ISO/IEC 42001:2023, the international standard for AI management systems (AIMS), and the EU AI Act (Regulation (EU) 2024/1689) are frequently discussed together. Both address AI governance, and both require organisations to establish systematic processes for managing AI risks. The overlap is real, but so are the differences, and conflating the two leads to a common mistake: assuming that an ISO certificate discharges a legal obligation.
Where they align
Both frameworks require a risk management process that is documented, systematic, and proportionate to the AI systems in scope. ISO 42001 §6.1 requires organisations to identify and address AI-related risks and opportunities, with the AI risk assessment, AI risk treatment and AI system impact assessment carried out under §8. The EU AI Act's Article 9 requires a documented risk management system for high-risk AI systems, maintained as a continuous, iterative process across the system's whole lifecycle, with regular review and updating.
Both require documentation. ISO 42001 follows the Annex SL (harmonized) structure common to ISO management system standards, requiring a policy, objectives, procedures, and records. The EU AI Act requires technical documentation (the Technical File) under Article 11, with the content set out in Annex IV, covering similar territory for high-risk systems.
Both address human oversight. ISO 42001 treats it as one of the objectives to be considered in its Annex A controls on responsible development and use of AI systems (with implementation guidance in Annex B) rather than in a single dedicated clause. The EU AI Act addresses it directly in Article 14, which requires high-risk systems to be designed so that natural persons can effectively oversee them during use, including the ability to intervene in or halt the system.
Where they diverge
The fundamental difference is legal force. ISO 42001 is a voluntary standard. An organisation can be certified to it, can use it as an internal governance framework, or can treat it as a best-practice reference; there is no regulatory consequence to not implementing it. The EU AI Act is law. Under Article 99, non-compliance with the obligations for high-risk AI systems carries administrative fines of up to €15 million or 3% of worldwide annual turnover (whichever is higher for non-SMEs); the higher tier of €35 million or 7% is reserved for the prohibited practices in Article 5. The €30 million / 6% figures sometimes quoted come from the 2021 Commission proposal, not the adopted Regulation.
The scope also differs. ISO 42001 applies to any organisation that develops, provides, or uses AI systems; it is not limited by risk tier. The EU AI Act's most demanding requirements apply specifically to high-risk systems as defined by Article 6, which covers the use cases listed in Annex III and safety components of products regulated under the Annex I harmonisation legislation (Article 7 allows the Commission to amend Annex III). A system that is neither prohibited under Article 5 nor high-risk under Article 6 faces far lighter obligations, chiefly the transparency duties of Article 50, but an organisation that has adopted ISO 42001 would apply its management system framework to that system regardless.
ISO 42001 does not produce CE marking or an EU declaration of conformity. These are EU AI Act requirements, tied to market access in the EU. Nor is ISO 42001 a harmonised standard under Article 40, so conformity with it confers no presumption of conformity with the Regulation. An ISO 42001 certificate does not substitute for any of these.
The practical relationship
ISO 42001 implementation is a useful foundation for EU AI Act conformity work. The AIMS framework structures the governance processes that the AI Act then requires to be applied rigorously to high-risk systems. Organisations that have established an AIMS before beginning EU AI Act conformity preparation typically find the technical documentation and risk management records easier to assemble, not because the ISO standard substitutes for the Regulation, but because the management infrastructure (roles, policies, risk registers, impact assessments, document control) is already in place.
The reverse is also useful: organisations working toward EU AI Act conformity for a specific high-risk system often find that extending that work into a full AIMS is a relatively efficient step, since much of the documentation infrastructure overlaps.
Reference: ISO/IEC 42001:2023, §§ 6.1, 8.2–8.4, Annex A, Annex B. Regulation (EU) 2024/1689, Articles 5, 6, 7, 9, 11, 14, 40, 50, 99, Annex I, Annex III, Annex IV.