ISO/IEC 42001 — AI Management Systems

ISO/IEC 42001:2023 is the first (and only) certifiable AI Management System standard. It provides a governance framework for organizations that develop or use AI, with 38 Annex A controls covering data governance, bias mitigation, and third-party management. Organizations are certified against its requirements by accredited certification bodies.

Structure

ISO/IEC 42001 follows the ISO High-Level Structure (HLS) used by ISO 27001 and ISO 9001, enabling integration with existing management systems. Annex A provides 38 AI-specific controls. The standard does not include technical security controls; those are delegated to ISO 27001.

An emerging “triple stack” of ISO 42001 + ISO 27001 + ISO 27701 is increasingly positioned as a comprehensive governance package.

Q1 2026 Developments

Base standard: unchanged. No amendment or revision published or planned for 2026.

Key companion developments:

  • ISO/IEC 42006:2025 — Published (date confirmed Q1 2026); establishes formal requirements for AI management system audit and certification bodies, including auditor competence, audit time calculation, and certification documentation. This resolves the critical gap in certification body consistency.
  • ISO/IEC 27090 — AI cybersecurity guidance; registered FDIS on March 12, 2026; entered the 8-week approval ballot; publication expected mid-2026. This will be the first ISO AI cybersecurity standard, though guidance-only (not certifiable).
  • Schellman became the first ANAB-accredited ISO 42001 certification body (January 2026); market demand is described as “surging”.
  • Microsoft expanded its ISO 42001 certification scope to cover Microsoft 365 Copilot, with plans to extend it to Copilot Studio, Dragon Copilot, Security Copilot, GitHub Copilot, and Microsoft Foundry.
  • 100+ organizations were certified within 18 months of publication, including AWS, Anthropic, and KPMG.

Strengths

  • The only certifiable AI management system standard — unlike NIST AI RMF or OWASP, it enables third-party verification
  • ISO 42006 resolves the certification body competence gap — credible, consistent audits now possible
  • Major vendors pursuing certification lends credibility and market signal
  • HLS structure enables integration with ISO 27001 (security) and ISO 27701 (privacy)
  • Aligns with EU AI Act compliance trajectories

Gaps and Shortcomings

  • Governance framework that delegates all technical security controls to ISO 27001, which itself has no AI-specific controls — a structural limitation
  • No guidance on agentic AI, MCP/A2A security, plugin supply chains, agent identity, or runtime enforcement
  • ISO/IEC 27090, even when published, will be guidance-only (not certifiable) and separate from EU AI Act harmonized standards being developed (prEN 18282, ETSI prEN 304 223)
  • No AI-BOM requirements
  • The 38 Annex A controls are governance-oriented and contain no testable technical assertions; certification alone does not let organizations verify whether a certified entity has functional defenses against prompt injection or supply chain attacks
  • Implementation cost remains prohibitive for smaller organizations
  • Does not cover agentic AI-specific risk categories (ASI06–ASI08 have zero coverage)

Coverage Against OWASP ASI Top 10

ASI Category                      Coverage
--------------------------------  ----------------------
ASI01: Agent Goal Hijack          ○ None
ASI02: Tool Misuse                ○ None
ASI03: Identity & Privilege       ○ None
ASI04: Supply Chain               ○ None
ASI05: Data Disclosure            ◐ Partial (governance)
ASI06: Memory Poisoning           ○ None
ASI07: Insecure Inter-Agent       ○ None
ASI08: Cascading Failures         ○ None
ASI09: Missing Guardrails         ○ None
ASI10: Rogue Agents               ○ None

Watch Items (2026)

  • ISO/IEC 27090 publication (mid-2026) — first ISO AI cybersecurity standard; will influence EU AI Act harmonized standards
  • EU AI Act harmonized standards (CEN/CENELEC, targeting end of 2026) — relationship between ISO 42001 and EU compliance pathways
  • Whether ISO 42001 issues an AI-safety or agentic AI technical specification

See Also