ISO/IEC 42001, published in late 2023, is the first certifiable management-system standard for AI. Demand has followed the familiar arc: first the early adopters, then the procurement questionnaires, and now boards asking management directly — should we certify? Our answer is a question back: do you want an AI management system, or a certificate? They are not the same purchase.

What 42001 actually certifies

Like ISO 27001 before it, 42001 certifies a management system, not the AI itself. It attests that you have defined scope, roles, risk criteria and controls for how AI is developed and used — and that the system operates: risks get assessed, controls get reviewed, incidents get handled, management actually looks at it. A certificate does not say your model is fair or your chatbot is safe. It says your organisation runs a disciplined process for finding out.

The signal, when it's real

For organisations selling into regulated or enterprise markets, certification answers a real question — "can we trust your AI governance without auditing you ourselves?" — at a fraction of the cost of every client running its own assessment. It also forces internal clarity that most AI programmes lack: an inventory, an accountable owner per system, a risk method. In the GCC, where boards request third-party AI assurance more each quarter, a certified AIMS is becoming the credible baseline.

A certificate does not say your AI is safe. It says you run a disciplined process for finding out — which is exactly what boards and regulators can verify.

The checkbox, when it isn't

The failure mode is equally familiar from 27001's history: a documentation sprint before the certification audit, a management system that exists in SharePoint and nowhere else, and twelve dormant months until the surveillance audit forces another sprint. Certifiers test the system's records; a determined organisation can manufacture records. The market eventually notices — and a regulator examining an incident notices immediately. A paper AIMS at that moment is worse than none: it documents that you knew what good looked like.

How to decide, and how to sequence

  • Certify if a market or client base will rely on it — that is what certificates are for. Skip it if no one outside will ever ask; run the management system anyway.
  • Build the AIMS to run first, certify second. Operating the system for two quarters before the stage-one audit is the single best predictor of a clean certification.
  • Size the scope honestly. Certifying a narrow scope you actually operate beats certifying the whole enterprise on paper.
  • Keep the internal audit of the AIMS genuinely independent — it is both a 42001 requirement and the early-warning system for drift back to paper.

Key takeaways

  • 42001 certifies the management system, not the AI — discipline, not safety.
  • Certification pays for itself where clients or regulators would otherwise audit you individually.
  • Operate first, certify second; a paper AIMS is worse than none in front of a regulator.
  • Scope small and real rather than broad and theoretical.