
June 11, 2026

ISO 42001 AI Management System: What It Actually Audits And What Most Companies Get Wrong

Most organizations preparing for ISO 42001 certification spend weeks writing AI policies. Then the Stage 2 auditor arrives and asks for evidence. Here is a clause-by-clause breakdown of what gets examined, what evidence auditors expect to see, and the gaps that consistently derail certification.

What ISO 42001 Actually Governs and Why It's Different from What You're Used To

ISO 42001 is an international standard for AI management systems. It governs how organizations develop, deploy, and monitor artificial intelligence responsibly, covering algorithmic risk, the potential impact of AI on people and society, human oversight of automated decisions, and AI bias monitoring across the full system lifecycle.

This is meaningfully different from ISO 27001, which governs information security: protecting data confidentiality, integrity, and availability. The two standards share the same High-Level Structure (HLS), which means organizations with an existing ISO 27001 program can reuse their management system infrastructure: internal audit programs, document control, management review cycles, and risk methodology frameworks. That head start is real. But the control requirements in ISO 42001 address a completely different category of risk.

A healthcare company using AI to support clinical triage decisions, or a fintech using AI to score loan applications, faces risks that ISO 27001 was never designed to address: what happens when the model is biased, when its outputs affect people disproportionately, or when it behaves unpredictably at the edge of its training distribution. ISO 42001 is the framework built specifically for those risks. An organization can be fully ISO 27001 certified and have zero adequate governance over its AI systems.

Why ISO 42001 Certification Has Become a Procurement Requirement in 2026

In 2023, ISO 42001 was a forward-looking standard that a handful of early adopters were tracking. By 2026, it has moved into enterprise procurement questionnaires, regulatory reference frameworks, and vendor assessment requirements across financial services, healthcare, and government contracting. Three forces drove that shift.

The EU AI Act. The Act's first compliance deadlines landed in August 2024. The conformity assessment requirements for high-risk AI systems explicitly reference management system approaches, and ISO 42001 has emerged as the primary framework for demonstrating structured AI governance in EU regulatory contexts.

Enterprise procurement pressure. Large buyers have begun requiring evidence of AI governance from vendors that use or build AI in services they procure. ISO 42001 certification provides that evidence at scale without bespoke audits for each customer relationship.

Ubiquitous AI use, minimal governance. By 2026, most technology companies use AI tools in some capacity for code generation, customer service, data analysis, or product features. The majority have no structured governance over those systems. ISO 42001 gives organizations a framework to build that governance in a way that is auditable, internationally recognized, and scalable.


The 6 Audit Domains: What Auditors Actually Examine

ISO 42001 certification follows a two-stage audit process. Stage 1 is a documentation review: does the management system exist on paper? Stage 2 is where certification is won or lost: auditors verify that documented controls are implemented and operational. The six domains below are the areas most heavily examined at Stage 2, with the specific evidence auditors request in each.

The 3 Things Most Companies Get Wrong

These patterns recur across ISO 42001 Stage 2 audits. They are not failures of intent; organizations pursuing certification are genuinely trying to get it right. They are failures of implementation design: confusing the existence of a document with the operation of a control.


How to Prepare for ISO 42001 Certification: A Stage-by-Stage Approach

The preparation sequence that consistently works follows the same logic: scope first, gap second, evidence third, internal audit fourth, then certify. Rushing the evidence accumulation phase, the most common shortcut, is the single most frequent cause of deferred certification.


How Long Does ISO 42001 Certification Take?

Timeline varies significantly by organization maturity. The two most important variables are the number of AI systems in scope and whether a management system is already in operation at the organization.


The critical path is evidence accumulation, not documentation. Policies can be written in days. Operational evidence requires controls to be running long enough to produce a meaningful record: human oversight logs, monitoring data, management review minutes, and training records all need time to exist. Organizations that begin implementation and immediately target certification without allowing adequate evidence accumulation consistently encounter deferrals.

One timeline variable most organizations underestimate: assessor availability. ISO 42001 is a newer standard, and the pool of accredited auditors is smaller than for ISO 27001. Booking your Stage 1 audit with a certification body before you expect to be ready is a sensible approach; audit slots fill, and a confirmed date often focuses preparation effort effectively.