ISO/IEC 42001, published in late 2023, is the first certifiable management-system standard for AI. Demand has followed the familiar arc: first the early adopters, then the procurement questionnaires, and now boards asking management directly — should we certify? Our answer is a question back: do you want an AI management system, or a certificate? They are not the same purchase.
What 42001 actually certifies
Like ISO 27001 before it, 42001 certifies a management system, not the AI itself. It attests that you have defined scope, roles, risk criteria and controls for how AI is developed and used — and that the system operates: risks get assessed, controls get reviewed, incidents get handled, management actually looks at it. A certificate does not say your model is fair or your chatbot is safe. It says your organisation runs a disciplined process for finding out.
The signal, when it's real
For organisations selling into regulated or enterprise markets, certification answers a real question — "can we trust your AI governance without auditing you ourselves?" — at a fraction of the cost of every client running its own assessment. It also forces internal clarity that most AI programmes lack: an inventory, an accountable owner per system, a risk method. In the GCC, where boards request third-party AI assurance more each quarter, a certified AIMS is becoming the credible baseline.
A certificate does not say your AI is safe. It says you run a disciplined process for finding out — which is exactly what boards and regulators can verify.
The checkbox, when it isn't
The failure mode is equally familiar from 27001's history: a documentation sprint before the certification audit, a management system that exists in SharePoint and nowhere else, and twelve dormant months until the surveillance audit forces another sprint. Certifiers test the system's records; a determined organisation can manufacture records. The market eventually notices — and a regulator examining an incident notices immediately. A paper AIMS at that moment is worse than none: it documents that you knew what good looked like.
How to decide, and how to sequence
- Certify if a market or client base will rely on it — that is what certificates are for. Skip it if no one outside will ever ask; run the management system anyway.
- Build the AIMS to run first, certify second. Operating the system for two quarters before the stage-one audit is the single best predictor of a clean certification.
- Size the scope honestly. Certifying a narrow scope you actually operate beats certifying the whole enterprise on paper.
- Keep the internal audit of the AIMS genuinely independent — it is both a 42001 requirement and the early-warning system for drift back to paper.
Key takeaways
- 42001 certifies the management system, not the AI — discipline, not safety.
- Certification pays for itself where clients or regulators would otherwise audit you individually.
- Operate first, certify second; a paper AIMS is worse than none in front of a regulator.
- Scope small and real rather than broad and theoretical.