI RMF provides risk management methodology; ISO 42001 provides the certifiable AIMS structure. |
| EU AI Act | Binding EU law for AI systems, with obligations based on risk category | ISO 42001 is voluntary, but it can support quality management, risk management and monitoring processes required for high-risk AI systems. |
| ISO/IEC 23894 | Guidance for AI risk management | ISO/IEC 23894 helps organizations manage AI-specific risk; ISO 42001 is the certifiable management system standard that can incorporate those risk processes. |
| ISO/IEC 22989 | AI terminology and concepts | ISO/IEC 22989 supports consistent AI vocabulary, which helps teams document and communicate within an AIMS. |
| ISO/IEC 23053 | Conceptual framework for AI systems using ML | ISO/IEC 23053 helps describe AI system components and functions; ISO 42001 governs the management system around AI development, deployment and use. |
| SOC 2 | A controls attestation report, commonly used for security, availability, confidentiality, processing integrity and privacy | SOC 2 can provide assurance over selected control criteria, while ISO 42001 is an ISO management system standard specific to AI governance. |
Many organizations will use these frameworks together. A team might use NIST AI RMF to structure AI risk analysis, ISO/IEC 23894 to deepen risk management practices, ISO/IEC 22989 to align vocabulary and ISO 42001 to establish the AIMS that makes those practices repeatable and auditable.
ISO/IEC 42001 and Snowflake
Snowflake is ISO/IEC 42001 certified, meaning an accredited third party has audited Snowflake’s AIMS against the standard’s requirements for responsible AI governance, and audit evidence is available to customers through Snowflake’s Compliance Center.
For customers building their own ISO 42001 programs, a certified platform can support aspects of the data and AI governance control environment. It does not certify a customer’s own AIMS, because each organization still owns its AI use cases, risk assessments, impact assessments, policies and operational decisions. But it can help organizations organize evidence that core data and infrastructure controls are governed, documented and auditable.
Snowflake capabilities can support several Annex A control areas:
Snowflake Horizon Catalog is designed to provide broad traceability and visibility, helping teams govern data, apps and models with metadata, lineage, access history, classification, tagging and policy enforcement. Horizon is a way to manage data governance across Snowflake and external storage, with Access History and Time Travel features supporting review of past activity and data states. These capabilities are relevant to Annex A controls for AI data, lifecycle documentation, access governance and reporting.
Cortex Guard supports safer use of AI systems by helping filter potentially unsafe LLM inputs and outputs, which can support controls related to human oversight, responsible use and information provided to users.
Model Registry helps teams manage model lifecycle metadata, versions and deployment context, which supports controls for lifecycle governance, documentation and operational review.
Together, these capabilities help organizations attach governance to the objects AI systems depend on — data sets, models, policies, lineage paths, access history, documentation and usage signals. This is especially important for ISO 42001 because certification depends on evidence. A team must be able to show not only that a policy exists, but also that the relevant controls are applied, reviewed and improved over time.
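As an added example (not Snowflake documentation and not the article's own code), the queries below show one way to turn the tagging, Access History and Time Travel capabilities described above into reviewable evidence for an A.7 (data) or A.4 (resources) control: which governed datasets feed AI systems, who read them in the review window, and what the training input looked like at the moment a model was approved. Assumptions, all hypothetical: a tag `GOVERNANCE.TAGS.AI_DATA_USE` has been applied to the tables and views that feed AI systems, the table `ANALYTICS.ML.CUSTOMER_FEATURES` and the approval timestamp are placeholders, and the reviewer's role can read the `SNOWFLAKE.ACCOUNT_USAGE` views.

```sql
-- Added example, not Snowflake's own code. Tag name, table name and timestamp are
-- hypothetical; the ACCOUNT_USAGE views and their columns are the documented ones.

-- 1. Objects in scope for the AI data control: every table/view carrying the
--    AI_DATA_USE tag. The tag value records the approved purpose for that data.
WITH ai_data_objects AS (
    SELECT
        object_database || '.' || object_schema || '.' || object_name AS object_fqn,
        tag_value AS approved_use
    FROM snowflake.account_usage.tag_references
    WHERE tag_database = 'GOVERNANCE'
      AND tag_schema   = 'TAGS'
      AND tag_name     = 'AI_DATA_USE'
      AND domain       IN ('TABLE', 'VIEW')
),
-- 2. Reads of those objects during the review window. ACCESS_HISTORY stores the
--    base objects touched by each query as a JSON array, so FLATTEN it first.
reads AS (
    SELECT
        ah.query_start_time,
        ah.user_name,
        ah.query_id,
        obj.value:objectName::string AS object_fqn
    FROM snowflake.account_usage.access_history AS ah,
         LATERAL FLATTEN(input => ah.base_objects_accessed) AS obj
    WHERE ah.query_start_time >= DATEADD(day, -90, CURRENT_TIMESTAMP())
      AND obj.value:objectDomain::string IN ('Table', 'View')
)
-- 3. One evidence row per (dataset, user): access volume and first/last access,
--    next to the approved use so a reviewer can spot readers outside the expected
--    pipeline or service roles.
SELECT
    d.object_fqn,
    d.approved_use,
    r.user_name,
    COUNT(*)                AS query_count,
    MIN(r.query_start_time) AS first_access,
    MAX(r.query_start_time) AS last_access
FROM ai_data_objects AS d
JOIN reads AS r
  ON r.object_fqn = d.object_fqn
GROUP BY d.object_fqn, d.approved_use, r.user_name
ORDER BY d.object_fqn, query_count DESC;

-- 4. For a model approved at a recorded time, Time Travel reproduces the training
--    input the approver saw (within the table's data retention period). Storing the
--    row count and content hash with the approval record lets a later audit confirm
--    the model was validated against the data the lifecycle record claims.
SELECT
    COUNT(*)    AS row_count,
    HASH_AGG(*) AS content_hash
FROM analytics.ml.customer_features
AT (TIMESTAMP => '2024-05-01 09:00:00'::TIMESTAMP_LTZ);
```

Two caveats a reviewer should note when attaching this output to an audit file: ACCOUNT_USAGE views are populated with a latency of up to a few hours, so the query should be run after the review window closes rather than at its boundary, and Time Travel only reaches back as far as the object's configured retention period, so the row count and hash should be captured at approval time and stored, not recomputed months later.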
Making AI governance auditable
ISO 42001 gives organizations a practical way to move AI governance from principle to process. A team still has to decide which AI systems are in scope, who owns them, what risks matter, which controls apply and what evidence proves those controls are working. But the standard provides the structure for making those decisions consistently.
When an AI system relies on governed data, a documented model lifecycle, defined human oversight, supplier controls, impact assessments, monitoring and corrective action, governance becomes part of how the system operates. That’s the value of ISO 42001 — it gives AI programs a management system that can be reviewed, audited and improved as the technology, organization and regulatory environment continue to change.
KEY TAKEAWAY
ISO/IEC 42001 helps teams turn AI governance from a set of policies into an auditable management system with defined ownership, risk treatment, controls, evidence, internal audits and continual improvement cycles.
Frequently Asked Questions
Your common questions about ISO/IEC 42001, answered by Snowflake experts.
Is ISO 42001 certifiable?
Yes. ISO/IEC 42001 is a certifiable management system standard. Accredited certification bodies can audit an organization’s AIMS and issue certification, typically with annual surveillance audits and recertification every three years.
How long does ISO 42001 certification take?
ISO 42001 certification commonly takes 6–18 months, depending on the organization’s scope, AI maturity and existing management system practices.
Is ISO 42001 required for the EU AI Act?
No. ISO 42001 is a voluntary standard, while the EU AI Act is binding law. However, ISO 42001 can provide a strong foundation for EU AI Act readiness because the Act includes obligations for quality management systems, risk management systems and post-market monitoring for high-risk AI systems.
How does ISO 42001 relate to NIST AI RMF?
ISO 42001 and NIST AI RMF are complementary. NIST AI RMF is a voluntary framework for managing AI risks through Govern, Map, Measure and Manage functions. ISO 42001 is a certifiable international management system standard for AI. Many organizations use NIST AI RMF for risk methodology and ISO 42001 for the AIMS structure that makes governance auditable.