ISO/IEC 42001:2023 (AI Management System)
AI Management System (AIMS) standard published in December 2023 by ISO/IEC JTC 1/SC 42, and the first international management system standard dedicated to AI governance. It adopts the Harmonized Structure (Clauses 4-10) and is aligned to ISO/IEC 27001. Annex A contains 38 AI-specific controls organised into 9 control objectives (A.2 Policies, A.3 Internal organisation, A.4 Resources, A.5 Impact assessment, A.6 Life cycle, A.7 Data, A.8 Information for interested parties, A.9 Use, A.10 Third-party). The standard is risk-based and requires a Statement of Applicability. It is certifiable, with a three-year certification cycle and annual surveillance audits.
Composition
45 controls currently indexed; participates in 21 cross-framework synthesis clusters.
Participates in synthesis
Each cluster listed below combines this framework's controls with operationally equivalent controls from other frameworks, resolving the overlap into a single audit-defensible specification.
- AI conformity assessment, EU database registration, regulatory sandbox
- AI data governance — provenance, preparation, external reporting
- AI governance lifecycle — GOVERN function and inventory
- AI lifecycle — policies, safety mindset, environmental impact
- AI policy and AIMS leadership commitment
- AI post-deployment monitoring and incident response
- AI principles — Seven Sutras + ISO 42001 + NIST + EU AI Act literacy
- AI resource inventory — data, tooling, systems, people across AI lifecycle
- AI roles and responsibilities across the lifecycle
- AI supplier management — third-party AI systems and components
- AI system impact assessment (AISIA / FRIA / DPIA convergence)
- AI transparency — fairness, explainability, deep fake disclosure
- AI-generated content provenance — C2PA, watermarking, SGI
- Automated Decision-Making Technology — pre-use notice, opt-out, access rights
- Data Protection Impact Assessment / risk assessment for high-risk processing
- General-Purpose AI model provider obligations
- India-specific AI risk classification reflecting societal context
- PIMS context — Clauses 4-5 management system context and leadership
- Processing integrity — change management, redundancy, clock synchronisation, storage integrity
- Responsible AI use — operational guardrails
- SDF algorithmic due diligence and traffic-data localisation