ISO/IEC 42001 — AI management system
Note: this explainer is informational and framework references are never a compliance guarantee — certification against ISO/IEC 42001 is granted by an accredited body, not by any single tool. Align your program with your auditor.
ISO/IEC 42001:2023 is the world's first AI management system (AIMS) standard, published in December 2023. It specifies the requirements to establish, implement, maintain, and continually improve a management system for the responsible development and use of AI within an organisation. Official standard: ISO/IEC 42001:2023.
Who it applies to
The standard is written for any organisation that provides or uses AI-based products or services, regardless of size or sector. It sits alongside familiar management-system standards (like ISO/IEC 27001 for information security) and follows the same structure, so it slots into an existing governance program.
The core requirements
An AIMS under 42001 asks an organisation to run AI governance as a continual cycle:
- Context and leadership — define the scope of AI use and assign accountability.
- AI risk and impact assessment — identify and evaluate risks the AI systems pose to people and the organisation.
- Operational controls — apply controls across the AI system lifecycle, including oversight of third-party tools and suppliers (Annex A).
- Monitoring and improvement — measure performance and correct course over time.
Much of this depends on a truthful, current picture of which AI systems are in use — the part that is hardest to keep accurate by hand.
How Shield maps to it
Shield is an operational control that contributes to specific parts of an AIMS — it does not, on its own, certify you:
- Discovery maintains a live inventory of the AI tools in use, including unsanctioned and third-party ones — evidence for the operational-control and monitoring clauses: review discovered tools.
- Policies and enforcement modes are documented, enforceable controls over AI data flows: enforcement modes.
- The audit log provides the tamper-resistant records that monitoring and internal-audit steps rely on: audit log and export.
Applying the ISO 42001 / NIST bundle from the preset library gives you framework-labelled policies that map to these controls in minutes.
Was this article helpful?
Related articles
Apply policy presets and bundles
Deploy compliance-ready policies from the preset library — EU AI Act, GDPR, DIFC, Korea AI Basic Act, US AI in Employment, and ISO 42001/NIST bundles.
Read articleNIST AI Risk Management Framework (AI RMF)
The NIST AI Risk Management Framework (AI RMF 1.0) is a voluntary framework for managing AI risk. Its four functions — Govern, Map, Measure, Manage — and how Shield supports them.
Read articleDIFC Regulation 10 — AI & autonomous systems
DIFC Regulation 10 governs personal data processed through autonomous and semi-autonomous systems. Who counts as Deployer and Operator, the core duties, and how Shield helps you meet them.
Read articleEU AI Act Article 26 — Deployer obligations
Article 26 defines your duties when deploying high-risk AI — applicable from December 2027 under the Digital Omnibus. What paragraphs (1), (5), and (6) require and how Shield prepares you now.
Read articleStill stuck?
Send us the details — we answer within one business day.