866.254.0000
Contact Us
Services
Services
View All Services
SOC & Attestations
SOC & Attestations
SOC 1 / SSAE 18 Examination
SOC 2 Examination
SOC 3 Examination
SOC for Supply Chain
SOC for Cybersecurity
SOC Essentials for Early-Stage Companies
C5 Attestation
CSA STAR Programs
Payment Card Assessments
Payment Card Assessments
PCI DSS Validation
PCI SSF
PCI P2PE Validation
PCI PIN Assessments
PCI 3DS Compliance
ISO Certifications
ISO Certifications
ISO 27001
ISO 42001
ISO 27701
ISO 9001
ISO 22301
ISO 20000-1
ISO 14001
ISO 45001
ISO 50001
Privacy Assessments
Privacy Assessments
Global CBPR & PRP Certification
GDPR Assessment
International Privacy Assessments
US State Privacy Assessments
Microsoft SSPA/DPR Assessment
FERPA Assessment
EU Cloud Code of Conduct
Federal Assessments
Federal Assessments
FedRAMP®
CMMC / NIST SP 800-171
FISMA/NIST
ITAR
CJIS
IRAP
FTC Consent Decrees
DoD IL6
Healthcare Assessments
Healthcare Assessments
HITRUST Certification
HIPAA Compliance
HIPAA Express
EPCS-DEA Audits
Health Data Host (HDS) Certification
Penetration Testing
Penetration Testing
Application
Network
Mobile
Red Teaming
Social Engineering
Cloud
Physical
Hardware and IoT
Advanced Services
AI Red Teaming
Cybersecurity Assessments
Cybersecurity Assessments
Cloud Configuration Assessments
Ransomware Assessments
NIST Cybersecurity Framework Assessments
Schellman Software Security Assessment (S3A)
TISAX®
SWIFT Customer Security Programme
Internal Audit Co-Sourcing
MTCS Certification
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
Learning Center
About Us
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships
ISO Certificate Directory
Contact Us

«  View All Posts

Understanding ISO 42001: Responsible AI Governance in an Evolving Regulatory Landscape Blog Feature
Danny Manimbo

By: Danny Manimbo

Print/Save as PDF

Understanding ISO 42001: Responsible AI Governance in an Evolving Regulatory Landscape

ISO Certifications | Artificial Intelligence | ISO 42001

Published: Jan 20, 2026

Last Updated: Jan 21, 2026

The information in this article was originally presented on January 15, 2026, at a Public Hearing to the New York State Senate Standing Committee on Internet and Technology to discuss risks, solutions, and best practices with respect to the use of artificial intelligence in consequential or high-risk contexts, and related issues. 

In this blog post, Danny Manimbo, subject matter expert on AI governance standards and Managing Principal of Schellman's ISO and AI services, covers what ISO 42001 is and why it exists, as well as the types of organizations it was designed for, how it addresses AI governance issues, and the role of third-party auditors.  

What Is ISO 42001? 

ISO 42001 was published in late 2023 by the International Organization for Standardization (ISO) and developed by Joint Technical Committee 1, Subcommittee 42, which focuses on AI-related standards. ISO 42001 serves as the world’s first international management system standard dedicated specifically to AI.  

ISO 42001 does not regulate AI outputs or mandate specific technical approaches. Instead, it establishes an AI Management System, or AIMS, which provides a structured governance framework for how AI systems are designed, deployed, monitored, and maintained. In that sense, it is comparable to the more established ISO management system standards that exist for information security, privacy, and quality. 

ISO 42001 recognizes that many AI failures stem not from algorithms alone, but from organizational weaknesses—such as unclear accountability, insufficient oversight, data governance gaps, or lack of ongoing monitoring. To address these potential shortcomings, ISO 42001 tasks organizations with taking a risk-based approach in applying the requirements to AI use. 

ISO 42001 follows a three-year certification cycle, including a multiphase audit in year one, followed by surveillance reviews for system changes in years two and three. This framework is versatile in nature and results in a tangible deliverable in the form of certification. 

What Types of Organizations Should Consider ISO 42001 Certification? 

ISO 42001 is intentionally broad and sector-agnostic. It applies to any organization that develops AI systems, deploys AI in business or operational processes, uses AI for decision support, or provides AI-enabled services. 

The standard is particularly relevant where AI is used in consequential or high-impact environments—including finance, healthcare, energy, education, public services (like utilities, housing, and transportation), or any setting where automated or semi-automated decisions can materially affect individuals, including AI systems utilized in government decision-making. The standard is scalable and can be adapted for small and medium-sized organizations, in addition to large technology firms.  

Additionally, organizations can scope their ISO 42001 certification as they see fit. This means if you are obligated to comply with other regulations based on where you operate business, such as the EU AI Act or US state-level regulations, you can scope your ISO certification in a way that ensures the disciplines are consistent and aligned with those regulatory compliance requirements. 

What Are the Benefits of ISO 42001 Certification? 

ISO 42001 addresses recurring challenges organizations face when deploying AI at scale, including unclear accountability, inconsistent risk assessments—particularly around bias and unintended impacts—limited transparency in governance, and weak lifecycle management as systems evolve.  

The standard requires organizations to perform impact assessments, identify AI-related risks, define risk acceptance criteria, assign clear ownership and oversight, implement controls, and continuously monitor performance and impacts, ultimately strengthening overall AI governance and strategy. 

Critically, it emphasizes bias, fairness, and unintended consequences as ongoing governance concerns, not one-time technical checks, with requirements for review and corrective action as data, models, and use cases change. 

From a regulatory readiness perspective, ISO 42001 provides a structured way to demonstrate that AI risks are being systematically identified and managed. It serves as objective evidence of due diligence and reasonable care as regulatory frameworks continue to evolve. 

From a customer trust and transparency standpoint, the standard shifts discussions away from general claims about responsible AI toward verifiable and auditable governance practices. 

In summary, key benefits of ISO 42001 certification include enhanced stakeholder trust, strengthened brand reputation, stronger risk management, increased operational efficiency, and streamlined regulatory readiness and compliance. 

How Does ISO 42001 Address Emerging AI Technologies, including LLMs? 

Large Language Models (LLMs), agentic AI, and other advanced AI systems introduce unique risks related to scale, autonomy, transparency, downstream use, and unintended outputs. These technologies can act, adapt, and influence outcomes in ways that can challenge traditional approaches to oversight and control. Most legacy governance frameworks were not designed to address AI-specific risks, such as model drift, potential bias, and autonomous decision-making, particularly as systems become more agentic. 

ISO 42001 directly addresses this gap by requiring organizations to implement governance practices tailored to AI. This includes requirements to define appropriate use boundaries, maintain human oversight for higher-risk applications, monitor real-world impacts, and establish escalation mechanisms.  

As a result, AI governance is beginning to resemble other mature risk domains like cybersecurity and privacy, where formal management systems, independent audits, and external assurance play a central role in successful operations. ISO 42001 supports this shift by enabling consistent and repeatable evaluation of AI governance practices across organizations, helping ensure that emerging AI technologies are managed with the rigor required to meet this moment. 

The Role of Independent Auditors and Importance of Accreditation in ISO 42001 

ISO 42001 must be independently audited and certified by third-party organizations. The credibility of this process depends on the accreditation of those third-party auditors. 

Accredited certification bodies are overseen by recognized accreditation authorities to ensure competence, independence, consistency, and impartiality. Accreditation helps reduce conflicts of interest and ensures certifications represent meaningful governance maturity rather than symbolic compliance. 

Moving Forward with ISO 42001 

ISO 42001 does not resolve every policy question related to AI. However, it provides an internationally recognized framework for governing AI responsibly, classifying and managing risk, addressing bias, and enabling independent evaluation.  

For policymakers, understanding how such governance standards function may help inform discussions around accountability, transparency, oversight of high-risk AI uses at the state level, and ultimately helping to build public trust. For organizations, understanding the importance, compliance requirements and audit process behind ISO 42001 is a critical step in determining whether the standard aligns with their AI risk profile, regulatory obligations, and long-term governance strategy. 

Organizations evaluating ISO 42001 should consider how it complements existing management systems and supports scalable, defensible AI oversight. To learn more about whether ISO 42001 is the right fit for your organization, engaging with experienced assessors and governance experts at Schellman can help clarify next steps and readiness considerations. Contact us today to learn more. 

In the meantime, discover other helpful ISO 42001 insights in these resources:  

About Danny Manimbo

Danny Manimbo is a Principal at Schellman based in Denver, Colorado, where he leads the firm’s Artificial Intelligence (AI) and ISO services and serves as one of Schellman’s CPA principals. In this role, he oversees the strategy, delivery, and quality of Schellman’s AI, ISO, and broader attestation services. Since joining the firm in 2013, Danny has built more than 15 years of expertise in information security, data privacy, AI governance, and compliance, helping organizations navigate evolving regulatory landscapes and emerging technologies. He is also a recognized thought leader and frequent speaker at industry conferences, where he shares insights on AI governance, security best practices, and the future of compliance. Danny has achieved the following certifications relevant to the fields of accounting, auditing, and information systems security and privacy: Certified Public Accountant (CPA), Certified Information Systems Security Professional (CISSP), Certified Information Systems Auditor (CISA), Certified Internal Auditor (CIA), Certificate of Cloud Security Knowledge (CCSK), and Certified Information Privacy Professional – United States (CIPP/US).

4010 W Boy Scout Boulevard
Suite 600
Tampa, FL 33607

U.S. 1.866.254.0000

Outside the U.S.
1.813.288.8833

Resources
Company
Stay Up-to-Date

Sign up to receive Schellman's Weekly Read delivered every Friday morning.

© SchellmanPrivacy PolicyTerms of Use

“Schellman” is the brand name under which Schellman & Company, LLC and Schellman Compliance, LLC provide professional services. Schellman & Company, LLC and Schellman Compliance, LLC practice as an alternative practice structure in accordance with the AICPA Code of Professional Conduct and applicable law, regulations and professional standards. Schellman & Company, LLC is a licensed certified public accounting firm (Florida license number AD62941) registered with the Public Company Accounting Oversight Board (PCAOB) that provides attest services to its clients, and Schellman Compliance, LLC provides nonattest cybersecurity and compliance professional services to its clients. Schellman Compliance, LLC is not a licensed CPA firm. Schellman & Company, LLC and Schellman Compliance, LLC are independently owned and are not liable for the services provided by any other entity providing services under the Schellman brand. Our use of the terms “our firm” and “we” and “us” and terms of similar import, denote the alternative practice structure conducted by Schellman & Company, LLC and Schellman Compliance, LLC.