ISO/IEC 42001 and What It Entails
June 7, 2026
Article Summary
- ISO/IEC 42001 provides a structured framework for AI governance, helping organizations manage AI-related risks such as bias, transparency, accountability, data quality, and human oversight through an Artificial Intelligence Management System (AIMS).
- Organizations with existing SOC 2 controls can build upon their current compliance programs by adding AI-specific governance measures, including AI policies, governance committees, inventories, impact assessments, lifecycle controls, monitoring, and transparency documentation.
- A SOC 2 + ISO/IEC 42001 report demonstrates both security and AI governance maturity, helping organizations provide stakeholders with independent assurance that AI-related risks are being managed in a structured, auditable, and responsible manner.
The need for an AI governance framework becomes clearer when looking at real-world examples of what can go wrong. Amazon, for example, built an experimental hiring tool to help identify the best candidates, then abandoned it after discovering that it produced outcomes biased against women: the model had learned from historical recruiting data that reflected past imbalances. Google Photos drew significant criticism after its image-labeling system applied a deeply inappropriate and harmful label to photos of Black people. These examples show that AI risk is not limited to cybersecurity or system uptime; it also includes data quality, model boundaries, fairness, human oversight, and the potential for harm to individuals and society. Organizations therefore need a formal management system to address these risks, and ISO/IEC 42001 provides a structured framework for governing them in a more disciplined, transparent, secure, and accountable manner.
How ISO/IEC 42001 Is Structured
At a high level, ISO/IEC 42001 helps organizations establish an Artificial Intelligence Management System (AIMS) through both management system requirements, referred to by ISO as clauses, and more detailed technical and operational controls contained in Annex A. The core clauses address foundational governance areas such as organizational context, leadership, planning, support, operation, performance evaluation, and continual improvement. In essence, they help organizations identify AI-related risks and determine how those risks should be managed. In addition, Annex A provides a more specific set of AI-focused technical and operational controls to address those risks, including policies, defined roles and responsibilities, resource documentation, data and tooling, impact assessments, development and deployment practices, monitoring, transparency communications, responsible use, and supplier relationship management. Together, the clauses and Annex A controls move organizations beyond broad AI principles and into documented, repeatable, and auditable practices.
Incremental ISO 42001 Technical and Operational Requirements
Organizations that have already undergone a SOC 2 audit often have many of the foundational security, risk assessment, control, and monitoring practices already in place. As a result, they are not starting from zero when considering ISO/IEC 42001. Instead, they can build on their existing SOC 2 control environment by incorporating additional AI-specific governance, risk, transparency, and lifecycle controls into their existing control framework. These incremental controls may include the following:
- AI Policy – A documented policy should define the organization’s principles for responsible AI use, governance expectations, risk management approach, roles, and compliance commitments. The policy can also address how the organization handles deviations and exceptions, aligns AI requirements with existing security and privacy policies, and restricts the use of company or customer data in external public AI models.
- AI Governance Committee – Organizations should establish a cross-functional oversight group responsible for decision-making, accountability, escalation, and ongoing review of AI-related risks and initiatives. In practice, this committee often oversees strategic direction, ethical guidelines, data quality, privacy, security, and resource allocation for AI initiatives, with representation from relevant stakeholders.
- AI Inventory – Organizations should maintain a current inventory of AI systems, models, tools, use cases, owners, vendors, and business purposes so they know what AI exists in their environment. This inventory should also document data resources, tooling resources, system and computing resources, and human resources and competencies that support the AI system lifecycle.
- AI System Impact Assessments – Before deployment and as systems change, organizations should assess the potential operational, regulatory, ethical, privacy, and business impacts of AI use cases. This includes defining when assessments are required, who performs them, how results are documented, and how they are used to evaluate impacts related to fairness, accountability, transparency, privacy, security, accessibility, and broader societal effects.
- AI SDLC Controls – AI should be governed throughout the system development lifecycle, including design, development, testing, validation, implementation, change management, and retirement. Practical examples include requiring an AI system implementation plan before development, documenting responsible AI objectives such as fairness and non-discrimination, performing peer review and security impact analysis before release, requiring human approval of final code merges, restricting AI agents from moving code into production, and limiting AI configuration access to authorized personnel. For these controls to be auditable, AI agents and coding assistants should operate under their own identities and credentials, separate from those of the engineers who supervise them, so that every approval and production change can be attributed to a person.
- AI Monitoring Controls – Once in use, AI systems should be subject to ongoing monitoring of access, model drift, performance, bias and fairness, ethical concerns, and audit log activity to support continued trust and accountability. Examples of monitoring controls include reviewing AI-related audit logs, monitoring for unusual trends and inappropriate AI use, performing periodic internal audits of AI systems, and using tools such as bias detection, data profiling, data lineage, and security monitoring where appropriate.
- AI Transparency Documents (External Facing) – Where appropriate, organizations should prepare external disclosures or transparency documentation that explain how AI is used, what users should know, and what limitations or safeguards apply. These materials can communicate intended purpose, usage expectations, human oversight needs, technical limitations, monitoring capabilities, and relevant impact information to customers and other interested parties.
SOC 2 + ISO/IEC 42001 Report
Organizations can include ISO/IEC 42001 controls as part of their existing SOC 2 report through a SOC 2 + ISO/IEC 42001 report. Such a report covers both traditional SOC 2 controls and AI governance controls in a single integrated examination, with an independent third party reporting on whether those controls are suitably designed and, in a Type 2 examination, operating effectively over the review period. Obtaining a SOC 2 + ISO/IEC 42001 report can help demonstrate to the organization’s customers, users, and other stakeholders that the organization is actively addressing AI-related risks in a structured and auditable way.
In short, ISO/IEC 42001 is not just about having AI tools in place; it is about governing AI responsibly. For organizations pursuing a SOC 2 + ISO/IEC 42001 report, focusing on these core areas can provide a practical starting point for building a defensible and auditable AI governance program. If you are interested in obtaining a SOC 2 + ISO/IEC 42001 report, please contact one of our Larson advisors for details.
Note: Larson & Company is not a certifying body. As such, SOC 2 + ISO/IEC 42001 reports are not certificates, but attestation reports that illustrate how the organization’s controls align with these standards.
For additional guidance, please contact the Larson & Company SOC Team.
Frequently Asked Questions About ISO/IEC 42001
What is ISO/IEC 42001?
ISO/IEC 42001 is an international standard that helps organizations establish and maintain an Artificial Intelligence Management System (AIMS). It provides governance, risk management, operational, and technical requirements for the responsible development, deployment, and oversight of AI systems.
What additional controls are needed for ISO/IEC 42001 if an organization already has SOC 2?
Organizations with SOC 2 controls often already have foundational security and risk management practices in place. To align with ISO/IEC 42001, they typically add AI-specific controls such as AI governance policies, AI inventories, impact assessments, AI lifecycle management procedures, monitoring controls, transparency documentation, and governance oversight committees.
What is a SOC 2 + ISO/IEC 42001 report?
A SOC 2 + ISO/IEC 42001 report is a combined examination that evaluates both traditional SOC 2 controls and AI governance controls based on ISO/IEC 42001 requirements. The report provides independent assurance that an organization has implemented and operates controls to manage cybersecurity, privacy, and AI-related risks effectively.
Andrew is an Audit Partner and the leader of our Emerging Industries and Small to Medium Sized Business Practice Groups. He is an expert in IT auditing services and compliance issues for a wide range of companies.