ISO/IEC 42001 is the first international management system standard designed specifically for artificial intelligence. Published in 2023, it gives organizations a structured way to identify, manage, and demonstrate responsible AI practices across the full lifecycle of AI systems. If your organization deploys AI agents, the standard is directly relevant: agents are autonomous AI systems operating within or on behalf of your organization, and every clause that applies to AI systems applies to them. For teams also navigating the EU AI Act alongside ISO 42001, see The EU AI Act Explained for Engineering Teams for a side-by-side comparison of obligations.
What ISO/IEC 42001 actually requires
The standard follows the familiar ISO high-level structure (Annex SL), so it integrates cleanly with ISO 27001, ISO 9001, and other management system standards you may already hold. Its scope is an AI Management System (AIMS) — a set of policies, processes, and controls that govern how an organization develops, deploys, and monitors AI.
The headline requirements cluster into four areas:
- Context and scope. Define which AI systems are in scope, identify internal and external stakeholders with interests in those systems, and document the organization's roles (developer, deployer, or both).
- Risk and impact assessment. Conduct structured assessments of the risks AI systems pose — to individuals, groups, and society — and document how those risks are treated.
- Controls and objectives. Select controls from Annex A (or justify their exclusion), set measurable objectives, and demonstrate that controls are operating effectively.
- Monitoring, measurement, and improvement. Continuously evaluate control performance, audit the AIMS, and act on findings.
The standard does not prescribe specific technologies. It defines what you must achieve — accountability, traceability, risk management, continuous improvement — and leaves the implementation to you.
Where agents create specific compliance obligations
A traditional AI deployment might be a single model embedded in a product. AI agents are different: they act autonomously, make sequential decisions, call external tools, delegate tasks to other agents, and accumulate costs — all without a human approving each step. This makes several ISO 42001 requirements more demanding in practice.
Accountability and traceability. The standard requires that actions taken by AI systems be attributable and auditable. With agents, attribution is harder because a single request can trigger a cascade of agent actions, tool calls, and sub-delegations. The audit trail must capture not just the initial request but every downstream action, which agent took it, which tool was invoked, and what data was touched.
Impact assessment. The standard requires an AI system impact assessment (clause 6.1.4), and Annex B, which gives implementation guidance for the Annex A controls, covers how to carry one out. For agents that process personal data, make decisions with material consequences, or interact with external parties, the assessment must reflect the autonomous nature of the system, including failure modes such as runaway loops, prompt injection, and cost overruns.
Data governance. Agents often ingest data from multiple sources and pass it between systems. The standard expects controls over what data AI systems can access and process. Applying the principle of least privilege — giving each agent access only to the data it needs for its specific task — is a natural fit for this requirement.
Human oversight. ISO 42001 places significant weight on human control and the ability to intervene. For agents, this means having a clear mechanism to pause, revoke, or constrain agent activity, not just after an incident but as a routine operational capability.
Mapping controls to Annex A
Annex A of ISO 42001 lists controls organized into domains A.2 through A.10. The following table maps the most agent-relevant domains to the governance capabilities that address them. Domain numbers follow ISO/IEC 42001:2023; note that event logging is a lifecycle control under A.6 rather than a domain of its own.
| Annex A domain | Agent governance capability |
|---|---|
| Policies related to AI (A.2) | Organizational AI use policy, per-agent deployment scope |
| Internal organization: roles and responsibilities (A.3) | Role-based access control, per-role permissions on agent management |
| Resources for AI systems (A.4) | Budget policies, spend attribution per agent |
| Assessing impacts of AI systems (A.5) | Risk classification per agent, documented impact assessments |
| AI system life cycle (A.6) | Version tracking, deployment controls, rollback capability |
| Recording of event logs (within A.6) | Tamper-evident audit logs, real-time behavioral monitoring |
| Data for AI systems (A.7) | Data access scoping, PII detection and handling |
| Third-party and customer relationships (A.10) | Agent connection registry, per-connection trust and spend limits |
Not every organization will need every control. The standard allows you to exclude Annex A controls where they are not applicable, provided the exclusion is justified in your Statement of Applicability.
Risk assessment for agentic AI
The risk assessment process is where ISO 42001 diverges most from general security standards. The standard is concerned with AI-specific risks: bias, safety, explainability, and the welfare of people affected by AI decisions — not just confidentiality and availability.
For agents, a practical risk assessment should consider:
- Task scope risk. What harm could result if the agent acts correctly but on bad input, or incorrectly on good input?
- Autonomy risk. At what point in a task does a human need to approve an action? Does the agent have a mechanism for escalation?
- Data risk. What categories of data can the agent access? Is access proportionate to the task?
- Delegation risk. If the agent can call other agents or external tools, what controls exist on that delegation chain?
- Cost risk. Can the agent consume resources in ways that create financial harm?
Documenting these assessments per agent, and revisiting them when an agent's capabilities or deployment context changes, is the core of the AIMS for agentic systems. Organizations subject to the EU AI Act will find that a mature AIMS substantially overlaps with the Act's conformity assessment requirements. A practical framework for tracking maturity across these dimensions is described in An AI Governance Maturity Model.
Evidence and audit readiness
One of the most practical aspects of ISO 42001 compliance — and the one teams underestimate — is the evidence requirement. A certification auditor will ask not just what controls you have, but whether they are operating as intended. For each control in scope, you need to be able to produce:
- A policy or procedure that describes the control
- Records showing the control operated during the audit period
- Evidence of any findings and their remediation
For agent governance, this means audit logs are not optional. They are the primary evidence source for most Annex A controls. The logs need to be retained long enough to cover the audit period, protected against tampering so their integrity can be demonstrated, and organized so that a specific agent's activity during a specific time window can be reconstructed on demand.
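The two properties asked for above, an audit trail that follows a request through every delegation and tool call, and integrity that can be demonstrated to an auditor, can both be met with a hash-chained log. The following is an added illustration written for this article, not Praesidia's code or any product API; the field names (`request_id`, `parent_seq`, `tool`, `data`) and the sample events are constructed for the example.

```python
import hashlib
import json
from typing import List, Optional, Tuple

# The "previous hash" of the very first entry; any fixed constant works.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Canonical JSON so the same record always serializes, and hashes, the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


class AuditLog:
    """Append-only audit log where every entry commits to its predecessor.

    Each entry carries the initial request it belongs to (request_id) and the
    entry that caused it (parent_seq), plus the acting agent, the tool invoked
    and the data touched, so a cascade of delegations can be reconstructed.
    """

    def __init__(self) -> None:
        self.entries: List[dict] = []

    def append(self, ts: str, agent: str, action: str, request_id: str,
               tool: Optional[str] = None, data: Optional[List[str]] = None,
               parent_seq: Optional[int] = None) -> int:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {
            "seq": len(self.entries),
            "ts": ts,                    # ISO 8601 UTC, so string order equals time order
            "agent": agent,
            "action": action,
            "tool": tool,
            "data": data or [],
            "request_id": request_id,
            "parent_seq": parent_seq,
            "prev": prev,                # chain link to the previous entry's hash
        }
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self.entries.append(record)
        return record["seq"]

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute the whole chain; return (ok, index of the first bad entry)."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != i or entry["prev"] != prev:
                return False, i
            if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
                return False, i
            prev = entry["hash"]
        return True, None

    def activity(self, agent: str, start: str, end: str) -> List[dict]:
        """Everything one agent did in the window [start, end)."""
        return [e for e in self.entries if e["agent"] == agent and start <= e["ts"] < end]

    def trace(self, request_id: str) -> List[dict]:
        """The full cascade of actions caused by one initial request."""
        return [e for e in self.entries if e["request_id"] == request_id]


def build_sample_log() -> AuditLog:
    """Constructed sample: one user request fans out across two agents."""
    log = AuditLog()
    root = log.append("2025-03-01T10:00:00Z", "planner-agent", "receive_request", "req-001")
    sub = log.append("2025-03-01T10:00:02Z", "planner-agent", "delegate", "req-001",
                     tool="agent.call", parent_seq=root)
    log.append("2025-03-01T10:00:03Z", "research-agent", "tool_call", "req-001",
               tool="crm.search", data=["customer_records"], parent_seq=sub)
    log.append("2025-03-01T10:00:09Z", "planner-agent", "tool_call", "req-001",
               tool="email.send", data=["customer_records"], parent_seq=root)
    log.append("2025-03-01T10:30:00Z", "research-agent", "tool_call", "req-002",
               tool="web.search")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for e in log.trace("req-001"):
        print(e["seq"], e["agent"], e["action"], e["tool"], e["data"], "caused by", e["parent_seq"])
    # A silent edit of a past record is detected at exactly that entry.
    log.entries[2]["data"] = []
    print("after tampering:", log.verify())
```

`trace()` answers "what did request req-001 cause", `activity()` answers "what did research-agent do between 10:00 and 10:05", and `verify()` pinpoints the first rewritten record. One caveat a reviewer should raise: a hash chain alone only detects edits by someone who cannot recompute the chain. Whoever has write access to the log store can rewrite every hash from the edited entry onward, so the head hash has to be anchored outside that store (signed, or periodically written to WORM storage) for integrity to be demonstrable to an auditor.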
Evidence for risk and impact assessments should be stored alongside the agent records they relate to, so a reviewer can link an agent's current configuration to the documented rationale for its permissions and deployment scope.
Internal audit and management review
ISO 42001 requires periodic internal audits of the AIMS and management reviews that evaluate whether the system is achieving its objectives. For AI agents, this means:
- Periodic access reviews. Who has permission to deploy, modify, or revoke agents? Are those permissions still appropriate? Access-review reports that surface inactive accounts, over-privileged roles, and stale connections make this tractable at scale.
- Control effectiveness reviews. Are guardrails triggering at the expected rate? Are budget controls preventing overruns? Are audit logs complete? These metrics feed the management review.
- Incident review. Any agent incident — a runaway loop, a data access violation, an unexpected external call — should be logged, root-caused, and fed back into the risk assessment for that agent type.
The management review is also where you set or revise objectives. Examples: "All high-risk agents have a documented impact assessment reviewed within the last 12 months" or "No agent credential remains active after the agent is decommissioned."
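The access-review checks listed above and the two example objectives can be turned into a repeatable report over the agent inventory. What follows is an added example for this article, not Praesidia's code or any product API: the inventory shape (`declared_scope`, `risk_tier`, `assessment_reviewed`, credential `last_used`), the thresholds, and the sample records are all assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Review thresholds: assumed policy values, not figures from the standard.
MAX_CREDENTIAL_IDLE = timedelta(days=30)
MAX_ASSESSMENT_AGE = timedelta(days=365)


def review_access(agents: List[dict], credentials: List[dict],
                  now: datetime) -> List[Dict[str, str]]:
    """Produce access-review findings for an agent inventory.

    Checks performed:
      - an active credential whose agent is decommissioned or unknown
      - a credential holding permissions outside the agent's declared scope
      - a credential unused for longer than MAX_CREDENTIAL_IDLE
      - a high-risk agent whose impact assessment review is older than MAX_ASSESSMENT_AGE
    """
    by_id = {a["id"]: a for a in agents}
    findings: List[Dict[str, str]] = []

    for cred in credentials:
        if cred["status"] != "active":
            continue  # revoked credentials are already remediated
        agent = by_id.get(cred["agent_id"])
        if agent is None or agent["status"] == "decommissioned":
            findings.append({"subject": cred["id"], "code": "credential_outlives_agent"})
            continue
        # Least privilege: anything beyond the documented scope is a finding.
        excess = sorted(set(cred["permissions"]) - set(agent["declared_scope"]))
        if excess:
            findings.append({"subject": cred["id"], "code": "over_privileged",
                             "detail": ",".join(excess)})
        if now - cred["last_used"] > MAX_CREDENTIAL_IDLE:
            findings.append({"subject": cred["id"], "code": "stale_credential"})

    for agent in agents:
        if agent["status"] != "active" or agent["risk_tier"] != "high":
            continue
        if now - agent["assessment_reviewed"] > MAX_ASSESSMENT_AGE:
            findings.append({"subject": agent["id"], "code": "assessment_overdue"})
    return findings


def sample_inventory(now: datetime) -> Tuple[List[dict], List[dict]]:
    """Constructed sample inventory exercising each check once."""
    agents = [
        {"id": "billing-agent", "status": "active", "risk_tier": "high",
         "declared_scope": ["invoices:read", "invoices:write"],
         "assessment_reviewed": now - timedelta(days=400)},
        {"id": "research-agent", "status": "active", "risk_tier": "low",
         "declared_scope": ["crm:read", "web:search"],
         "assessment_reviewed": now - timedelta(days=100)},
        {"id": "legacy-agent", "status": "decommissioned", "risk_tier": "low",
         "declared_scope": ["crm:read"],
         "assessment_reviewed": now - timedelta(days=700)},
    ]
    credentials = [
        {"id": "cred-1", "agent_id": "billing-agent", "status": "active",
         "permissions": ["invoices:read", "invoices:write", "customers:write"],
         "last_used": now - timedelta(days=2)},
        {"id": "cred-2", "agent_id": "research-agent", "status": "active",
         "permissions": ["crm:read"], "last_used": now - timedelta(days=45)},
        {"id": "cred-3", "agent_id": "legacy-agent", "status": "active",
         "permissions": ["crm:read"], "last_used": now - timedelta(days=10)},
        {"id": "cred-4", "agent_id": "research-agent", "status": "revoked",
         "permissions": ["web:search"], "last_used": now - timedelta(days=90)},
    ]
    return agents, credentials


def run_review() -> List[Dict[str, str]]:
    """Run the review at a fixed instant so the report is reproducible."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)
    agents, credentials = sample_inventory(now)
    return review_access(agents, credentials, now)


if __name__ == "__main__":
    for f in run_review():
        print(f["subject"], f["code"], f.get("detail", ""))
```

Each finding names the credential or agent it concerns, which is the form an auditor needs: the report for the period, plus a record of what was done about each line, is the evidence that the access review operated. Running it against a fixed `now` also makes two reports comparable, so a finding that persists across reviews shows up as unremediated rather than as new.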
How a governance platform supports an AIMS
Assembling the controls and evidence for ISO 42001 manually is feasible for a small number of agents. At scale — dozens or hundreds of agents across multiple teams and integrations — the operational burden becomes a blocker.
An AI control plane like Praesidia is designed to make the AIMS operational rather than theoretical. It provides structured agent registration (so every agent in scope is known and documented), role-based access controls tied to human identities, per-agent risk classification aligned with ISO 42001 and the EU AI Act, behavioral guardrails that enforce AIMS policies, tamper-evident audit logging with configurable retention, budget controls for the resource management requirements of Annex A, and access-review workflows that generate the evidence auditors expect.
The key principle is that governance should be a property of the platform, not a set of manual processes layered on top. When an agent is deployed, its scope, permissions, and risk classification are documented at that moment. When it acts, those actions are logged automatically. When its credentials are revoked, the revocation is immediate and auditable. This makes the AIMS a living system rather than a compliance exercise conducted once a year. For a deeper look at how audit trails satisfy the evidence requirements auditors expect, see How to Audit AI Agent Activity.
Common questions
Does ISO 42001 certification guarantee AI Act compliance? The two frameworks overlap significantly but are not equivalent. ISO 42001 certification demonstrates that you have a functioning management system for AI. The EU AI Act imposes specific requirements for high-risk AI systems — including conformity assessments, technical documentation, and transparency obligations — that go beyond what a management system standard alone covers. A mature AIMS, however, produces much of the documentation and evidence the AI Act requires, which makes compliance efforts substantially more efficient.
Do we need to certify, or is self-declaration sufficient? The standard can be used in more than one way. Organizations can self-declare conformance, obtain second-party assurance from a customer or partner, or pursue third-party certification from an accredited conformity assessment body. The right approach depends on your customer commitments, regulatory context, and risk appetite. Many organizations start with self-declaration using the standard as a framework, then move toward third-party certification as AI becomes more central to their business.
How often should we reassess agent risk? The standard does not prescribe a fixed cadence, but it requires that assessments remain current. A practical approach is to trigger a reassessment whenever an agent's capabilities change materially, when the data it can access changes, or when an incident reveals a risk that was not previously documented — and to conduct a scheduled review at least annually for all agents classified above your lowest risk tier.