Regulation · ISO/IEC 42001:2023

ISO 42001 certification, in a quarter — not a year.

42001 is the first management system standard for AI. ShadowIQ ships with a mapped policy library, pre-built evidence, and monitoring aligned to the standard's clauses.

What this is

Summary

ISO/IEC 42001:2023 is the international standard for Artificial Intelligence Management Systems (AIMS), specifying requirements for establishing, implementing, maintaining, and continually improving AI governance. ShadowIQ provides pre-mapped policies, controls, and cryptographic evidence for clauses 4–10 and Annex A controls.

How it fits · explainer

The crosswalk: article → control → signed evidence.

Article | Requirement | ShadowIQ control | Signed evidence
Clause 6.1.2 | AI risk assessment | Risk register + eval engine | Signed risk + eval records
Clause 6.1.4 | AI system impact assessment | DPIA / Article-25 templates | Signed impact assessment
Clause 8.2 | AI system development | Lifecycle registry + gateway | Signed change + decision log
Clause 9.1 | Performance monitoring | OTel + Prom dashboards | Signed metric snapshots
Annex A.6.2 | AI system objectives | Registry metadata | Signed objectives record

Crosswalk: 5 rows shown; full map in /docs/compliance. Evidence is signed with Ed25519.
Where it hurts

You've heard this one before.

  • Annex A has 38 controls; you need evidence for each one.
  • Clause 9 (performance evaluation) requires metrics nobody is collecting.
  • The external auditor wants artifacts you only have in slide decks.
  • Your existing ISMS (27001) doesn't cover the AI lifecycle.
What we do about it

Three moves.

  1. Annex A · 38 controls, pre-mapped.

    A.2 policies related to AI, A.3 internal organization, A.4 resources for AI systems, A.5 assessing impacts of AI systems: each ships with a policy template and automated evidence.

  2. Clause 9 metrics, automated.

    Performance monitoring (9.1), internal audit (9.2) and management review (9.3) are fed by live operational data, not quarterly snapshots.

  3. 27001-compatible, not duplicative.

    Shared controls (access management, cryptography, SDLC) reuse 27001 evidence. AI-specific controls add on top.

Outcomes

Numbers, not adjectives.

< 90 days
to certification-ready
38
Annex A controls pre-built
27001-native
evidence reuse
Full crosswalk

ISO/IEC 42001 article → ShadowIQ control → signed evidence.

Article | Requirement | ShadowIQ control | Signed evidence
Clause 6.1.2 | AI risk assessment | Risk register + eval engine | Signed risk + eval records
Clause 6.1.4 | AI system impact assessment | DPIA / Article-25 templates | Signed impact assessment
Clause 8.2 | AI system development | Lifecycle registry + gateway | Signed change + decision log
Clause 9.1 | Performance monitoring | OTel + Prom dashboards | Signed metric snapshots
Annex A.6.2 | AI system objectives | Registry metadata | Signed objectives record
Annex A.9.3 | Impact on individuals | Explainability artifacts | Signed Article-22 responses
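The last column of the crosswalk (here and in the explainer above) is a signed evidence artifact, which the page says is signed with Ed25519. What an auditor or a customer actually needs is a way to verify such an artifact without trusting the tool that produced it. The following is an added example, not ShadowIQ's code or its record format: it defines an assumed evidence record shape, signs its canonical JSON bytes with Ed25519, verifies against an issuer key pinned out of band, and shows that both a tampered payload and a key substituted by the signer are rejected. The field names, the control name "metric-snapshot", the system identifier and the metric values are all constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// EvidenceRecord is an assumed shape for one crosswalk artifact (illustration
// only, not ShadowIQ's format): the clause it supports, the control that
// produced it, the AI system it concerns, and the payload an auditor reads.
type EvidenceRecord struct {
	Clause   string            `json:"clause"`
	Control  string            `json:"control"`
	System   string            `json:"system"`
	IssuedAt string            `json:"issued_at"` // RFC 3339; fixed so the example is deterministic
	Payload  map[string]string `json:"payload"`
}

// SignedEvidence carries the record, the signer's public key (as a hint for
// key lookup) and an Ed25519 signature over the record's canonical bytes.
type SignedEvidence struct {
	Record    EvidenceRecord `json:"record"`
	PublicKey string         `json:"public_key"` // hex
	Signature string         `json:"signature"`  // hex
}

// canonicalize yields the exact bytes that are signed. encoding/json writes
// struct fields in declaration order and sorts map keys, so the output is
// stable for this shape. Signer and verifier must share this function.
func canonicalize(r EvidenceRecord) ([]byte, error) {
	return json.Marshal(r)
}

// Sign produces a signed artifact with the issuer's Ed25519 private key.
func Sign(priv ed25519.PrivateKey, r EvidenceRecord) (SignedEvidence, error) {
	msg, err := canonicalize(r)
	if err != nil {
		return SignedEvidence{}, err
	}
	pub := priv.Public().(ed25519.PublicKey)
	return SignedEvidence{
		Record:    r,
		PublicKey: hex.EncodeToString(pub),
		Signature: hex.EncodeToString(ed25519.Sign(priv, msg)),
	}, nil
}

// Verify checks an artifact against a public key the verifier obtained out of
// band (pinned). The embedded key is only a hint: if it differs from the
// pinned key the artifact is rejected, otherwise anyone could re-sign a forged
// record with a key of their own and embed that instead.
func Verify(se SignedEvidence, pinned ed25519.PublicKey) error {
	embedded, err := hex.DecodeString(se.PublicKey)
	if err != nil {
		return fmt.Errorf("bad public key encoding: %w", err)
	}
	if !bytes.Equal(embedded, pinned) {
		return errors.New("embedded public key does not match pinned issuer key")
	}
	sig, err := hex.DecodeString(se.Signature)
	if err != nil {
		return fmt.Errorf("bad signature encoding: %w", err)
	}
	msg, err := canonicalize(se.Record)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pinned, msg, sig) {
		return errors.New("signature does not match record contents")
	}
	return nil
}

// sampleRecord is a constructed Clause 9.1 metric snapshot used for the demo.
func sampleRecord() EvidenceRecord {
	return EvidenceRecord{
		Clause:   "9.1",
		Control:  "metric-snapshot",
		System:   "support-assistant-v3",
		IssuedAt: "2024-05-01T00:00:00Z",
		Payload: map[string]string{
			"eval_pass_rate":          "0.97",
			"prompt_injection_blocks": "12",
		},
	}
}

// Demo signs the sample record, verifies it, then edits one payload value and
// verifies again. It returns (original verifies, tampered verifies).
func Demo() (bool, bool, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	se, err := Sign(priv, sampleRecord())
	if err != nil {
		return false, false, err
	}
	okOriginal := Verify(se, pub) == nil

	tampered := se // copy; a fresh map below keeps the original untouched
	tampered.Record.Payload = map[string]string{
		"eval_pass_rate":          "0.99",
		"prompt_injection_blocks": "12",
	}
	okTampered := Verify(tampered, pub) == nil
	return okOriginal, okTampered, nil
}

func main() {
	okOrig, okTamp, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original verifies: %v, tampered verifies: %v\n", okOrig, okTamp)
}
```

The practical point for an audit: ask the vendor for the issuer public key through a channel other than the artifact itself, pin it, and re-run verification over the canonical bytes. A receipt whose embedded key you have never pinned proves nothing.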
Frequently asked

Asked, answered, sourced.

Does ISO 42001 certification make us compliant with the EU AI Act?

No — ISO 42001 is a management-system certification; the EU AI Act is law. But many AI Act requirements map cleanly to 42001 controls, so certification typically accelerates AI Act readiness by 40–60%.

Will accredited certification bodies accept ShadowIQ-generated evidence?

Yes — Schellman, BSI, TÜV SÜD, and DNV have all consumed our evidence in 42001 pilots. We introduce customers to the audit partner best matched to their geography and scope.

We already run an ISO 27001 ISMS. Do we need a second management system?

No. ISO 42001 is designed to extend an existing 27001 ISMS. Shared clauses (leadership, planning, support, operation) reuse your ISMS framework; AI-specific clauses and Annex A controls add on top.

Ready to see the signet in motion?

Your 30-minute demo. A signed audit trail by the end of it.

We'll wire ShadowIQ into one live workload, block a prompt injection in real time, and hand you a cryptographic receipt — before the meeting ends.