ISO/IEC 42001 AI Management System

Jurisdiction: OECD
voluntary
Effective: Dec 18, 2023
Authority: International Organization for Standardization
Official text Verified Mar 26, 2026

Obligations Covered

Risk Assessment, Data Governance, Record-Keeping & Documentation

Regulatory Crosswalk

Binding regulations that require the same obligations this standard addresses. Implementing this standard can help satisfy these regulatory requirements.

| Regulation | Jurisdiction | Shared Obligations |
|---|---|---|
| Work Health and Safety Amendment (Digital Work Systems) Act 2026 | New South Wales | 1 |
| Privacy Act 1988 — Automated Decision-Making Reforms | Australia | 2 |
| Brazil AI Bill (PL 2338/2023) | Brazil | 1 |
| California Employment Regulations Regarding Automated-Decision Systems | California | 1 |
| California CCPA ADMT Regulations | California | 1 |
| Provisions on the Management of Algorithmic Recommendations | China | 1 |
| Provisions on the Management of Deep Synthesis | China | 1 |
| Interim Measures for Generative AI Services | China | 1 |
| Framework Convention on AI, Human Rights, Democracy and Rule of Law (CETS 225) | Council of Europe | 2 |
| Colorado Privacy Act Rules (4 CCR 904-3) | Colorado | 1 |
| Colorado Protecting Consumers from Unfair Discrimination in Insurance Practices | Colorado | 1 |
| EU AI Act | European Union | 2 |
| Digital Operational Resilience Act (DORA) | European Union | 2 |
| Digital Personal Data Protection Act 2023 (DPDP) | India | 1 |
| IT (Intermediary Guidelines) Amendment Rules 2026 — Synthetic Media | India | 1 |
| Law on Artificial Intelligence | Italy | 1 |
| AI Promotion Act | Japan | 1 |
| AI Basic Act | South Korea | 1 |
| Law on Artificial Intelligence | Kazakhstan | 2 |
| Artificial Intelligence Regulations 2025 | Malta | 1 |
| New York RAISE Act | New York | 1 |
| QCB Artificial Intelligence Guideline | Qatar | 1 |
| Law for the Promotion of Artificial Intelligence and Technologies | El Salvador | 1 |
| Artificial Intelligence Basic Act | Taiwan | 1 |
| UK Online Safety Act 2023 | United Kingdom | 1 |
| EO 14319 — Preventing Woke AI in the Federal Government | United States | 2 |
| Executive Order on AI State Law Preemption | United States | 1 |
| Law on Artificial Intelligence | Vietnam | 1 |

AI Risk Management System

Obligation: Risk Assessment
voluntary
Effective: Dec 18, 2023
Risk tier: all
Scope: providers, deployers

Requirements

| Requirement | Details |
|---|---|
| Risk assessment | Establish processes to identify and assess AI-related risks |
| Risk treatment | Implement controls to treat identified risks |
| Objectives | Set measurable AI management objectives |
| Leadership commitment | Top management must demonstrate commitment to the AI management system |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based, no direct penalties |

AI Data Governance

Obligation: Data Governance
voluntary
Effective: Dec 18, 2023
Risk tier: all
Scope: providers

Requirements

| Requirement | Details |
|---|---|
| Data quality | Establish processes for ensuring AI training and operational data quality |
| Data provenance | Document data sources and lineage |
| Data lifecycle | Manage data throughout the AI system lifecycle |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based |

AI Documentation and Record-Keeping

Obligation: Record Keeping
voluntary
Effective: Dec 18, 2023
Risk tier: all
Scope: providers, deployers

Requirements

| Requirement | Details |
|---|---|
| Documented information | Maintain documented information required by the AI management system |
| Performance evaluation | Monitor, measure, analyze, and evaluate AI system performance |
| Internal audit | Conduct internal audits at planned intervals |
| Management review | Top management must review the AI management system at planned intervals |

Penalties

| Violation | Fine |
|---|---|
| Non-compliance | Voluntary — certification-based |